Merge "Revert^2 "Migrate contexts tests to Android.bp""
diff --git a/Android.bp b/Android.bp
index df1e264..0ca82a6 100644
--- a/Android.bp
+++ b/Android.bp
@@ -865,6 +865,9 @@
"sepolicy_neverallows",
"sepolicy_neverallows_vendor",
],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
// policy for recovery
@@ -933,6 +936,9 @@
name: "base_plat_sepolicy",
srcs: [":base_plat_sepolicy.cil"],
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
@@ -1003,6 +1009,9 @@
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
diff --git a/Android.mk b/Android.mk
index b8ad3ca..69f1e00 100644
--- a/Android.mk
+++ b/Android.mk
@@ -481,6 +481,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.bluetooth-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth.updatable-file_contexts
rename to apex/com.android.bluetooth-file_contexts
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 9398505..1b578ea 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/for-system/clatd u:object_r:clatd_exec:s0
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
index 91c6347..00df33c 100644
--- a/build/soong/bug_map.go
+++ b/build/soong/bug_map.go
@@ -104,7 +104,7 @@
OutputFile: android.OptionalPathForPath(b.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
},
},
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 59d1172..78e870e 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -172,7 +172,7 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
if c.properties.Stem != nil {
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 3044425..6a1925d 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -109,7 +109,7 @@
OutputFile: android.OptionalPathForPath(c.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 2b190e6..390c439 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -200,7 +200,7 @@
}
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
- conf := android.PathForModuleOut(ctx, "conf").OutputPath
+ conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
@@ -255,7 +255,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -410,7 +410,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -546,7 +546,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 7424001..8894931 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -197,7 +197,7 @@
SubName: nameSuffix,
Extra: []android.AndroidMkExtraFunc{
func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
},
},
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 119e477..98dd3cf 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -152,10 +152,11 @@
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", binaryPolicy).
Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
// file from Step 1
-
+ rule = android.NewRuleBuilder(pctx, ctx)
msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
`of an expanded attribute in a neverallow assertion. Please fix\n` +
`the policy.`
@@ -170,9 +171,8 @@
Text(`"` + msg + `"`).
Text("; exit 1)")
- rule.Temporary(binaryPolicy)
rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
}
func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 9d1fe78..ca40173 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -97,7 +97,7 @@
OutputFile: android.OptionalPathForPath(v.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
},
},
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index dc07910..c316d2a 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -172,7 +172,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
- entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
},
},
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 3c82d4b..0600207 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -266,14 +266,6 @@
}
prebuilt_etc {
- name: "microdroid_hwservice_contexts",
- filename: "plat_hwservice_contexts",
- src: "system/private/hwservice_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
name: "microdroid_property_contexts",
filename: "plat_property_contexts",
src: "system/private/property_contexts",
@@ -289,10 +281,10 @@
installable: false,
}
-prebuilt_etc {
- name: "microdroid_keystore2_key_contexts",
- filename: "plat_keystore2_key_contexts",
- src: "system/private/keystore2_key_contexts",
- relative_install_path: "selinux",
+// For CTS
+se_policy_conf {
+ name: "microdroid_general_sepolicy.conf",
+ srcs: system_policy_files,
+ exclude_build_test: true,
installable: false,
}
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 22f2ffa..477f78f 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,6 +746,16 @@
use_dev_id
}
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 1212840..116c74d 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -48,6 +48,11 @@
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index cca95c2..275a455 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -81,8 +81,7 @@
allow apexd rootfs:dir mounton;
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 84e1575..c56f05e 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -4,8 +4,7 @@
type apkdmverity_exec, exec_type, file_type, system_file_type;
# apkdmverity is using bootstrap bionic
-allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
-allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apkdmverity)
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
diff --git a/microdroid/system/private/binderservicedomain.te b/microdroid/system/private/binderservicedomain.te
deleted file mode 100644
index 99006bf..0000000
--- a/microdroid/system/private/binderservicedomain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 174eda3..d9edb67 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,22 +2,18 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
+# Expose RPC Binder service over vsock
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow using keystore and authfs_service binder services
+# Allow using various binder services
binder_use(compos);
-use_keystore(compos);
-allow compos authfs_binder_service:service_manager find;
+allow compos {
+ authfs_binder_service
+ dice_node_service
+}:service_manager find;
binder_call(compos, authfs_service);
-
-# Allow payloads to use and manage their keys
-allow compos vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+binder_call(compos, diced);
+allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
@@ -34,7 +30,5 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh and dex2oat.
-# TODO(b/209008712): Remove dex2oat once the migration is done.
+# Allow domain transition into odrefresh.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
-domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 90587fa..a636e9c 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -56,7 +56,6 @@
-crash_dump
-init
-kernel
- -keystore
-logd
-ueventd
-vendor_init
@@ -65,7 +64,6 @@
userdebug_or_eng(`
allow crash_dump {
apexd
- keystore
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
new file mode 100644
index 0000000..9530794
--- /dev/null
+++ b/microdroid/system/private/diced.te
@@ -0,0 +1,20 @@
+type diced, domain, coredomain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+# diced can be started by init
+init_daemon_domain(diced)
+
+# diced can talk to dice HAL
+hal_client_domain(diced, hal_dice)
+
+# diced hosts AIDL services
+binder_use(diced)
+binder_service(diced)
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# diced can check SELinux permissions.
+selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ad2c645..ae97f75 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -47,7 +47,7 @@
allow domain zero_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -411,15 +411,6 @@
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
@@ -428,8 +419,6 @@
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
# system services cant add vendor services
neverallow {
@@ -549,11 +538,6 @@
servicemanager
}:service_manager list;
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
@@ -596,15 +580,6 @@
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 933c63f..50558f8 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -63,6 +63,7 @@
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
+/dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
@@ -106,10 +107,9 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
@@ -135,8 +135,6 @@
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -163,7 +161,6 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
deleted file mode 100644
index f9b15f0..0000000
--- a/microdroid/system/private/halclientdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
-
-get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservice_contexts b/microdroid/system/private/hwservice_contexts
deleted file mode 100644
index 9b47b06..0000000
--- a/microdroid/system/private/hwservice_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
deleted file mode 100644
index 88b9e89..0000000
--- a/microdroid/system/private/hwservicemanager.te
+++ /dev/null
@@ -1,27 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-allow hwservicemanager vendor_configs_file:file { open getattr };
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff3f6f5..ff75f75 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -171,7 +171,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -181,7 +180,6 @@
file_type
-apex_info_file
-exec_type
- -keystore_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_file_type
@@ -193,7 +191,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -203,7 +200,6 @@
file_type
-apex_mnt_dir
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -356,11 +352,6 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
@@ -437,8 +428,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 258c8d7..2938be4 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -90,7 +90,6 @@
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
- hwservice_contexts_file
mac_perms_file
property_contexts_file
seapp_contexts_file
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
deleted file mode 100644
index ee10910..0000000
--- a/microdroid/system/private/keystore.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-# microdroid doesn't use keymaster HAL
-dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
-
-# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
-dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
-
-set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/keystore2_key_contexts b/microdroid/system/private/keystore2_key_contexts
deleted file mode 100644
index 02cdd5e..0000000
--- a/microdroid/system/private/keystore2_key_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-
-# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
-# TODO(b/191843770): sort out a longer term policy
-140 u:object_r:vm_payload_key:s0
-
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index fa1cb40..06d4fa6 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -5,16 +5,12 @@
allow logd adbd:dir search;
allow logd adbd:file { getattr open read };
allow logd device:dir search;
-allow logd hwservicemanager:dir search;
-allow logd hwservicemanager:file { open read };
allow logd init:dir search;
allow logd init:fd use;
allow logd init:file { getattr open read };
allow logd kernel:dir search;
allow logd kernel:file { getattr open read };
allow logd kernel:system { syslog_mod syslog_read };
-allow logd keystore:dir search;
-allow logd keystore:file { getattr open read };
allow logd linkerconfig_file:dir search;
allow logd microdroid_manager:dir search;
allow logd microdroid_manager:file { getattr open read };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de1c8d6..de58326 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,17 +9,9 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-# Talk to binder services (for keystore)
+# Talk to binder services (for diced)
binder_use(microdroid_app);
-# Allow payloads to use keystore
-use_keystore(microdroid_app);
-
-# Allow payloads to use and manage their keys
-allow microdroid_app vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+allow microdroid_app dice_node_service:service_manager find;
+binder_call(microdroid_app, diced);
+allow microdroid_app diced:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 736a135..6539e2c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -14,6 +14,11 @@
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;
+# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
+# requires sys_admin cap as well.
+allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
+allow microdroid_manager self:global_capability_class_set sys_admin;
+
# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
@@ -25,9 +30,6 @@
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager initialize the derived VM secrets.
-set_prop(microdroid_manager, vmsecret_keymint_prop);
-
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
@@ -38,8 +40,13 @@
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
# microdroid_manager is using bootstrap bionic
-allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
-allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(microdroid_manager)
+
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 7911753..01aa5e4 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -14,19 +14,6 @@
### Neverallow rules
###
-neverallow {
- domain
- -init
- -microdroid_manager
-} vmsecret_keymint_prop:property_service set;
-
-neverallow {
- domain
- -init
- -microdroid_manager
- -hal_keymint_server
-} vmsecret_keymint_prop:file no_rw_file_perms;
-
# microdroid_manager_roothash_prop can only be set by microdroid_manager
# and read by apkdmverity
neverallow {
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7b63cae..518ae87 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -46,28 +46,21 @@
ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
-ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
ro.boottime.logd u:object_r:boottime_prop:s0 exact int
ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
-ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
-
-hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
@@ -79,8 +72,6 @@
init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
@@ -91,8 +82,6 @@
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-
ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
@@ -100,6 +89,7 @@
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
@@ -127,10 +117,6 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 200b030..0d3cc80 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,5 +163,8 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
+# Diced permissions
+class diced # userspace
+
class drmservice # userspace
# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 3489055..9a27306 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,19 +1,8 @@
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
adb u:object_r:adb_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.identity u:object_r:credstore_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
apexservice u:object_r:apex_service:s0
authfs_service u:object_r:authfs_binder_service:s0
manager u:object_r:service_manager_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 5dad3c1..d51c827 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -15,7 +15,6 @@
domain
-init
-vendor_init
- -hwservicemanager
}:binder transfer;
allow servicemanager service_contexts_file:file r_file_perms;
@@ -25,3 +24,6 @@
add_service(servicemanager, service_manager_service)
set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 55b7308..1196262 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -6,7 +6,4 @@
# su is also permissive to permit setenforce.
permissive su;
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
')
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 8524c18..c7d9fd6 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -47,8 +47,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index da0cd0f..6652e27 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -7,8 +7,7 @@
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
-allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
-allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 6479c55..e3258ae 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -298,6 +298,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(evs);
hal_attribute(face);
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index c03fb4d..4c008ea 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -18,6 +18,7 @@
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type, mlstrustedobject;
+type open_dice_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type ppp_device, dev_type;
type properties_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5b678ba..d15d9cd 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -2,7 +2,6 @@
# file types
type adbd_socket, file_type, coredomain_socket;
-type apc_service, service_manager_type;
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
@@ -12,9 +11,6 @@
type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
-type hwservice_contexts_file, file_type, system_file_type;
-type keystore2_key_contexts_file, file_type, system_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
type linkerconfig_file, file_type;
type logd_socket, file_type, mlstrustedobject, coredomain_socket;
type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/microdroid/system/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/hal_keymint.te b/microdroid/system/public/hal_keymint.te
deleted file mode 100644
index 7570188..0000000
--- a/microdroid/system/public/hal_keymint.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/system/public/hwservicemanager.te b/microdroid/system/public/hwservicemanager.te
deleted file mode 100644
index 5421b11..0000000
--- a/microdroid/system/public/hwservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/keystore.te b/microdroid/system/public/keystore.te
deleted file mode 100644
index 295d3d9..0000000
--- a/microdroid/system/public/keystore.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type keystore, domain;
-type keystore_exec, file_type, exec_type, system_file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c62e091..d00a618 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -29,13 +29,10 @@
type fingerprint_prop, property_type;
type gsid_prop, property_type;
type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
-type keystore_crash_prop, property_type;
-type keystore_listen_prop, property_type;
type libc_debug_prop, property_type;
type log_tag_prop, property_type;
type logd_prop, property_type;
@@ -45,7 +42,6 @@
type timezone_prop, property_type;
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
-type vmsecret_keymint_prop, property_type;
type powerctl_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 5da3ec9..dea7c6b 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -15,10 +15,6 @@
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index a440c21..e331bf6 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -39,11 +39,7 @@
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su domain:bpf *;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 1a7aaa4..6db0d70 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -987,3 +987,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 0ee9f89..818ae46 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -2,24 +2,10 @@
type adb_service, system_server_service, system_api_service, service_manager_type;
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
-type authorization_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type default_android_service, service_manager_type;
-type hal_keymint_service, protected_service, vendor_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type hal_dice_service, protected_service, vendor_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index b66caa9..322abe3 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -133,8 +133,7 @@
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 0aa85cf..c86f862 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -35,4 +35,4 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
+/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
new file mode 100644
index 0000000..c203550
--- /dev/null
+++ b/microdroid/vendor/hal_dice_default.te
@@ -0,0 +1,10 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
+
+# hal_dice_default is using bootstrap bionic
+use_bootstrap_libs(hal_dice_default)
+
+allow hal_dice_default open_dice_device:chr_file { read write open map };
diff --git a/microdroid/vendor/hal_keymint_default.te b/microdroid/vendor/hal_keymint_default.te
deleted file mode 100644
index 359ca60..0000000
--- a/microdroid/vendor/hal_keymint_default.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type hal_keymint_default, domain;
-hal_server_domain(hal_keymint_default, hal_keymint)
-
-type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_default)
-
-allow hal_keymint_default keystore:binder transfer;
-allow hal_keymint_default system_lib_file:file execute;
-
-allow logd hal_keymint_default:dir search;
-allow logd hal_keymint_default:file { getattr open read };
-
-get_prop(hal_keymint_default, vmsecret_keymint_prop);
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
diff --git a/prebuilts/api/32.0/private/apexd.te b/prebuilts/api/32.0/private/apexd.te
index 09799bd..d43ed33 100644
--- a/prebuilts/api/32.0/private/apexd.te
+++ b/prebuilts/api/32.0/private/apexd.te
@@ -86,6 +86,7 @@
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file rw_file_perms;
+allow apexd apex_info_file:file mounton;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
diff --git a/prebuilts/api/32.0/private/mediaprovider_app.te b/prebuilts/api/32.0/private/mediaprovider_app.te
index 16d0d6d..742da1f 100644
--- a/prebuilts/api/32.0/private/mediaprovider_app.te
+++ b/prebuilts/api/32.0/private/mediaprovider_app.te
@@ -21,6 +21,9 @@
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/access_vectors b/private/access_vectors
index fc17c1d..0f8dd5f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -722,7 +722,9 @@
change_user
clear_ns
clear_uid
+ delete_all_keys
early_boot_ended
+ get_attestation_key
get_auth_token
get_state
list
@@ -732,7 +734,6 @@
report_off_body
reset
unlock
- delete_all_keys
}
class keystore2_key
diff --git a/private/apexd.te b/private/apexd.te
index 9dfe45f..69645a1 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,6 +13,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
+allow apexd sepolicy_metadata_file:dir create_dir_perms;
+allow apexd sepolicy_metadata_file:file create_file_perms;
+
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
@@ -126,8 +130,7 @@
binder_call(apexd, vold)
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/app.te b/private/app.te
index 7177b92..856f483 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,6 +87,375 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow appdomain system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
+allow { appdomain -ephemeral_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
diff --git a/private/atrace.te b/private/atrace.te
index cbb5b7c..2ab8c69 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-stats_service
-tracingproxy_service
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index d757a52..db20696 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -4,7 +4,7 @@
typeattribute automotive_display_service automotive_display_service_server;
-# Allow to add a display service to the manager
+# Allow to add a display service to the hwservicemanager
add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
# Allow init to launch automotive display service
@@ -36,3 +36,9 @@
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file rw_file_perms;
allow automotive_display_service gpu_device:dir search;
+
+# Allow to add a service to the servicemanager
+add_service(automotive_display_service, fwk_automotive_display_service);
+
+# Allow to communicate with EVS services
+binder_call(automotive_display_service, hal_evs)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0e0cf7f..5522e32 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -62,6 +62,7 @@
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
+allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 0000000..f0888a7
--- /dev/null
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+ bpfdomain
+ -bpfloader
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 78cd37e..7644cac 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,12 +1,14 @@
-# bpf program loader
-type bpfloader, domain;
type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
+
+typeattribute bpfloader bpfdomain;
+
+# allow bpfloader to write to the kernel log (starts early)
+allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -17,29 +19,33 @@
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
-
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
diff --git a/private/clatd.te b/private/clatd.te
index da6820c..57eee78 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,18 +4,10 @@
net_domain(clatd)
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Access objects inherited from netd.
allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
allow clatd netd:packet_socket { read write };
allow clatd netd:rawip_socket { read write };
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 2ae6a5f..29378d4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -21,13 +21,7 @@
hal_dumpstate_service
hal_graphics_composer_service
hal_health_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 43f8136..ee7d51e 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -8,7 +8,9 @@
apexd_select_prop
artd_service
attestation_verification_service
+ bluetooth_config_prop
charger_vendor
+ cloudsearch
cloudsearch_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
@@ -16,39 +18,47 @@
dice_node_service
diced
diced_exec
+ fwk_automotive_display_service
+ evsmanagerd
+ evsmanagerd_service
extra_free_kbytes
extra_free_kbytes_exec
+ fs_bpf_vendor
gesture_prop
hal_contexthub_service
+ hal_camera_service
+ hal_evs_service
hal_dice_service
+ hal_drm_service
hal_dumpstate_service
+ hal_graphics_allocator_service
hal_graphics_composer_service
hal_health_service
+ hal_input_processor_service
hal_ir_service
+ hal_nfc_service
hal_nlinterceptor_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
+ hal_usb_service
hal_uwb_service
hal_vehicle_service
hal_wifi_hostapd_service
hal_wifi_supplicant_service
locale_service
+ mdns_service
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
+ remotelyprovisionedkeypool_service
resources_manager_service
selection_toolbar_service
snapuserd_proxy_socket
supplemental_process_service
sysfs_fs_fuse_bpf
+ system_dlkm_file
tare_service
tv_iapp_service
untrusted_app_30
@@ -56,4 +66,5 @@
vendor_vm_data_file
vendor_vm_file
virtual_device_service
- ))
+ wallpaper_effects_generation_service
+))
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index a1a8a64..01504ee 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -1,10 +1,6 @@
# Make ART inputs and outputs available to the CompOS VM
type compos_fd_server, domain, coredomain;
-# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
-# TODO(b/209008712): Remove once migration is done.
-allow compos_fd_server odrefresh:fd use;
-
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
@@ -17,18 +13,14 @@
allow compos_fd_server apex_art_data_file:file create_file_perms;
# Use a pipe to signal readiness
-# TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
-allow compos_fd_server odrefresh:fifo_file write;
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
-allow compos_fd_server odrefresh:fifo_file read;
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Only composd and odrefresh can enter the domain via exec
-# TODO(b/209008712): Remove odrefresh once migration is done.
-neverallow { domain -composd -odrefresh } compos_fd_server:process transition;
+# Only composd can enter the domain via exec
+neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index dd61e39..5f99a92 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -5,7 +5,6 @@
init_daemon_domain(composd)
binder_use(composd)
add_service(composd, compos_service)
-add_service(composd, compos_internal_service)
# Call back into system server
binder_call(composd, system_server)
@@ -26,11 +25,6 @@
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
-# TODO(b/209008712): Remove these when we run odrefresh in the VM
-# Run odrefresh to refresh ART artifacts, and kill it if we need to
-domain_auto_trans(composd, odrefresh_exec, odrefresh)
-allow composd odrefresh:process sigkill;
-
# Run fd_server in its own domain, and send SIGTERM when finished.
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
diff --git a/private/coredomain.te b/private/coredomain.te
index f8a61d2..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -76,6 +76,7 @@
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
@@ -121,6 +122,7 @@
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
@@ -176,6 +178,7 @@
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..c410d76 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -4,3 +4,9 @@
# talk to Identity Credential
hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;
diff --git a/private/crosvm.te b/private/crosvm.te
index 5106f87..426cb28 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -7,9 +7,12 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
@@ -86,3 +89,10 @@
-app_data_file
userdebug_or_eng(`-shell_data_file')
}:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+ domain
+ -crosvm
+ -virtualizationservice
+} crosvm_exec:file no_x_file_perms;
diff --git a/private/dmesgd.te b/private/dmesgd.te
new file mode 100644
index 0000000..7a12882
--- /dev/null
+++ b/private/dmesgd.te
@@ -0,0 +1,15 @@
+type dmesgd, domain, coredomain;
+type dmesgd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(dmesgd)
+
+allow dmesgd dmesgd_data_file:dir create_dir_perms;
+allow dmesgd dmesgd_data_file:file create_file_perms;
+
+allow dmesgd kernel:system syslog_read;
+allow dmesgd shell_exec:file rx_file_perms;
+allow dmesgd toolbox_exec:file rx_file_perms;
+binder_use(dmesgd)
+binder_call(dmesgd, system_server)
+allow dmesgd dropbox_service:service_manager find;
+allow dmesgd proc_version:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index ae5b0d7..988bd56 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
@@ -121,6 +141,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
@@ -456,6 +477,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel
+ userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -496,6 +518,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
+ userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
@@ -547,6 +570,7 @@
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
diff --git a/private/evsmanagerd.te b/private/evsmanagerd.te
new file mode 100644
index 0000000..3772628
--- /dev/null
+++ b/private/evsmanagerd.te
@@ -0,0 +1,39 @@
+# evsmanager
+typeattribute evsmanagerd coredomain;
+typeattribute evsmanagerd evsmanager_service_server;
+
+type evsmanagerd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(evsmanagerd);
+
+# Declares as a binder service
+binder_service(evsmanagerd)
+
+# Allows to add a service to service_manager
+add_service(evsmanagerd, evsmanagerd_service)
+
+# Allows to use the binder IPC
+binder_use(evsmanagerd)
+
+# Allows binder IPCs to the various system services
+binder_call(evsmanagerd, system_server)
+
+# Allows to use EVS HAL implementations
+hal_client_domain(evsmanagerd, hal_evs)
+
+# Allows to write messages to the shell
+allow evsmanagerd shell:fd use;
+allow evsmanagerd shell:fifo_file write;
+
+# Allows to use the graphics allocator
+allow evsmanagerd hal_graphics_allocator:fd use;
+
+# Allows to use a bootstrap statsd
+allow evsmanagerd statsbootstrap_service:service_manager find;
+
+# Allows binder IPCs to the CarService
+binder_call(evsmanagerd, appdomain)
+
+# For HIDL evs manager implementation
+allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
+allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
diff --git a/private/file.te b/private/file.te
index 5b6170f..9dd0615 100644
--- a/private/file.te
+++ b/private/file.te
@@ -54,9 +54,19 @@
# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dmesgd
+type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/odrefresh
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 4a04532..d8c6fbf 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -19,7 +19,7 @@
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
-/system_dlkm(/.*)? u:object_r:rootfs:s0
+/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
# Empty directories
/lost\+found u:object_r:rootfs:s0
@@ -291,12 +291,12 @@
/system/bin/remount u:object_r:remount_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
+/system/bin/dmesgd u:object_r:dmesgd_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
@@ -309,6 +309,7 @@
/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/mtectrl u:object_r:mtectrl_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
@@ -365,6 +366,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -375,6 +377,9 @@
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
+/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
+/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
#############################
# Vendor files
@@ -601,6 +606,7 @@
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dmesgd(/.*)? u:object_r:dmesgd_data_file:s0
/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a7cdeb8..f20251d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -262,6 +262,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -326,6 +327,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -391,3 +393,4 @@
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
+genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..a05f3de 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,6 +5,11 @@
app_domain(gmscore_app)
+# TODO(b/217368496): remove this.
+perfetto_producer(gmscore_app)
+can_profile_heap(gmscore_app)
+can_profile_perf(gmscore_app)
+
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(gmscore_app, sysfs_net)
@@ -31,6 +36,12 @@
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 2e4254c..35167d5 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,7 @@
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
@@ -51,11 +53,12 @@
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
+# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
+allow gpuservice fs_bpf:file { read write };
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
+# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
+allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)
diff --git a/private/lmkd.te b/private/lmkd.te
index aee1b7f..13828a4 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,4 +1,5 @@
typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
index 7112c4f..62d4196 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -10,6 +10,8 @@
neverallow logd {
file_type
-runtime_event_log_tags_file
+ # shell_data_file access is needed to dump bugreports
+ -shell_data_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
@@ -39,3 +41,11 @@
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 82dcdb2..bcbbfcc 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -1,7 +1,7 @@
###
### A domain for further sandboxing the MediaProvider mainline module.
###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
app_domain(mediaprovider_app)
diff --git a/private/mtectrl.te b/private/mtectrl.te
new file mode 100644
index 0000000..436dcae
--- /dev/null
+++ b/private/mtectrl.te
@@ -0,0 +1,10 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)
diff --git a/private/netd.te b/private/netd.te
index d87b9a6..10ba20e 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
typeattribute netd coredomain;
+typeattribute netd bpfdomain;
init_daemon_domain(netd)
@@ -18,6 +19,7 @@
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
set_prop(netd, ctl_mdnsd_prop)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ca3b515..06aadc2 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -1,4 +1,5 @@
typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
r_dir_file(netutils_wrapper, system_file);
@@ -17,6 +18,7 @@
# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b5..b105938 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,7 @@
# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
app_domain(network_stack);
net_domain(network_stack);
@@ -22,6 +24,7 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 9febf45..d716309 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -45,24 +45,6 @@
get_prop(odrefresh, device_config_runtime_native_prop)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
-# Use inherited stdin/stdout/stderr from composd which exec()'s
-# odrefesh.
-allow odrefresh composd:fd use;
-
-# Run binaries from the CompOS APEX in the same domain
-allow odrefresh system_file:file execute_no_trans;
-
-# Make binder calls back to composd
-binder_use(odrefresh)
-allow odrefresh compos_internal_service:service_manager find;
-binder_call(odrefresh, composd)
-
-# Run fd_server in its own domain
-domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
-
-# And kill it via SIGTERM
-allow odrefresh compos_fd_server:process signal;
-
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
diff --git a/private/perfetto.te b/private/perfetto.te
index 174855f..5897aed 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,10 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
@@ -52,6 +52,7 @@
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
@@ -68,7 +69,31 @@
###
### Neverallow rules
###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
diff --git a/private/platform_app.te b/private/platform_app.te
index 9764eab..20c9820 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -109,6 +109,10 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(platform_app)
+can_profile_perf(platform_app)
+
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676..c7d6ab1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -86,6 +86,13 @@
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
@@ -262,3 +269,6 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Allow reporting off body events to keystore.
+allow priv_app keystore:keystore2 report_off_body;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index efde321..1dc6849 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -23,7 +23,7 @@
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
- # Allow profcollectd to read system bootstrap libs.
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
@@ -48,6 +48,8 @@
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
+ # Allow profcollectd to call callbacks registered by system_server when ETM is ready.
+ binder_call(profcollectd, system_server)
add_service(profcollectd, profcollectd_service)
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
diff --git a/private/property.te b/private/property.te
index f63beb9..3f02c83 100644
--- a/private/property.te
+++ b/private/property.te
@@ -12,6 +12,7 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -557,6 +558,7 @@
domain
-init
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/property_contexts b/private/property_contexts
index 5a9f0e8..dcaa432 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -269,7 +269,7 @@
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
-bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
gsid. u:object_r:gsid_prop:s0
ro.gsid. u:object_r:gsid_prop:s0
@@ -464,6 +464,45 @@
persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+
+bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.profile.a2dp.sink.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.a2dp.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.asha.central.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.target.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.assist.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.unicast.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bass.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.csip.set_coordinator.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.gatt.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.ag.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.hf.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.device.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.host.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.mcp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.opp.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.nap.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.tbs.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.vc.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -612,6 +651,8 @@
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -668,6 +709,8 @@
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
+persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -697,7 +740,9 @@
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
+ro.boot.hypervisor.protected_vm.supported u:object_r:hypervisor_prop:s0 exact bool
ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string
+ro.boot.hypervisor.vm.supported u:object_r:hypervisor_prop:s0 exact bool
# These ro.X properties are set to values of ro.boot.X by property_service.
ro.baseband u:object_r:bootloader_prop:s0 exact string
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d47134b..5cf0711 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -137,7 +137,7 @@
isSystemServer=true domain=system_server_startup
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
diff --git a/private/service.te b/private/service.te
index 10461ec..cd2cec6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,8 +1,11 @@
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
@@ -12,5 +15,5 @@
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
-type compos_internal_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index bee400f..4fb4b29 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,41 +1,52 @@
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
+android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_config_service:s0
-android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
@@ -45,6 +56,7 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -65,8 +77,10 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
@@ -78,10 +92,11 @@
android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
-android.system.composd.internal u:object_r:compos_internal_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
+ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -112,6 +127,7 @@
cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
+cloudsearch u:object_r:cloudsearch_service:s0
cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
@@ -198,8 +214,11 @@
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
+logcat u:object_r:logcat_service:s0
+logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
+mdns u:object_r:mdns_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
@@ -305,6 +324,7 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
@@ -325,9 +345,10 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
-tv_iapp u:object_r:tv_iapp_service:s0
+tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
uce u:object_r:uce_service:s0
@@ -348,6 +369,7 @@
vpn_management u:object_r:vpn_management_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
+wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 1c7f657..bc7543b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -125,6 +125,9 @@
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow to use files supplied by hal_evs
+allow surfaceflinger hal_evs:fd use;
+
# Allow pushing jank event atoms to statsd
userdebug_or_eng(`
unix_socket_send(surfaceflinger, statsdw, statsd)
diff --git a/private/system_app.te b/private/system_app.te
index 460ad4b..77cca3d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -89,6 +89,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
@@ -103,6 +104,7 @@
dumpstate_service
installd_service
iorapd_service
+ mdns_service
netd_service
virtual_touchpad_service
vold_service
@@ -157,6 +159,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
+allow system_app cgroup_v2:dir w_dir_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 68792e8..fa66ff1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -8,12 +8,18 @@
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
userfaultfd_use(system_server)
+# TODO(b/217368496): remove this.
+perfetto_producer(system_server)
+can_profile_heap(system_server)
+can_profile_perf(system_server)
+
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -97,7 +103,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -277,6 +283,7 @@
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
+binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)
@@ -295,6 +302,7 @@
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -401,7 +409,7 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-allow system_server sysfs_type:dir search;
+allow system_server sysfs_type:dir r_dir_perms;
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
@@ -441,6 +449,7 @@
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
+allow system_server uhid_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
@@ -524,9 +533,9 @@
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Manage /data/backup.
@@ -690,6 +699,7 @@
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
+set_prop(system_server, dmesgd_start_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -780,6 +790,9 @@
# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)
+# Read hypervisor capabilities ro.boot.hypervisor.*
+get_prop(system_server, hypervisor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -867,6 +880,7 @@
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
@@ -881,6 +895,7 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')
@@ -915,6 +930,7 @@
clear_ns
clear_uid
get_state
+ list
lock
migrate_any_key
pull_metrics
@@ -1111,6 +1127,8 @@
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -1314,6 +1332,19 @@
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+}:file create_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
diff --git a/private/traced.te b/private/traced.te
index fc9a245..a6e200e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -118,4 +118,12 @@
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..05e1664 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,21 @@
# Run derive_classpath in our domain
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
-allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
-
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
+# Allow virtualizationservice to inspect hypervisor capabilities.
+get_prop(virtualizationservice, hypervisor_prop)
+
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
neverallow {
domain
-init
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index c6d482a..e4004e4 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -48,6 +48,15 @@
allow vold_prepare_subdirs mnt_expand_file:dir search;
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+}:dir relabelfrom;
+
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
diff --git a/public/app.te b/public/app.te
index 7de9c00..09e30ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -8,375 +8,6 @@
###
type appdomain_tmpfs, file_type;
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
###
### Neverallow rules
###
diff --git a/public/attributes b/public/attributes
index 07eecfc..e257bba 100644
--- a/public/attributes
+++ b/public/attributes
@@ -51,6 +51,9 @@
# All types in /system
attribute system_file_type;
+# All types in /system_dlkm
+attribute system_dlkm_file_type;
+
# All types in /vendor
attribute vendor_file_type;
@@ -219,6 +222,10 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
@@ -347,6 +354,7 @@
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
+hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
@@ -393,6 +401,7 @@
attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
+attribute evsmanager_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/bpfloader.te b/public/bpfloader.te
new file mode 100644
index 0000000..81c32ee
--- /dev/null
+++ b/public/bpfloader.te
@@ -0,0 +1 @@
+type bpfloader, domain, coredomain;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 577a465..d41339a 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -35,6 +35,7 @@
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/domain.te b/public/domain.te
index e7853ec..2be67f5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -100,7 +100,9 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
@@ -610,25 +612,6 @@
-update_engine
} system_block_device:blk_file { write append };
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
@@ -1279,8 +1262,9 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+# vendor, boot, and system_dlkm partitions.
+# TODO(b/218951883): Remove usage of system and rootfs as origin
+neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b1f186c..3f9a127 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -147,6 +147,7 @@
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
@@ -253,6 +254,7 @@
-apex_service
-dumpstate_service
-gatekeeper_service
+ -hal_wifi_supplicant_service
-virtual_touchpad_service
-vold_service
-default_android_service
@@ -262,6 +264,7 @@
apex_service
dumpstate_service
gatekeeper_service
+ hal_wifi_supplicant_service
virtual_touchpad_service
vold_service
}:service_manager find;
diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te
new file mode 100644
index 0000000..cde0380
--- /dev/null
+++ b/public/evsmanagerd.te
@@ -0,0 +1,2 @@
+# evsmanager daemon
+type evsmanagerd, domain;
diff --git a/public/file.te b/public/file.te
index 5850e7d..c0b7679 100644
--- a/public/file.te
+++ b/public/file.te
@@ -128,6 +128,7 @@
')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
+type fs_bpf_vendor, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
@@ -582,6 +583,9 @@
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
+# system_dlkm
+type system_dlkm_file, system_dlkm_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56..df70ab6 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,11 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
@@ -32,7 +36,7 @@
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..72fa308 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 789333a..09a40d8 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -1,5 +1,15 @@
hwbinder_use(hal_evs_client)
hwbinder_use(hal_evs_server)
+
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+
+# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+# except it allows evsmanagerd to add hal_evs_hwservice.
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
+allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
+neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
+
+# Allows to add a service
+hal_attribute_service(hal_evs, hal_evs_service)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 3ec6b96..b6d5d92 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
+
+# IAllocator stable-aidl
+hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
+binder_call(hal_graphics_allocator_server, servicemanager)
+binder_call(hal_graphics_allocator_client, servicemanager)
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
new file mode 100644
index 0000000..77d1d70
--- /dev/null
+++ b/public/hal_input_processor.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_processor_client, hal_input_processor_server)
+binder_call(hal_input_processor_server, servicemanager)
+
+hal_attribute_service(hal_input_processor, hal_input_processor_service)
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 7cef4a1..3d0202b 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+binder_call(hal_nfc_server, servicemanager)
hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+hal_attribute_service(hal_nfc, hal_nfc_service)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 8a1fbe5..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,13 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-hal_attribute_service(hal_telephony, hal_radio_config_service)
-hal_attribute_service(hal_telephony, hal_radio_data_service)
-hal_attribute_service(hal_telephony, hal_radio_messaging_service)
-hal_attribute_service(hal_telephony, hal_radio_modem_service)
-hal_attribute_service(hal_telephony, hal_radio_network_service)
-hal_attribute_service(hal_telephony, hal_radio_sim_service)
-hal_attribute_service(hal_telephony, hal_radio_voice_service)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 38bc49a..45cafaa 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,6 +2,9 @@
binder_call(hal_usb_client, hal_usb_server)
binder_call(hal_usb_server, hal_usb_client)
+hal_attribute_service(hal_usb, hal_usb_service)
+binder_call(hal_usb_server, servicemanager)
+
hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
allow hal_usb self:netlink_kobject_uevent_socket create;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index b508aa5..eeb72ba 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
-binder_call(hal_wifi_hostapd_server, servicemanager)
+binder_use(hal_wifi_hostapd_server)
allow hal_wifi_hostapd_server dumpstate:fifo_file write;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b4ff7aa..b531a22 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -5,8 +5,6 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
-binder_call(hal_wifi_supplicant_server, servicemanager)
-
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 5c3e4e7..362c41e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -98,6 +98,7 @@
mnt_user_file
system_data_file
system_data_root_file
+ system_dlkm_file
system_file
vendor_file
postinstall_mnt_dir
@@ -201,6 +202,7 @@
-nativetest_data_file
-privapp_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
}:dir { create search getattr open read setattr ioctl };
@@ -217,6 +219,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -237,6 +240,7 @@
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -258,6 +262,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -277,6 +282,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -286,6 +292,7 @@
allow init {
file_type
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-exec_type
@@ -590,6 +597,7 @@
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
+r_dir_file(init, system_dlkm_file_type)
r_dir_file(init, vendor_file_type)
allow init system_data_file:file { getattr read };
@@ -609,8 +617,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/public/keystore.te b/public/keystore.te
index 9535491..e1c58a4 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remotelyprovisionedkeypool_service)
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..899df88 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -87,6 +87,7 @@
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -150,6 +151,16 @@
-netutils_wrapper
} dnsresolver_service:service_manager find;
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} mdns_service:service_manager find;
+
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
diff --git a/public/property.te b/public/property.te
index 83dfc36..7957f8c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -16,7 +16,6 @@
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_internal_prop(boottime_prop)
- system_internal_prop(bpf_progs_loaded_prop)
system_internal_prop(charger_prop)
system_internal_prop(cold_boot_done_prop)
system_internal_prop(ctl_adbd_prop)
@@ -121,6 +120,7 @@
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(bluetooth_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
@@ -181,6 +181,7 @@
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
+system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_status_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
@@ -235,7 +236,6 @@
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
system_public_prop(boottime_prop)
- system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_prop)
system_public_prop(cold_boot_done_prop)
system_public_prop(ctl_adbd_prop)
diff --git a/public/service.te b/public/service.te
index 0e9488c..8c4ae56 100644
--- a/public/service.te
+++ b/public/service.te
@@ -13,7 +13,9 @@
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
+type evsmanagerd_service, service_manager_type;
type fingerprintd_service, service_manager_type;
+type fwk_automotive_display_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
@@ -27,6 +29,7 @@
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
+type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
@@ -35,6 +38,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remotelyprovisionedkeypool_service, service_manager_type;
type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
@@ -59,7 +63,7 @@
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
+type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -157,7 +161,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type nearby_service, system_server_service, service_manager_type;
+type nearby_service, system_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -243,6 +247,7 @@
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
@@ -264,31 +269,31 @@
type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
+type hal_drm_service, vendor_service, service_manager_type;
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
+type hal_evs_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_allocator_service, vendor_service, service_manager_type;
type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_input_processor_service, vendor_service, protected_service, service_manager_type;
type hal_ir_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
type hal_neuralnetworks_service, vendor_service, service_manager_type;
+type hal_nfc_service, vendor_service, protected_service, service_manager_type;
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_sensors_service, vendor_service, protected_service, service_manager_type;
@@ -296,6 +301,7 @@
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
+type hal_usb_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 60e3521..4175c86 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,6 +85,7 @@
-incident_service
-installd_service
-iorapd_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
diff --git a/public/te_macros b/public/te_macros
index c112cc1..5c3438f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -196,6 +196,8 @@
# permission to create a vsock; the client can only connect to VMs
# that it owns.
allow $1 virtualizationservice:vsock_socket { getattr read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
')
#####################################
@@ -1021,3 +1023,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 03c4944..1ab150d 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -12,6 +12,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..4e3c7c2 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -60,8 +60,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c6e5e82..bc6d3b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -50,6 +50,7 @@
file_type
-core_data_file_type
-exec_type
+ -system_dlkm_file_type
-system_file_type
-mnt_product_file
-password_slot_metadata_file
@@ -71,6 +72,7 @@
-password_slot_metadata_file
-ota_metadata_file
-runtime_event_log_tags_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -88,6 +90,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -104,6 +107,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -120,6 +124,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_metadata_file
@@ -191,8 +196,7 @@
allow vendor_init misc_block_device:blk_file w_file_perms;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;
@@ -220,6 +224,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
diff --git a/tests/Android.bp b/tests/Android.bp
index 78a631f..8ca952d 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -25,34 +25,46 @@
},
}
+python_library_host {
+ name: "mini_cil_parser",
+ srcs: ["mini_parser.py"],
+}
+
+python_library_host {
+ name: "pysepolwrap",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ ],
+}
+
python_binary_host {
name: "treble_sepolicy_tests",
srcs: [
- "fc_sort.py",
- "mini_parser.py",
- "policy.py",
"treble_sepolicy_tests.py",
],
+ libs: [
+ "mini_cil_parser",
+ "pysepolwrap",
+ ],
data: [":libsepolwrap"],
}
python_binary_host {
name: "sepolicy_tests",
srcs: [
- "fc_sort.py",
- "policy.py",
"sepolicy_tests.py",
],
+ libs: ["pysepolwrap"],
data: [":libsepolwrap"],
}
python_binary_host {
name: "searchpolicy",
srcs: [
- "fc_sort.py",
- "policy.py",
"searchpolicy.py",
],
+ libs: ["pysepolwrap"],
required: ["libsepolwrap"],
}
@@ -60,8 +72,8 @@
name: "combine_maps",
srcs: [
"combine_maps.py",
- "mini_parser.py",
],
+ libs: ["mini_cil_parser"],
}
python_binary_host {
diff --git a/tests/policy.py b/tests/policy.py
index 06157fd..60c6962 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -396,7 +396,8 @@
self.__libsepolwrap = lib
def __GenfsDictAdd(self, Dict, buf):
- fs, path, context = buf.split(" ")
+ fs, buf = buf.split(' ', 1)
+ path, context = buf.rsplit(' ', 1)
Type = context.split(":")[2]
if not fs in Dict:
Dict[fs] = {Type}
diff --git a/tools/Android.bp b/tools/Android.bp
index c480dc2..fcf375d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -63,3 +63,10 @@
name: "insertkeys",
srcs: ["insertkeys.py"],
}
+
+python_binary_host {
+ name: "sepolicy_generate_compat",
+ srcs: ["sepolicy_generate_compat.py"],
+ libs: ["mini_cil_parser", "pysepolwrap"],
+ data: [":libsepolwrap"],
+}
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
new file mode 100644
index 0000000..17a4d75
--- /dev/null
+++ b/tools/sepolicy_generate_compat.py
@@ -0,0 +1,376 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import distutils.ccompiler
+import glob
+import logging
+import mini_parser
+import os
+import policy
+import shutil
+import subprocess
+import sys
+import tempfile
+import zipfile
+"""This tool generates a mapping file for {ver} core sepolicy."""
+
+temp_dir = ''
+compat_cil_template = ";; This file can't be empty.\n"
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ %s
+ ))
+"""
+
+
+def check_run(cmd, cwd=None):
+ if cwd:
+ logging.debug('Running cmd at %s: %s' % (cwd, cmd))
+ else:
+ logging.debug('Running cmd: %s' % cmd)
+ subprocess.run(cmd, cwd=cwd, check=True)
+
+
+def check_output(cmd):
+ logging.debug('Running cmd: %s' % cmd)
+ return subprocess.run(cmd, check=True, stdout=subprocess.PIPE)
+
+
+def get_android_build_top():
+ ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP')
+ if not ANDROID_BUILD_TOP:
+ sys.exit(
+ 'Error: Missing ANDROID_BUILD_TOP env variable. Please run '
+ '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.')
+ return ANDROID_BUILD_TOP
+
+
+def fetch_artifact(branch, build, pattern, destination='.'):
+ """Fetches build artifacts from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from
+ build: string, build ID or "latest"
+ pattern: string, pattern of build artifact file name
+ destination: string, destination to pull build artifact to
+ """
+ fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact'
+ cmd = [
+ fetch_artifact_path, '--branch', branch, '--target',
+ 'aosp_arm64-userdebug'
+ ]
+ if build == 'latest':
+ cmd.append('--latest')
+ else:
+ cmd.extend(['--bid', build])
+ cmd.extend([pattern, destination])
+ check_run(cmd)
+
+
+def extract_mapping_file_from_img(img_path, ver, destination='.'):
+ """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file.
+
+ Args:
+ img_path: string, path to system.img file
+ ver: string, version of designated mapping file
+ destination: string, destination to pull the mapping file to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+
+ cmd = [
+ 'debugfs', '-R',
+ 'cat system/etc/selinux/mapping/10000.0.cil', img_path
+ ]
+ path = os.path.join(destination, '%s.cil' % ver)
+ with open(path, 'wb') as f:
+ logging.debug('Extracting %s.cil to %s' % (ver, destination))
+ f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
+ return path
+
+
+def download_mapping_file(branch, build, ver, destination='.'):
+ """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev")
+ build: string, build ID or "latest"
+ ver: string, version of designated mapping file (e.g. "32.0")
+ destination: string, destination to pull build artifact to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+ logging.info('Downloading %s mapping file from branch %s build %s...' %
+ (ver, branch, build))
+ artifact_pattern = 'aosp_arm64-img-*.zip'
+ fetch_artifact(branch, build, artifact_pattern, temp_dir)
+
+ # glob must succeed
+ zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
+ with zipfile.ZipFile(zip_path) as zip_file:
+ logging.debug('Extracting system.img to %s' % temp_dir)
+ zip_file.extract('system.img', temp_dir)
+
+ system_img_path = os.path.join(temp_dir, 'system.img')
+ return extract_mapping_file_from_img(system_img_path, ver, destination)
+
+
+def build_base_files(target_version):
+ """ Builds needed base policy files from the source code.
+
+ Args:
+ target_version: string, target version to gerenate the mapping file
+
+ Returns:
+ (string, string, string), paths to base policy, old policy, and pub policy
+ cil
+ """
+ logging.info('building base sepolicy files')
+ build_top = get_android_build_top()
+
+ cmd = [
+ 'build/soong/soong_ui.bash',
+ '--make-mode',
+ 'dist',
+ 'base-sepolicy-files-for-mapping',
+ 'TARGET_PRODUCT=aosp_arm64',
+ 'TARGET_BUILD_VARIANT=userdebug',
+ ]
+ check_run(cmd, cwd=build_top)
+
+ dist_dir = os.path.join(build_top, 'out', 'dist')
+ base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy')
+ old_policy_path = os.path.join(dist_dir,
+ '%s_plat_sepolicy' % target_version)
+ pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil')
+
+ return base_policy_path, old_policy_path, pub_policy_cil_path
+
+
+def change_api_level(versioned_type, api_from, api_to):
+ """ Verifies the API version of versioned_type, and changes it to new API level.
+
+ For example, change_api_level("foo_32_0", "32.0", "31.0") will return
+ "foo_31_0".
+
+ Args:
+ versioned_type: string, type with version suffix
+ api_from: string, api version of versioned_type
+ api_to: string, new api version for versioned_type
+
+ Returns:
+ string, a new versioned type
+ """
+ old_suffix = api_from.replace('.', '_')
+ new_suffix = api_to.replace('.', '_')
+ if not versioned_type.endswith(old_suffix):
+ raise ValueError('Version of type %s is different from %s' %
+ (versioned_type, api_from))
+ return versioned_type.removesuffix(old_suffix) + new_suffix
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--branch',
+ required=True,
+ help='Branch to pull build from. e.g. "sc-v2-dev"')
+ parser.add_argument('--build', required=True, help='Build ID, or "latest"')
+ parser.add_argument(
+ '--target-version',
+ required=True,
+ help='Target version of designated mapping file. e.g. "32.0"')
+ parser.add_argument(
+ '--latest-version',
+ required=True,
+ help='Latest version for mapping of newer types. e.g. "31.0"')
+ parser.add_argument(
+ '-v',
+ '--verbose',
+ action='count',
+ default=0,
+ help='Increase output verbosity, e.g. "-v", "-vv".')
+ return parser.parse_args()
+
+
+def main():
+ args = get_args()
+
+ verbosity = min(args.verbose, 2)
+ logging.basicConfig(
+ format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
+ level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity])
+
+ global temp_dir
+ temp_dir = tempfile.mkdtemp()
+
+ try:
+ libpath = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
+ distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit(
+ 'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
+ )
+
+ build_top = get_android_build_top()
+ sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
+
+ # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
+ mapping_file = download_mapping_file(
+ args.branch, args.build, args.target_version, destination=temp_dir)
+ mapping_file_cil = mini_parser.MiniCilParser(mapping_file)
+ mapping_file_cil.types = set()
+ mapping_file_cil.typeattributes = set()
+
+ # Step 2. Build base policy files and parse latest mapping files
+ base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files(
+ args.target_version)
+ base_policy = policy.Policy(base_policy_path, None, libpath)
+ old_policy = policy.Policy(old_policy_path, None, libpath)
+ pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path)
+
+ all_types = base_policy.GetAllTypes(False)
+ old_all_types = old_policy.GetAllTypes(False)
+ pub_types = pub_policy_cil.types
+
+ # Step 3. Find new types and removed types
+ new_types = pub_types & (all_types - old_all_types)
+ removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & (
+ old_all_types - all_types)
+
+ logging.info('new types: %s' % new_types)
+ logging.info('removed types: %s' % removed_types)
+
+ # Step 4. Map new types and removed types appropriately, based on the latest mapping
+ latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.latest_version)
+ latest_mapping_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path, args.latest_version + '.cil'))
+ latest_ignore_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path,
+ args.latest_version + '.ignore.cil'))
+
+ latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys())
+ latest_removed_types = latest_mapping_cil.types
+ logging.debug('types ignored in latest policy: %s' %
+ latest_ignored_types)
+ logging.debug('types removed in latest policy: %s' %
+ latest_removed_types)
+
+ target_ignored_types = set()
+ target_removed_types = set()
+ invalid_new_types = set()
+ invalid_mapping_types = set()
+ invalid_removed_types = set()
+
+ logging.info('starting mapping')
+ for new_type in new_types:
+ # Either each new type should be in latest_ignore_cil, or mapped to existing types
+ if new_type in latest_ignored_types:
+ logging.debug('adding %s to ignore' % new_type)
+ target_ignored_types.add(new_type)
+ elif new_type in latest_mapping_cil.rTypeattributesets:
+ latest_mapped_types = latest_mapping_cil.rTypeattributesets[
+ new_type]
+ target_mapped_types = {change_api_level(t, args.latest_version,
+ args.target_version)
+ for t in latest_mapped_types}
+ logging.debug('mapping %s to %s' %
+ (new_type, target_mapped_types))
+
+ for t in target_mapped_types:
+ if t not in mapping_file_cil.typeattributesets:
+ logging.error(
+ 'Cannot find desired type %s in mapping file' % t)
+ invalid_mapping_types.add(t)
+ continue
+ mapping_file_cil.typeattributesets[t].add(new_type)
+ else:
+ logging.error('no mapping information for new type %s' %
+ new_type)
+ invalid_new_types.add(new_type)
+
+ for removed_type in removed_types:
+ # Removed type should be in latest_mapping_cil
+ if removed_type in latest_removed_types:
+ logging.debug('adding %s to removed' % removed_type)
+ target_removed_types.add(removed_type)
+ else:
+ logging.error('no mapping information for removed type %s' %
+ removed_type)
+ invalid_removed_types.add(removed_type)
+
+ error_msg = ''
+
+ if invalid_new_types:
+ error_msg += ('The following new types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_new_types)
+ if invalid_mapping_types:
+ error_msg += (
+ 'The following existing types were not in the '
+ 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types)
+ if invalid_removed_types:
+ error_msg += ('The following removed types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_removed_types)
+
+ if error_msg:
+ error_msg += '\n'
+ error_msg += ('Please make sure the source tree and the build ID is'
+ ' up to date.\n')
+ sys.exit(error_msg)
+
+ # Step 5. Write to system/sepolicy/private/compat
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+ target_mapping_file = os.path.join(target_compat_path,
+ args.target_version + '.cil')
+ target_compat_file = os.path.join(target_compat_path,
+ args.target_version + '.compat.cil')
+ target_ignore_file = os.path.join(target_compat_path,
+ args.target_version + '.ignore.cil')
+
+ with open(target_mapping_file, 'w') as f:
+ logging.info('writing %s' % target_mapping_file)
+ if removed_types:
+ f.write(';; types removed from current policy\n')
+ f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
+ f.write('\n\n')
+ f.write(mapping_file_cil.unparse())
+
+ with open(target_compat_file, 'w') as f:
+ logging.info('writing %s' % target_compat_file)
+ f.write(compat_cil_template)
+
+ with open(target_ignore_file, 'w') as f:
+ logging.info('writing %s' % target_ignore_file)
+ f.write(ignore_cil_template %
+ ('\n '.join(sorted(target_ignored_types))))
+ finally:
+ logging.info('Deleting temporary dir: {}'.format(temp_dir))
+ shutil.rmtree(temp_dir)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 011001b..6a56d58 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -85,6 +85,9 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+# TODO(b/214336258): move to Soong
+$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
+
$(version)_plat_policy.conf :=
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4fc0460..4faa05a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,9 +8,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-default-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -25,12 +25,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
@@ -51,6 +53,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.processor-service u:object_r:hal_input_processor_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.example u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
@@ -87,6 +90,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
new file mode 100644
index 0000000..ab474d6
--- /dev/null
+++ b/vendor/hal_drm_clearkey.te
@@ -0,0 +1,6 @@
+type hal_drm_clearkey_aidl, domain;
+type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey_aidl)
+
+hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 57a0299..d1d4559 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -6,10 +6,19 @@
type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_evs_default)
-allow hal_evs_default hal_graphics_allocator_server:fd use;
-
-# allow to use surface flinger
-allow hal_evs_default automotive_display_service_server:fd use;
+# allow to use a graphic buffer
+hal_client_domain(hal_evs_default, hal_configstore)
+hal_client_domain(hal_evs_default, hal_graphics_allocator)
+hal_client_domain(hal_evs_default, hal_graphics_composer)
# allow to use automotive display service
+binder_call(hal_evs_default, automotive_display_service_server)
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+
+# allow to access EGL
+allow hal_evs_default gpu_device:chr_file rw_file_perms;
+allow hal_evs_default gpu_device:dir search;
+
+# allow to monitor uevents and access video devices
+allow hal_evs_default device:dir r_dir_perms;
+allow hal_evs_default video_device:chr_file rw_file_perms;
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
index 7f84687..550db95 100644
--- a/vendor/hal_identity_default.te
+++ b/vendor/hal_identity_default.te
@@ -3,3 +3,8 @@
type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_identity_default)
+
+# We need to get a handle to the IRemotelyProvisionedComponent, and it's hosted by
+# the keymint HAL.
+hal_client_domain(hal_identity_default, hal_keymint)
+
diff --git a/vendor/hal_input_processor_default.te b/vendor/hal_input_processor_default.te
new file mode 100644
index 0000000..33a5c41
--- /dev/null
+++ b/vendor/hal_input_processor_default.te
@@ -0,0 +1,5 @@
+type hal_input_processor_default, domain;
+hal_server_domain(hal_input_processor_default, hal_input_processor)
+
+type hal_input_processor_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_processor_default)