Merge "Ignore access to /proc/pagetypeinfo for Settings" into main
diff --git a/Android.bp b/Android.bp
index 038d92f..88107cc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -833,3 +833,45 @@
"-p $(location :precompiled_sepolicy) && " +
"touch $(out)",
}
+
+//////////////////////////////////
+// TestDevTypeViolations can't run on old devices (V or before)
+//////////////////////////////////
+
+soong_config_module_type {
+ name: "dev_type_test_genrule",
+ module_type: "genrule",
+ config_namespace: "ANDROID",
+ bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
+ properties: ["cmd"],
+}
+
+dev_type_test_genrule {
+ name: "sepolicy_dev_type_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_dev_type_test"],
+ soong_config_variables: {
+ CHECK_DEV_TYPE_VIOLATIONS: {
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) " +
+ "-t TestDevTypeViolations && " +
+ "touch $(out)",
+ conditions_default: {
+ cmd: "touch $(out)",
+ },
+ },
+ },
+}
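Review bot: The `conditions_default` branch (`cmd: "touch $(out)"`) makes the genrule succeed without ever invoking sepolicy_tests when CHECK_DEV_TYPE_VIOLATIONS is unset, so a misspelled or forgotten soong config variable silently disables the check instead of failing the build. A comment on that branch would make the intent explicit: `// Opt-out path: satisfy the dependency without running TestDevTypeViolations.` The header comment above the module could also name `ANDROID.CHECK_DEV_TYPE_VIOLATIONS` so readers know which variable enables the test.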
diff --git a/Android.mk b/Android.mk
index 384c416..63b74aa 100644
--- a/Android.mk
+++ b/Android.mk
@@ -240,6 +240,7 @@
# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
diff --git a/apex/Android.bp b/apex/Android.bp
index 21054fc..04fd5f6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -205,11 +205,10 @@
],
}
-filegroup {
+file_contexts {
name: "com.android.virt-file_contexts",
- srcs: [
- "com.android.virt-file_contexts",
- ],
+ defaults: ["contexts_flags_defaults"],
+ srcs: ["com.android.virt-file_contexts"],
}
filegroup {
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index afe9f51..78720aa 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,4 +3,6 @@
/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
-/bin/vfio_handler u:object_r:vfio_handler_exec:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ /bin/vfio_handler u:object_r:vfio_handler_exec:s0
+')
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 81d90d4..9e047df 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -119,6 +119,7 @@
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
@@ -144,6 +145,7 @@
"android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.vibrator.IVibratorControlService/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
"android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
"android.system.net.netd.INetd/default": []string{"netd_hw_service_fuzzer"},
@@ -176,6 +178,7 @@
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
// TODO(b/294158658): add fuzzer
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
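Review bot: The new `IRemotelyProvisionedComponent/avf` entry is placed directly under `// TODO(b/294158658): add fuzzer`, so the TODO now reads as belonging to the AVF RKP entry rather than (or as well as) the `android.system.virtualizationservice` line it originally preceded. If the bug covers both, say so in the comment, e.g. `// TODO(b/294158658): add fuzzer for virtualizationservice and its AVF RKP HAL`; otherwise insert the new entry after the existing one so the comment stays attached to its original target.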
@@ -309,7 +312,7 @@
"logd": EXCEPTION_NO_FUZZER,
"looper_stats": EXCEPTION_NO_FUZZER,
"lpdump_service": EXCEPTION_NO_FUZZER,
- "mdns": []string{"mdns_service_fuzzer"},
+ "mdns": EXCEPTION_NO_FUZZER,
"media.aaudio": EXCEPTION_NO_FUZZER,
"media.audio_flinger": []string{"audioflinger_aidl_fuzzer"},
"media.audio_policy": []string{"audiopolicy_aidl_fuzzer"},
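Review bot: The `mdns` entry replaces `[]string{"mdns_service_fuzzer"}` with `EXCEPTION_NO_FUZZER` and nothing in the hunk explains why, which as written removes fuzz coverage from what appears to be a network-facing service. Other exceptions in this table carry a bug reference (the TODO earlier in the file); add one here, e.g. `// TODO(b/<bug-id>): mdns_service_fuzzer removed, restore coverage`, or if the fuzzer was only renamed, bind the new name instead of dropping the entry.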
@@ -447,6 +450,7 @@
"translation": EXCEPTION_NO_FUZZER,
"transparency": EXCEPTION_NO_FUZZER,
"trust": EXCEPTION_NO_FUZZER,
+ "tv_ad": EXCEPTION_NO_FUZZER,
"tv_interactive_app": EXCEPTION_NO_FUZZER,
"tv_input": EXCEPTION_NO_FUZZER,
"tv_tuner_resource_mgr": EXCEPTION_NO_FUZZER,
@@ -460,11 +464,10 @@
"uwb": EXCEPTION_NO_FUZZER,
"vcn_management": EXCEPTION_NO_FUZZER,
"vibrator": EXCEPTION_NO_FUZZER,
- "vibrator_control": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
- "virtual_camera_service": EXCEPTION_NO_FUZZER,
+ "virtual_camera": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
diff --git a/flagging/Android.bp b/flagging/Android.bp
index babd034..b61b41d 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -16,14 +16,14 @@
se_policy_conf_defaults {
name: "se_policy_conf_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
- flags: [],
+ flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
}
contexts_defaults {
name: "contexts_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
- flags: [],
+ flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
}
filegroup {
diff --git a/flagging/te_macros b/flagging/te_macros
index a81ec1b..3464502 100644
--- a/flagging/te_macros
+++ b/flagging/te_macros
@@ -1,9 +1,9 @@
####################################
# is_flag_enabled(flag, rules)
# SELinux rules which apply only if given feature is turned on
-define(`is_flag_enabled', `ifelse(target_flag_$1, `true', $2, )')
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
####################################
# is_flag_disabled(flag, rules)
# SELinux rules which apply only if given feature is turned off
-define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , $2)')
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
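Review bot: Quoting `$2` in both macros is load-bearing — it is presumably what lets a rules body containing commas (e.g. `type vfio_handler, domain, coredomain;`, used in the flagged blocks elsewhere in this change) pass through `ifelse` as a single argument — but neither header comment records this, so a later cleanup could drop the quotes and reintroduce the breakage. Suggest adding to each header: `# The rules argument is quoted so commas and newlines inside it reach the output intact.`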
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 83e3b3d..5bbfecc 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,16 +9,20 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ fwk_vibrator_control_service
hal_authgraph_service
- vibrator_control_service
+ hal_secretkeeper_service
hal_codec2_service
hal_macsec_service
+ hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
remote_auth_service
security_state_service
+ setupwizard_mode_prop
sysfs_sync_on_suspend
+ tv_ad_service
threadnetwork_service
device_config_aconfig_flags_prop
proc_memhealth
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..5442ea3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
@@ -150,7 +151,7 @@
-apexd
-init
-ueventd
- -vfio_handler
+ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
-vold
} sysfs:file no_rw_file_perms;
diff --git a/private/keystore.te b/private/keystore.te
index 73961ac..b81ccfa 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,6 +11,11 @@
# talk to keymint
hal_client_domain(keystore, hal_keymint)
+# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
+# access it.
+# TODO(b/312427637): Investigate the reason and fix the denial.
+dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/property.te b/private/property.te
index e1b42a0..d599751 100644
--- a/private/property.te
+++ b/private/property.te
@@ -27,6 +27,7 @@
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
+system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
@@ -605,6 +606,12 @@
neverallow {
domain
-init
+ -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
diff --git a/private/property_contexts b/private/property_contexts
index f4e6ff4..3771873 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -62,6 +62,7 @@
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
+persist.logd.audit.rate u:object_r:logd_auditrate_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
@@ -338,6 +339,10 @@
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -618,6 +623,7 @@
bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.le.dsa_transport_preference u:object_r:bluetooth_config_prop:s0 exact string
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.nfc.vendor_debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -1136,6 +1142,7 @@
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_frozen u:object_r:build_vendor_prop:s0 exact bool
+ro.llndk.api_level u:object_r:build_vendor_prop:s0 exact int
ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1482,6 +1489,8 @@
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.mode u:object_r:setupwizard_mode_prop:s0 exact string
+
setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 509a96e..e7809e9 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -9,6 +9,7 @@
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
+hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 74701df..957d005 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -56,6 +56,12 @@
# as the current dessert release, with additional auditing rules for the accesses
# we are considering forbidding in the upcoming release.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
# An unspecified isSdkSandboxNext defaults to false.
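Review bot: The six added comment lines repeat, word for word, the sdk_sandbox_next/sdk_sandbox_audit paragraph that ends immediately above them (`...we are considering forbidding in the upcoming release.`), and the next hunk in this file does the same for the isSdkSandboxAudit paragraph; this looks like a merge artifact rather than intended documentation. Drop the duplicated lines in both hunks so the block reads once.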
@@ -64,6 +70,10 @@
# sdk_sandbox_audit sepolicy applied to them.
# An unspecified isSdkSandboxAudit defaults to false.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -172,7 +182,6 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
-user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/service.te b/private/service.te
index 861afb3..2f5241c 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,6 @@
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
-type bg_install_control_service, system_server_service, service_manager_type;
+type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
@@ -21,6 +21,10 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
-type vfio_handler_service, service_manager_type;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ type vfio_handler_service, service_manager_type;
+')
+
type uce_service, service_manager_type;
type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 898cb14..90fb943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
android.frameworks.location.altitude.IAltitudeService/default u:object_r:fwk_altitude_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
+android.frameworks.vibrator.IVibratorControlService/default u:object_r:fwk_vibrator_control_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
@@ -93,6 +94,7 @@
android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
@@ -122,6 +124,7 @@
android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
@@ -152,7 +155,9 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
-android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
@@ -423,6 +428,7 @@
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
+tv_ad u:object_r:tv_ad_service:s0
tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -436,8 +442,8 @@
uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
-vibrator_control u:object_r:vibrator_control_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtual_camera u:object_r:virtual_camera_service:s0
virtualdevice u:object_r:virtual_device_service:s0
virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
diff --git a/private/shell.te b/private/shell.te
index e410862..f32395e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -159,6 +159,8 @@
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
+# adjust SELinux audit rates
+set_prop(shell, logd_auditrate_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
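Review bot: `set_prop(shell, logd_auditrate_prop)` is unconditional, whereas the neighbouring `userdebug_or_eng(`set_prop(shell, log_prop)')` gates the comparable logging knob to debuggable builds; as written, the shell domain on a user build can change the SELinux audit rate and thereby reduce denial visibility. Unless user-build access is intended, gate it the same way: `userdebug_or_eng(`set_prop(shell, logd_auditrate_prop)')`. How logd interprets the property is not visible in this diff, so the impact should be confirmed with the logd change that introduced it.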
diff --git a/private/system_server.te b/private/system_server.te
index 97e64af..8c26cc7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -298,6 +298,7 @@
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
+binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
@@ -329,6 +330,7 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 1b553e9..963809e 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -1,35 +1,37 @@
-# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
-# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
-type vfio_handler, domain, coredomain;
-type vfio_handler_exec, system_file_type, exec_type, file_type;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+ # vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+ type vfio_handler, domain, coredomain;
+ type vfio_handler_exec, system_file_type, exec_type, file_type;
-# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
-init_daemon_domain(vfio_handler)
+ # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+ init_daemon_domain(vfio_handler)
-# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
-add_service(vfio_handler, vfio_handler_service)
+ # Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+ add_service(vfio_handler, vfio_handler_service)
-# Let the vfio_handler domain use Binder.
-binder_use(vfio_handler)
+ # Let the vfio_handler domain use Binder.
+ binder_use(vfio_handler)
-# Allow vfio_handler to check if VFIO is supported
-allow vfio_handler vfio_device:chr_file getattr;
-allow vfio_handler vfio_device:dir r_dir_perms;
+ # Allow vfio_handler to check if VFIO is supported
+ allow vfio_handler vfio_device:chr_file getattr;
+ allow vfio_handler vfio_device:dir r_dir_perms;
-# Allow vfio_handler to bind/unbind platform devices
-allow vfio_handler sysfs:dir r_dir_perms;
-allow vfio_handler sysfs:file rw_file_perms;
+ # Allow vfio_handler to bind/unbind platform devices
+ allow vfio_handler sysfs:dir r_dir_perms;
+ allow vfio_handler sysfs:file rw_file_perms;
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
-allow vfio_handler virtualizationservice:fd use;
-allow vfio_handler virtualizationservice_data_file:file write;
+ # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+ allow vfio_handler virtualizationservice:fd use;
+ allow vfio_handler virtualizationservice_data_file:file write;
-# vfio_handler can only use fd from virtualizationservice, and can't open files itself
-neverallow vfio_handler virtualizationservice_data_file:file { open create };
+ # vfio_handler can only use fd from virtualizationservice, and cannot open files itself
+ neverallow vfio_handler virtualizationservice_data_file:file { open create };
-# Allow vfio_handler to search /dev/block for accessing dtbo.img
-allow vfio_handler block_device:dir search;
-allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+ # Allow vfio_handler to search /dev/block for accessing dtbo.img
+ allow vfio_handler block_device:dir search;
+ allow vfio_handler dtbo_block_device:blk_file r_file_perms;
-# Only vfio_handler can add vfio_handler_service
-neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+ # Only vfio_handler can add vfio_handler_service
+ neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 765a59f..5739d5f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -9,6 +9,8 @@
# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
# we actually need from halserverdomain and hal_camera_server:
binder_use(virtual_camera)
+binder_call(virtual_camera, cameraserver)
+binder_call(virtual_camera, system_server)
# Allow virtual_camera to use fd from apps
allow virtual_camera { appdomain -isolated_app }:fd use;
@@ -18,3 +20,7 @@
# Allow virtual_camera to map graphic buffers
hal_client_domain(virtual_camera, hal_graphics_allocator)
+
+# Allow virtual_camera to use GPU
+allow virtual_camera gpu_device:chr_file rw_file_perms;
+allow virtual_camera gpu_device:dir r_dir_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 93cd04c..e17797e 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,9 +15,15 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Let virtualizationservice find and communicate with vfio_handler.
+ allow virtualizationservice vfio_handler_service:service_manager find;
+ binder_call(virtualizationservice, vfio_handler)
+')
+
+# Allow the virtualizationservice domain to serve a remotely provisioned component for
+# pVM remote attestation.
+hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
@@ -97,5 +103,7 @@
-virtualizationservice
}:process setrlimit;
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Only virtualizationservice can communicate to vfio_handler
+ neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+')
diff --git a/public/attributes b/public/attributes
index fa47b25..759b773 100644
--- a/public/attributes
+++ b/public/attributes
@@ -376,6 +376,8 @@
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(remoteaccess);
+hal_attribute(secretkeeper);
+hal_attribute(remotelyprovisionedcomponent_avf);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 496d95974..549e6c6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -178,6 +178,7 @@
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
diff --git a/public/hal_remotelyprovisionedcomponent_avf.te b/public/hal_remotelyprovisionedcomponent_avf.te
new file mode 100644
index 0000000..8cc7ce5
--- /dev/null
+++ b/public/hal_remotelyprovisionedcomponent_avf.te
@@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_remotelyprovisionedcomponent_avf_client, hal_remotelyprovisionedcomponent_avf_server)
+
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_remotelyprovisionedcomponent_avf, hal_remotelyprovisionedcomponent_avf_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_remotelyprovisionedcomponent_avf_server)
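Review bot: This new file grants `binder_use` only to the server attribute, while the sibling new file hal_secretkeeper.te in the same change grants it to both `_server` and `_client`; the two HAL files should follow one convention. If the client side is deliberately omitted because every expected client (rkpdapp, system_server) already has binder_use, a comment such as `# Clients are existing binder-capable domains; no binder_use needed here.` would preempt the question.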
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
new file mode 100644
index 0000000..809ed77
--- /dev/null
+++ b/public/hal_secretkeeper.te
@@ -0,0 +1,8 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 85b8e8c..6909ff2 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -14,4 +14,4 @@
allow hal_vibrator sysfs_vibrator:dir search;
# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
-allow hal_vibrator vibrator_control_service:service_manager find;
+allow hal_vibrator fwk_vibrator_control_service:service_manager find;
diff --git a/public/property.te b/public/property.te
index 1a5b105..44b0aef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -197,6 +197,7 @@
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/service.te b/public/service.te
index a208dcf..f2850a1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -117,7 +117,7 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
+type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
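Review bot: Adding `app_api_service` to `color_display_service` lets every app domain find and call the service, so access control now rests entirely on the permission checks inside system_server; nothing in the diff says why the wider exposure is needed. A short comment or bug reference on the type line would document the intent, and the in-service permission enforcement should be confirmed before the attribute is widened. The same question applies, to a lesser degree, to `bg_install_control_service` gaining `system_api_service` in private/service.te.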
@@ -136,6 +136,7 @@
type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
+type fwk_vibrator_control_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
@@ -243,6 +244,7 @@
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -254,7 +256,6 @@
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_control_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
@@ -319,8 +320,10 @@
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 2887740..a893cdb 100644
--- a/public/su.te
+++ b/public/su.te
@@ -90,6 +90,7 @@
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secretkeeper_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
diff --git a/tests/policy.py b/tests/policy.py
index 8fc2ef7..98133b7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -146,9 +146,9 @@
# DoNotMatchPrefix have the attribute Attr.
# For example assert that all types in /sys, and not in /sys/kernel/debugfs
# have the sysfs_type attribute.
- def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesPol = self.QueryTypeAttribute(Attr, True) | set(ExcludedTypes)
# Search file_contexts to find paths/types that should be associated with
# Attr.
PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
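Review bot: The new signature line uses a mutable list as a default, `ExcludedTypes = []`; the body only reads it through `set(ExcludedTypes)`, so nothing is corrupted today, but the idiomatic form is `def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes=None):` with `TypesPol = self.QueryTypeAttribute(Attr, True) | set(ExcludedTypes or ())`, which also drops the spaces around `=` that PEP 8 reserves for assignments. The comment block above the def describing MatchPrefix, DoNotMatchPrefix and Attr was not extended for the new parameter; add `# ExcludedTypes lists types that may appear under MatchPrefix without carrying Attr; they are treated as if they had it.` so callers see that the exclusion is by type name, not by path. The method body continues past the end of this hunk.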
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 4ef161b..7a341cb 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -265,6 +265,22 @@
"\"-isolated_app_all\". Violations are shown as the following: \n") + ret
return ret
+def TestDevTypeViolations(pol):
+ exceptions = [
+ "/dev/socket",
+ ]
+ exceptionTypes = [
+ "boringssl_self_test_marker", # /dev/boringssl/selftest
+ "cgroup_rc_file", # /dev/cgroup.rc
+ "dev_cpu_variant", # /dev/cpu_variant:{arch}
+ "fscklogs", # /dev/fscklogs
+ "properties_serial", # /dev/__properties__/properties_serial
+ "property_info", # /dev/__properties__/property_info
+ "runtime_event_log_tags_file", # /dev/event-log-tags
+ ]
+ return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
+ "dev_type", exceptionTypes)
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
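Review bot: TestDevTypeViolations has no docstring, and neither exception list states what qualifies an entry, which is the one thing that matters for a test whose value depends on those lists staying short. Suggest a docstring saying that the test asserts every type labeling a path under /dev carries dev_type, that `exceptions` skips whole path prefixes (everything under /dev/socket, presumably because entries there carry socket labels rather than device labels) while `exceptionTypes` exempts individual types by name, and that any new entry in either list must carry a comment naming the path it covers, as the existing entries do. Naming inside the function is also inconsistent, `exceptions` next to `exceptionTypes`; `exceptionPrefixes` would read as the pair. The function is complete within the hunk.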
@@ -298,6 +314,7 @@
"TestCoredomainViolations",
"TestViolatorAttributes",
"TestIsolatedAttributeConsistency",
+ "TestDevTypeViolations",
]
def do_main(libpath):
@@ -366,6 +383,10 @@
if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
results += TestIsolatedAttributeConsistency(test_policy)
+ # dev type test won't be run as default
+ if options.test and "TestDevTypeViolations" in options.test:
+ results += TestDevTypeViolations(pol)
+
if len(results) > 0:
sys.exit(results)
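Review bot: The new condition `if options.test and "TestDevTypeViolations" in options.test:` deliberately inverts the pattern of the line above it (`options.test is None or ...`), making this the only test that is opt-in, but the comment `# dev type test won't be run as default` does not say that this is intentional or why, so a later reader may "fix" it to match the others. Suggest `# Opt-in only: unlike the other tests, TestDevTypeViolations runs solely when requested explicitly with -t and is never part of the default run.` do_main starts before this hunk.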
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1c393f1..6888987 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -100,6 +100,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure u:object_r:hal_secretkeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
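Review bot: The added entry `android\.hardware\.security\.secretkeeper-service.nonsecure` leaves the dot before `nonsecure` unescaped, while the authgraph line two lines above escapes it as `\.nonsecure`; file_contexts patterns are regular expressions, so the bare `.` matches any single character and the pattern is looser than the neighbouring entries. Change the line to `/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service\.nonsecure u:object_r:hal_secretkeeper_default_exec:s0`. The pre-existing secure_element line at the top of the hunk has the same slip in `service.example`, which this commit does not touch.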
diff --git a/vendor/hal_secretkeeper_default.te b/vendor/hal_secretkeeper_default.te
new file mode 100644
index 0000000..50f4ac1
--- /dev/null
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)
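Review bot: The new file carries no comment saying which binary is confined by hal_secretkeeper_default; the vendor/file_contexts hunk in this same change labels `android.hardware.security.secretkeeper-service.nonsecure` with hal_secretkeeper_default_exec, and the `nonsecure` suffix suggests a reference rather than a production implementation. A one-line header such as `# Domain for the Secretkeeper HAL service binary labeled hal_secretkeeper_default_exec in vendor/file_contexts (the nonsecure reference service).` would make that visible to anyone reviewing which domain a device's real Secretkeeper implementation should use.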