Merge "cronet: remove com.android.cronet sepolicy"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f706339..8e11850 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -133,6 +133,7 @@
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
"android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
@@ -333,6 +334,7 @@
"nfc": EXCEPTION_NO_FUZZER,
"notification": EXCEPTION_NO_FUZZER,
"oem_lock": EXCEPTION_NO_FUZZER,
+ "ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
"overlay": EXCEPTION_NO_FUZZER,
"pac_proxy": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index d259e1c..bd93f6e 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -30,7 +30,10 @@
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
-# Don't audit because we don't configure the compiler through system properties
-# in the VM.
-dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
+# Allow reading dalvik system properties that may affect compilation
+get_prop(dex2oat, dalvik_config_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
+# Don't audit because we don't configure the compiler through these
+# properties in the VM.
dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 7e26f53..51372ad 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -45,6 +45,9 @@
# Allow microdroid_manager to start encryptedstore binary
domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
+# Microdroid Manager needs read related permission for syncing encrypted storage fs
+allow microdroid_manager encryptedstore_file:dir r_dir_perms;
+
# Allow microdroid_manager to run kexec to load crashkernel
domain_auto_trans(microdroid_manager, kexec_exec, kexec)
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index cf9ea02..c5837f9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -12,7 +12,7 @@
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index 6112ae0..b40f6b9 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -57,6 +57,12 @@
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
+# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app wm_trace_data_file:dir rw_dir_perms;
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
diff --git a/private/app.te b/private/app.te
index 8838782..49b8cde 100644
--- a/private/app.te
+++ b/private/app.te
@@ -5,7 +5,7 @@
r_dir_file({
appdomain
-ephemeral_app
- -isolated_app
+ -isolated_app_all
-platform_app
-priv_app
-shell
@@ -18,7 +18,7 @@
auditallow {
appdomain
-ephemeral_app
- -isolated_app
+ -isolated_app_all
-platform_app
-priv_app
-shell
@@ -58,8 +58,6 @@
# Allow to ro.camerax.extensions.enabled
get_prop(appdomain, camerax_extensions_prop)
-userdebug_or_eng(`perfetto_producer({ appdomain })')
-
# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
@@ -149,53 +147,53 @@
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
#logd access
control_logd({ appdomain -ephemeral_app -sdk_sandbox })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
-use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
# For app fuse.
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@@ -221,8 +219,8 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
@@ -259,11 +257,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -274,7 +272,7 @@
allow appdomain misc_user_data_file:file r_file_perms;
# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+r_dir_file({ appdomain -isolated_app_all }, textclassifier_data_file)
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
@@ -293,7 +291,7 @@
full_treble_only(`
# For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
+ allow { appdomain -isolated_app_all } vendor_file:dir { open read };
')
# Allow apps access to /vendor/overlay
@@ -358,6 +356,12 @@
allow appdomain user_profile_data_file:dir w_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;
+# Allow writing performance tracing data into the perfetto traced daemon.
+# Needed for java heap graph ART plugin (perfetto_hprof).
+# The perfetto profiling daemon will check for the specific application's
+# opt-in/opt-out.
+perfetto_producer(appdomain)
+
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
@@ -368,9 +372,9 @@
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
-allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+allow { appdomain -isolated_app_all } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app_all } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app_all } sysfs_gpu:file r_file_perms;
# Use the Binder.
@@ -382,7 +386,7 @@
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
+binder_call({ appdomain -isolated_app_all }, gpuservice)
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
@@ -403,10 +407,10 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
# For art.
allow appdomain dalvikcache_data_file:file execute;
@@ -435,21 +439,21 @@
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all } dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
+allow { appdomain -isolated_app_all } hal_audio:fd use;
# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
+allow { appdomain -isolated_app_all } hal_camera:fd use;
# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;
# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
# TODO: switch to meminfo service
@@ -491,7 +495,7 @@
# from read-only locations.
neverallow {
bluetooth
- isolated_app
+ isolated_app_all
nfc
radio
shared_relro
@@ -505,6 +509,18 @@
-apk_data_file
}:file no_x_file_perms;
-# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
-neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
-neverallow { appdomain -gmscore_app } checkin_data_file:file *;
+# Don't allow apps access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+}:chr_file { read write };
+
+# Block video device access for all apps except the DeviceAsWebcam Service which
+# needs access to /dev/video* for interfacing with the host
+neverallow {
+ appdomain
+ -device_as_webcam
+} video_device:chr_file { read write };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5d5723e..ea10df5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,6 +5,8 @@
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
+ isolated_app_all
+ isolated_compute_app
mediaprovider
mediaprovider_app
untrusted_app
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8aa288e..6552d63 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -142,18 +142,15 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
-# Only allow app_zygote to talk to the logd socket, and
-# su/heapprofd/traced_perf on eng/userdebug. This is because
-# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
-# Think twice before changing.
+# Only allow app_zygote to talk to the logd socket, and su on eng/userdebug.
+# This is because cap_setuid/cap_setgid allow to forge uid/gid in
+# SCM_CREDENTIALS. Think twice before changing.
neverallow app_zygote {
domain
-app_zygote
-logd
-system_server
userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
}:unix_dgram_socket *;
neverallow app_zygote {
@@ -161,8 +158,6 @@
-app_zygote
-prng_seeder
userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
}:unix_stream_socket *;
# Never allow ptrace
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 321e938..d79d2f8 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -30,6 +30,7 @@
;; mapping file compiles with vendor policies without exported_audio_prop type.
(typeattribute exported_audio_prop_28_0)
+;; mapping information from ToT policy's types to 28.0 policy's types.
(expandtypeattribute (accessibility_service_28_0) true)
(expandtypeattribute (account_service_28_0) true)
(expandtypeattribute (activity_service_28_0) true)
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 2e85b23..783950c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
+;; will be compiled along with other normal policy files, on 28.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e7ddf48..7213f95 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 28.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5dba020..7315687 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -14,6 +14,7 @@
(type sysfs_mac_address)
(type wificond_service)
+;; mapping information from ToT policy's types to 29.0 policy's types.
(expandtypeattribute (accessibility_service_29_0) true)
(expandtypeattribute (account_service_29_0) true)
(expandtypeattribute (activity_service_29_0) true)
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index ccd9d1a..0bb2ae8 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 29.0 vendors.
+;; will be compiled along with other normal policy files, on 29.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1079046..e40888d 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 29.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44044fb..83d83ff 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -21,6 +21,7 @@
(typeattribute binder_in_vendor_violators)
+;; mapping information from ToT policy's types to 30.0 policy's types.
(expandtypeattribute (DockObserver_service_30_0) true)
(expandtypeattribute (IProxyService_service_30_0) true)
(expandtypeattribute (accessibility_service_30_0) true)
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 97c5874..b8bd755 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
+;; will be compiled along with other normal policy files, on 30.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ba0a494..0a3d2e9 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 30.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 0e90912..b0df314 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -9,6 +9,7 @@
(type vr_hwc)
(type vr_hwc_exec)
+;; mapping information from ToT policy's types to 31.0 policy's types.
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
(expandtypeattribute (aac_drc_prop_31_0) true)
diff --git a/private/compat/31.0/31.0.compat.cil b/private/compat/31.0/31.0.compat.cil
index 628abfc..787c92a 100644
--- a/private/compat/31.0/31.0.compat.cil
+++ b/private/compat/31.0/31.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
+;; will be compiled along with other normal policy files, on 31.0 vendors.
+;;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index a5a3475..0e39f3e 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 31.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index 3672436..171f0ad 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -9,6 +9,7 @@
(type vr_hwc)
(type vr_hwc_exec)
+;; mapping information from ToT policy's types to 32.0 policy's types.
(expandtypeattribute (DockObserver_service_32_0) true)
(expandtypeattribute (IProxyService_service_32_0) true)
(expandtypeattribute (aac_drc_prop_32_0) true)
diff --git a/private/compat/32.0/32.0.compat.cil b/private/compat/32.0/32.0.compat.cil
index 628abfc..00ac11f 100644
--- a/private/compat/32.0/32.0.compat.cil
+++ b/private/compat/32.0/32.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
+;; will be compiled along with other normal policy files, on 32.0 vendors.
+;;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index d810e0a..ec2a16d 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 32.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index d75b0fc..56da496 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -19,6 +19,7 @@
(type wpantund_service)
(type zoneinfo_data_file)
+;; mapping information from ToT policy's types to 33.0 policy's types.
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
(expandtypeattribute (aac_drc_prop_33_0) true)
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 628abfc..53ee8ff 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
+;; will be compiled along with other normal policy files, on 33.0 vendors.
+;;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ede2284..30a7e35 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 33.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
@@ -9,11 +9,15 @@
apex_ready_prop
artd
bt_device
+ build_attestation_prop
credential_service
+ device_as_webcam
device_config_camera_native_prop
+ device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
devicelock_service
+ fwk_altitude_service
fwk_camera_service
fwk_sensor_service
grammatical_inflection_service
@@ -32,10 +36,13 @@
hal_wifi_service
healthconnect_service
hypervisor_restricted_prop
+ isolated_compute_app
keystore_config_prop
ntfs
+ ondevicepersonalization_system_service
permissive_mte_prop
prng_seeder
+ recovery_usb_config_prop
remote_provisioning_service
rkpdapp
servicemanager_prop
@@ -43,6 +50,7 @@
timezone_metadata_prop
tuner_config_prop
tuner_server_ctl_prop
+ usb_uvc_enabled_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
hal_gatekeeper_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 31f0128..bc6020e 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -30,13 +30,16 @@
}:process { ptrace signal sigchld sigstop sigkill };
')
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
+
###
### neverallow assertions
###
-# ptrace neverallow assertions are spread throughout the other policy
-# files, so we avoid adding redundant assertions here
-
+# sigchld not explicitly forbidden since it's part of the
+# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
@@ -54,11 +57,7 @@
vendor_init
vold
userdebug_or_eng(`-vold')
-}:process { signal sigstop sigkill };
+}:process { ptrace signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/device_as_webcam.te b/private/device_as_webcam.te
new file mode 100644
index 0000000..98c91c2
--- /dev/null
+++ b/private/device_as_webcam.te
@@ -0,0 +1,21 @@
+# Domain for DeviceAsWebcam Service
+type device_as_webcam, domain, coredomain, mlstrustedsubject;
+
+app_domain(device_as_webcam)
+
+allow device_as_webcam system_app_data_file:dir create_dir_perms;
+allow device_as_webcam system_app_data_file:file create_file_perms;
+
+allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
+
+# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
+# enale/disable itself
+get_prop(device_as_webcam, usb_uvc_enabled_prop)
+
+# need to access /dev to list all devices
+allow device_as_webcam device:dir r_dir_perms;
+
+# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
+# be accessed by the DeviceAsWebcam Service.
+allow device_as_webcam video_device:dir r_dir_perms;
+allow device_as_webcam video_device:chr_file rw_file_perms;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 8eb1d29..ca715c1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -45,6 +45,10 @@
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
+# dexoptanalyzer checks the DM files next to dex files. We don't need this check
+# for secondary dex files, but it's not harmful. Just deny it and ignore it.
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
+
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/domain.te b/private/domain.te
index e0ba975..b858d4e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -12,44 +12,49 @@
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
-# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
-})')
-# As above, allow perf profiling most processes on debug builds.
-# zygote is excluded as system-wide profiling could end up with it
-# (unexpectedly) holding an open fd across a fork.
-userdebug_or_eng(`can_profile_perf({
+# See private/crash_dump.te
+define(`dumpable_domain',`{
domain
+ -apexd
-bpfloader
+ -crash_dump
+ -crosvm # TODO(b/236672526): Remove exception for crosvm
+ -diced
-init
-kernel
-keystore
-llkd
-logd
+ -ueventd
+ -vendor_init
+ -vold
+}')
+
+# Allow heap profiling by heapprofd.
+# Zygotes are excluded due to potential issues with holding open file
+# descriptors or other state across forks. Other exclusions conflict with
+# neverallows, and are not considered important to profile.
+can_profile_heap({
+ dumpable_domain
+ -app_zygote
+ -hal_configstore
-logpersist
-recovery
-recovery_persist
-recovery_refresh
- -ueventd
- -vendor_init
- -vold
+ -webview_zygote
-zygote
-})')
+})
+
+# Allow profiling using perf_event_open by traced_perf.
+can_profile_perf({
+ dumpable_domain
+ -app_zygote
+ -hal_configstore
+ -webview_zygote
+ -zygote
+})
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
@@ -82,6 +87,7 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
# For now, everyone can access core property files
@@ -134,7 +140,7 @@
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
-get_prop({domain -untrusted_app_all -isolated_app -ephemeral_app }, userdebug_or_eng_prop)
+get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
@@ -217,8 +223,18 @@
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+neverallow {
+ domain
+ -init
+ -system_server
+ userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+ userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
@@ -555,9 +571,9 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced')
- userdebug_or_eng(`-traced_perf')
+ -heapprofd
+ -traced
+ -traced_perf
});
')
@@ -728,7 +744,7 @@
# traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
- isolated_app
+ isolated_app_all
ephemeral_app
priv_app
sdk_sandbox
@@ -736,3 +752,6 @@
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
+
+# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index fe442b3..850b0d8 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -27,6 +27,12 @@
allow dumpstate wm_trace_data_file:file r_file_perms;
')
+# /data/system/dropbox for dropbox entries
+userdebug_or_eng(`
+ allow dumpstate dropbox_data_file:dir r_dir_perms;
+ allow dumpstate dropbox_data_file:file r_file_perms;
+')
+
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3b916e2..9f2b1d5 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,14 +45,6 @@
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(ephemeral_app)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(ephemeral_app)
-can_profile_perf(ephemeral_app)
-
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
diff --git a/private/file.te b/private/file.te
index e33469f..539e63e 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,7 +13,7 @@
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
@@ -130,3 +130,6 @@
# write permission on this to connect, and needs to be mlstrustedobject
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
+
+# /sys/firmware/devicetree/base/avf
+type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 7ce80ae..4c3f108 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -224,7 +224,6 @@
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -494,6 +493,7 @@
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 0cc450d..cc4a5ca 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -26,6 +26,7 @@
set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_boot_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6fa98ea..77e3954 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 8795798..cd05a65 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -149,6 +149,9 @@
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
+# Allow GMSCore to read RKP properties for the purpose of GTS testing.
+get_prop(gmscore_app, remote_prov_prop)
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 36d2938..1b41823 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,14 +1,4 @@
# Android heap profiling daemon. go/heapprofd.
-#
-# On user builds, this daemon is responsible for receiving the initial
-# profiling configuration, finding matching target processes (if profiling by
-# process name), and sending the activation signal to them (+ setting system
-# properties for new processes to start profiling from startup). When profiling
-# is triggered in a process, it spawns a private heapprofd subprocess (in its
-# own SELinux domain), which will exclusively handle profiling of its parent.
-#
-# On debug builds, this central daemon performs profiling for all target
-# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;
@@ -56,23 +46,28 @@
# For checking profileability.
allow heapprofd packages_list_file:file r_file_perms;
-# This is going to happen on user but is benign because central heapprofd
-# does not actually need these permission.
-# If the dac_read_search capability check is rejected, the kernel then tries
-# to perform a dac_override capability check, so we need to dontaudit that
-# as well.
-dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
-
+# Never allow profiling privileged or otherwise incompatible domains.
+# Corresponding allow-rule is in private/domain.te.
never_profile_heap(`{
+ apexd
+ app_zygote
bpfloader
+ diced
+ hal_configstore
init
kernel
keystore
llkd
logd
+ logpersist
+ recovery
+ recovery_persist
+ recovery_refresh
ueventd
vendor_init
vold
+ webview_zygote
+ zygote
}')
full_treble_only(`
diff --git a/private/incidentd.te b/private/incidentd.te
index c1314a8..e86b3bf 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -193,6 +193,9 @@
get_prop(incidentd, last_boot_reason_prop);
')
+# Allow incident to read the build properties for attestation feature
+get_prop(incidentd, build_attestation_prop);
+
###
### neverallow rules
###
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 828ffb1..9d0fd73 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -1,36 +1,24 @@
###
-### Services with isolatedProcess=true in their manifest.
+### isolated_apps.
###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
+### This file defines the rules for isolated apps that does not wish to use
+### service managers and does not require extra computational resources.
###
typeattribute isolated_app coredomain;
app_domain(isolated_app)
+isolated_app_domain(isolated_app)
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
+allow isolated_app webviewupdate_service:service_manager find;
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
+# neverallow rules in isolated_app_all attribute.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
@@ -46,108 +34,3 @@
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
-
-# Inherit FDs from the app_zygote.
-allow isolated_app app_zygote:fd use;
-# Notify app_zygote of child death.
-allow isolated_app app_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app app_zygote:unix_dgram_socket write;
-
-# TODO (b/63631799) fix this access
-# suppress denials to /data/local/tmp
-dontaudit isolated_app shell_data_file:dir search;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app)
-can_profile_perf(isolated_app)
-
-#####
-##### Neverallow
-#####
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app hwbinder_device:chr_file *;
-neverallow isolated_app *:hwservice_manager *;
-
-# Isolated apps must not be permitted to use VndBinder
-neverallow isolated_app vndbinder_device:chr_file *;
-
-# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
-neverallow isolated_app *:service_manager ~find;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
- sysfs_type
- -sysfs_devices_system_cpu
- -sysfs_transparent_hugepage
- -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
- -sysfs_fs_incfs_features
-}:file no_rw_file_perms;
-
-# No creation of sockets families other than AF_UNIX sockets.
-# List taken from system/sepolicy/public/global_macros - socket_class_set
-# excluding unix_stream_socket and unix_dgram_socket.
-# Many of these are socket families which have never and will never
-# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
- key_socket appletalk_socket netlink_route_socket
- netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
- netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
- netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
- netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
- netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
- rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
- ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
- qipcrtr_socket smc_socket xdp_socket
-} create;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
new file mode 100644
index 0000000..bb9da6c
--- /dev/null
+++ b/private/isolated_app_all.te
@@ -0,0 +1,120 @@
+###
+### isolated_app_all.
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules shared by all isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
+
+allow isolated_app_all activity_service:service_manager find;
+allow isolated_app_all display_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app_all self:process ptrace;
+
+# Inherit FDs from the app_zygote.
+allow isolated_app_all app_zygote:fd use;
+# Notify app_zygote of child death.
+allow isolated_app_all app_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app_all app_zygote:unix_dgram_socket write;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app_all shell_data_file:dir search;
+
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app_all anr_data_file:file ~{ open append };
+neverallow isolated_app_all anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
+neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app_all vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services allowlisted below.
+neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service, webviewupdate_service.
+neverallow { isolated_app_all -isolated_compute_app } {
+ service_manager_type
+ -activity_service
+ -display_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_apps access to /cache
+neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app_all cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app_all to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
+neverallow isolated_app_all { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app_all { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map };
+
+# Do not allow USB access
+neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app_all webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_app_all can access. This is important
+# for controlling isolated_app_all attack surface.
+# TODO (b/266555480): The permission should be guarded by compliance test.
+# Remove the negation for member domains when refactorization is done.
+neverallow { isolated_app_all -isolated_compute_app } {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_transparent_hugepage
+ -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
+ -sysfs_fs_incfs_features
+}:file no_rw_file_perms;
+
+# No creation of sockets families other than AF_UNIX sockets.
+# List taken from system/sepolicy/public/global_macros - socket_class_set
+# excluding unix_stream_socket and unix_dgram_socket.
+# Many of these are socket families which have never and will never
+# be compiled into the Android kernel.
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+ key_socket appletalk_socket netlink_route_socket
+ netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+ netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
+ netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
+ netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
+ netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
+ rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
+ ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
+ qipcrtr_socket smc_socket xdp_socket
+} create;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
new file mode 100644
index 0000000..bde6195
--- /dev/null
+++ b/private/isolated_compute_app.te
@@ -0,0 +1,50 @@
+###
+### isolated_compute_apps.
+###
+### This file defines the rules for isolated apps that requires the permission
+### to gather data with service manager and require computational resources to
+### improve the performance to process data under a sandbox. This
+### isolated_compute_app restricts data egress to protect the privacy.
+###
+### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
+###
+type isolated_compute_app, domain;
+
+typeattribute isolated_compute_app coredomain;
+
+app_domain(isolated_compute_app)
+isolated_app_domain(isolated_compute_app)
+
+allow isolated_compute_app audioserver_service:service_manager find;
+allow isolated_compute_app cameraserver_service:service_manager find;
+allow isolated_compute_app content_capture_service:service_manager find;
+allow isolated_compute_app device_state_service:service_manager find;
+allow isolated_compute_app speech_recognition_service:service_manager find;
+allow isolated_compute_app mediaserver_service:service_manager find;
+
+# Enable access to hardware services for camera functionalilites
+hal_client_domain(isolated_compute_app, hal_allocator)
+hwbinder_use(isolated_compute_app)
+
+allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_compute_app to access hardware service except for the
+# ones necessary for camera service.
+# TODO (b/266555480): The permission should be guarded by compliance test.
+# Remove the negation for member domains when refactorization is done.
+# neverallow isolated_compute_app {
+# hwservice_manager_type
+# -hal_graphics_allocator_hwservice
+# -hal_graphics_mapper_hwservice
+# -hidl_allocator_hwservice
+# -hidl_manager_hwservice
+# -hidl_memory_hwservice
+# }:hwservice_manager *;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 6fe460c..aaf49f6 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -18,3 +18,8 @@
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
+
+# Needed for stats callback registration to statsd.
+allow mediaserver stats_service:service_manager find;
+allow mediaserver statsmanager_service:service_manager find;
+binder_call(mediaserver, statsd)
diff --git a/private/platform_app.te b/private/platform_app.te
index f14e52d..5d16d85 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -57,6 +57,12 @@
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
+# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app wm_trace_data_file:dir rw_dir_perms;
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
@@ -109,9 +115,6 @@
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
-# Allow platform apps to act as Perfetto producers.
-perfetto_producer(platform_app)
-
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 8c965fc..cfd8721 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -126,20 +126,12 @@
read_runtime_log_tags(priv_app)
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(priv_app)
-
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow priv_app incident_service:service_manager find;
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(priv_app)
-can_profile_perf(priv_app)
-
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
diff --git a/private/property.te b/private/property.te
index c4351d1..4f806d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -681,3 +681,16 @@
domain
-init
} log_file_logger_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} usb_uvc_enabled_prop:property_service set;
+
+# Disallow non system apps from reading ro.usb.uvc.enabled
+neverallow {
+ appdomain
+ -system_app
+ -device_as_webcam
+} usb_uvc_enabled_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 5611290..fdc6f89 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -268,6 +268,7 @@
persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native_boot. u:object_r:device_config_memory_safety_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
# F2FS smart idle maint prop
@@ -494,13 +495,18 @@
media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
-persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
-persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
-persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
-persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
+persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.snooplogfilter.headers.enabled u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.snooplogfilter.profiles.a2dp.enabled u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.snooplogfilter.profiles.map u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
+persist.bluetooth.snooplogfilter.profiles.pbap u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
+persist.bluetooth.snooplogfilter.profiles.rfcomm.enabled u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
@@ -513,6 +519,7 @@
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.core.gap.le.conn.only_init_1m_phy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.le_audio.inband_ringtone.supported u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -577,6 +584,9 @@
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
+persist.nfc.vendor_debug_enabled u:object_r:nfc_prop:s0 exact bool
+persist.nfc.snoop_log_mode u:object_r:nfc_prop:s0 exact enum full filtered
+nfc.dta.skip_ndef_read u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
@@ -702,6 +712,10 @@
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
+ro.recovery.usb.vid u:object_r:recovery_usb_config_prop:s0 exact string
+ro.recovery.usb.adb.pid u:object_r:recovery_usb_config_prop:s0 exact string
+ro.recovery.usb.fastboot.pid u:object_r:recovery_usb_config_prop:s0 exact string
+
ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
@@ -1063,6 +1077,11 @@
ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
+# build props for attestation feature are set by property_service
+ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
@@ -1343,6 +1362,9 @@
# Graphics related properties
ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+ro.egl.blobcache.multifile u:object_r:graphics_config_prop:s0 exact bool
+ro.egl.blobcache.multifile_limit u:object_r:graphics_config_prop:s0 exact int
+
ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
@@ -1501,3 +1523,6 @@
# Adaptive haptics settings property
vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
+
+# UVC Gadget property
+ro.usb.uvc.enabled u:object_r:usb_uvc_enabled_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index a0e77a2..cfcf2a4 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -49,6 +49,7 @@
-debug_prop
-debuggerd_prop
-default_prop
+ -device_config_memory_safety_native_boot_prop
-device_config_memory_safety_native_prop
-device_config_nnapi_native_prop
-device_config_runtime_native_boot_prop
@@ -217,14 +218,6 @@
allow sdk_sandbox shell_data_file:file r_file_perms;
allow sdk_sandbox shell_data_file:dir r_dir_perms;
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
-
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d950c3d..24e58bf 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -11,6 +11,7 @@
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
+# isIsolatedComputeApp (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -40,6 +41,11 @@
# it has a default value of 0.
# fromRunAs=true means the process being labeled is started by run-as. Default
# is false.
+# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
+# restricted to run in an isolated_app domain. Processes match this selector will
+# be mapped to isolated_compute_app by default. It is expected to be used together
+# with user=_isolated. This selector should not be used unless it is intended
+# to provide isolated processes with relaxed security restrictions.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
@@ -57,6 +63,7 @@
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
+# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -122,9 +129,12 @@
# neverallow non-isolated uids into isolated_app domain
# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
neverallow user=((?!_isolated).)* domain=isolated_app
+# neverallow isolatedComputeApp into domains other than isolated_compute_app
+neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
+
# uid shell should always be in shell domain, however non-shell
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
@@ -144,6 +154,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
+user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
@@ -153,6 +164,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
+user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
@@ -161,7 +173,9 @@
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
@@ -179,4 +193,3 @@
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
-
diff --git a/private/service_contexts b/private/service_contexts
index 8de1d42..6af5eab 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,5 @@
android.frameworks.cameraservice.service.ICameraService/default u:object_r:fwk_camera_service:s0
+android.frameworks.location.altitude.IAltitudeService/default u:object_r:fwk_altitude_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
@@ -312,6 +313,7 @@
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
oem_lock u:object_r:oem_lock_service:s0
+ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
otadexopt u:object_r:otadexopt_service:s0
overlay u:object_r:overlay_service:s0
pac_proxy u:object_r:pac_proxy_service:s0
diff --git a/private/stats.te b/private/stats.te
index c784145..89b9488 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -45,6 +45,7 @@
-incidentd
-keystore
-mediametrics
+ -mediaserver
-platform_app
-priv_app
-rkpdapp
diff --git a/private/system_app.te b/private/system_app.te
index 3b92c0f..e2bec30 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,8 +177,8 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
-# Allow system apps to act as Perfetto producers.
-perfetto_producer(system_app)
+# Settings app reads ro.usb.uvc.enabled
+get_prop(system_app, usb_uvc_enabled_prop)
###
### Neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 53acab0..4e5b2e8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -421,7 +421,9 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
-userdebug_or_eng(`perfetto_producer({ system_server })')
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(system_server)
# Get file context
allow system_server file_contexts_file:file r_file_perms;
@@ -760,6 +762,7 @@
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fcd4fe7..27ea187 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -7,9 +7,9 @@
; Apps, except isolated apps, are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute { appdomain -isolated_app_all } hal_allocator_client;
; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
(typeattributeset halclientdomain (hal_allocator_client))
; Apps, except isolated apps, are clients of OMX-related services
@@ -22,12 +22,12 @@
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+; typeattribute { appdomain -isolated_app_all } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app_all))))))
; Apps, except isolated apps, are clients of Graphics Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
@@ -36,8 +36,8 @@
; Apps, except isolated apps, are clients of Cas HAL
; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+; typeattribute { appdomain -isolated_app_all } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app_all))))))
; Domains hosting Camera HAL implementations are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
@@ -46,8 +46,8 @@
; Apps, except isolated apps, are clients of Neuralnetworks HAL
; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+; typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app_all))))))
; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 811bf48..080b6fe 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -60,9 +60,14 @@
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
-# Never allow profiling highly privileged processes.
+# Never allow profiling privileged or otherwise incompatible domains.
+# Corresponding allow-rule is in private/domain.te.
never_profile_perf(`{
+ apexd
+ app_zygote
bpfloader
+ diced
+ hal_configstore
init
kernel
keystore
@@ -71,4 +76,6 @@
ueventd
vendor_init
vold
+ webview_zygote
+ zygote
}')
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 8c7fe7a..f666cc8 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -129,14 +129,6 @@
allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(untrusted_app_all)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(untrusted_app_all)
-can_profile_perf(untrusted_app_all)
-
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app_all system_server:udp_socket {
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 4cd32b7..946c783 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -69,6 +69,10 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
+# Allow virtualizationservice to read AVF debug policy
+allow virtualizationmanager sysfs_dt_avf:dir search;
+allow virtualizationmanager sysfs_dt_avf:file { open read };
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/private/zygote.te b/private/zygote.te
index 0df84db..9c47468 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -195,6 +195,9 @@
allow zygote same_process_hal_file:file { execute read open getattr map };
+# Allow zygote to read build properties for attestation feature
+get_prop(zygote, build_attestation_prop)
+
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
get_prop(zygote, storage_config_prop);
diff --git a/public/app.te b/public/app.te
index 9ce0255..da59f32 100644
--- a/public/app.te
+++ b/public/app.te
@@ -21,16 +21,6 @@
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
diff --git a/public/attributes b/public/attributes
index 5509813..4897be5 100644
--- a/public/attributes
+++ b/public/attributes
@@ -206,6 +206,9 @@
# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;
+# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
+attribute isolated_app_all;
+
# All domains used for apps with network access.
attribute netdomain;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 7d4d150..8867a8d 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,8 +34,6 @@
-prng_seeder
userdebug_or_eng(`-su')
-tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 444cfda..29abe4f 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-binder_call(hal_fingerprint_server, servicemanager)
+binder_use(hal_fingerprint_server)
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index 45bfdbe..c0df9a9 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -14,3 +14,6 @@
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
+
+# Read access to ro.usb.uvc.enabled
+get_prop(hal_usb_gadget_server, usb_uvc_enabled_prop)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 65cd4a1..367012c 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -66,6 +66,9 @@
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)
+# Needed for mediaserver to send information to statsd socket.
+unix_socket_send(mediaserver, statsdw, statsd)
+
add_service(mediaserver, mediaserver_service)
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
diff --git a/public/property.te b/public/property.te
index 346cd77..c41aa91 100644
--- a/public/property.te
+++ b/public/property.te
@@ -130,6 +130,7 @@
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
system_vendor_config_prop(bluetooth_config_prop)
+system_vendor_config_prop(build_attestation_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
@@ -164,6 +165,7 @@
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(recovery_usb_config_prop)
system_vendor_config_prop(sendbug_config_prop)
system_vendor_config_prop(soc_prop)
system_vendor_config_prop(storage_config_prop)
@@ -187,6 +189,7 @@
system_vendor_config_prop(zygote_config_prop)
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
+system_vendor_config_prop(usb_uvc_enabled_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
@@ -202,6 +205,7 @@
system_public_prop(ctl_stop_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
+system_public_prop(device_config_memory_safety_native_boot_prop)
system_public_prop(device_config_memory_safety_native_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
diff --git a/public/service.te b/public/service.te
index 154ebb9..3d3d98a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type mediatranscoding_service, app_api_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
+type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
type radio_service, service_manager_type;
type remotelyprovisionedkeypool_service, service_manager_type;
type remoteprovisioning_service, service_manager_type;
@@ -131,6 +132,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index 1a09586..31d033f 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -40,6 +40,10 @@
allow statsd mediametrics_service:service_manager find;
binder_call(statsd, mediametrics)
+# Allow statsd to interact with mediametrics
+allow statsd mediaserver_service:service_manager find;
+binder_call(statsd, mediaserver)
+
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/su.te b/public/su.te
index 3473e74..bcdc322 100644
--- a/public/su.te
+++ b/public/su.te
@@ -31,7 +31,7 @@
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type fusefs_type}:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/te_macros b/public/te_macros
index ad86a19..63805de 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -233,6 +233,13 @@
')
#####################################
+# isolated_app_domain(domain)
+# Allow a base set of permissions required for all isolated apps.
+define(`isolated_app_domain', `
+typeattribute $1 isolated_app_all;
+')
+
+#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
diff --git a/tests/fix_policies.sh b/tests/fix_policies.sh
new file mode 100755
index 0000000..6011829
--- /dev/null
+++ b/tests/fix_policies.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $0 <directory>"
+ exit 1
+fi
+
+directory=$1
+
+# This fixes the Neverallow test involving policy violations of isolated_compute_app
+function fix_isolated_policies
+{
+ # Replace make sure we don't wrongly replace the existing occurrence
+ find "$directory" -name "*.te" -print0 | xargs -0 sed -i 's/-\s*isolated_app_all/-isolated_app/g'
+
+ # Replacement
+ find "$directory" -name "*.te" -print0 | xargs -0 sed -i 's/-\s*isolated_app/-isolated_app_all/g'
+
+ echo "Successfully replaced all occurrences of '-isolated_app' to '-isolated_app_all'!"
+}
+
+fix_isolated_policies
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 7795e3a..e57a6b3 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -213,6 +213,7 @@
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index ca5ae91..cd61c9a 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -29,9 +29,13 @@
"""This tool generates a mapping file for {ver} core sepolicy."""
temp_dir = ''
-compat_cil_template = ";; This file can't be empty.\n"
-ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
+mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n"
+compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors.
+;; will be compiled along with other normal policy files, on %s vendors.
+;;
+"""
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in %s policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
@@ -484,16 +488,17 @@
f.write(';; types removed from current policy\n')
f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
f.write('\n\n')
+ f.write(mapping_cil_footer % args.target_version)
f.write(mapping_file_cil.unparse())
with open(target_compat_file, 'w') as f:
logging.info('writing %s' % target_compat_file)
- f.write(compat_cil_template)
+ f.write(compat_cil_template % (args.target_version, args.target_version))
with open(target_ignore_file, 'w') as f:
logging.info('writing %s' % target_ignore_file)
f.write(ignore_cil_template %
- ('\n '.join(sorted(target_ignored_types))))
+ (args.target_version, '\n '.join(sorted(target_ignored_types))))
finally:
logging.info('Deleting temporary dir: {}'.format(temp_dir))
shutil.rmtree(temp_dir)