Merge "crosvm: netlink perms for acpi"
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index c86f862..002fb14 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -1,38 +1,8 @@
-# TODO(jiyong): clean this up
#############################
# Vendor files
#
(/.*)? u:object_r:vendor_file:s0
-/bin/sh u:object_r:vendor_shell_exec:s0
-/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/etc(/.*)? u:object_r:vendor_configs_file:s0
-/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
-/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
-
-/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/manifest\.xml u:object_r:vendor_configs_file:s0
-/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-/app(/.*)? u:object_r:vendor_app_file:s0
-/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
-/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ceb54b1..5a1d863 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adservices_manager_service
apexd_select_prop
artd_service
attestation_verification_service
@@ -13,6 +14,7 @@
charger_vendor
cloudsearch
cloudsearch_service
+ connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
dice_maintenance_service
diff --git a/private/init.te b/private/init.te
index 997a184..1405b9e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -105,6 +105,9 @@
# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;
+# Only init can set the ro.remote_provisioning.* props
+neverallow { domain -init } remote_prov_prop:property_service set;
+
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
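Review bot: The new `neverallow { domain -init } remote_prov_prop:property_service set;` also excludes `vendor_init`, and the `private/property.te` hunk declares the type with `system_internal_prop(remote_prov_prop)`. Together these make the `ro.remote_provisioning.*` flags settable only from the system side. If they are meant to be configured per device by the vendor (not visible in this diff), that configuration would presumably be rejected, so please confirm the intended owner. Either way the comment should name the source, for example `# Only init can set the ro.remote_provisioning.* props; they are build-time configuration and must not change at runtime.`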
diff --git a/private/keystore.te b/private/keystore.te
index 838712f..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -17,6 +17,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/property.te b/private/property.te
index 3f02c83..834d2df 100644
--- a/private/property.te
+++ b/private/property.te
@@ -31,6 +31,7 @@
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 04e77e4..d244108 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1249,6 +1249,10 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+# Store the URL that the provisioning code should point at.
+ro.remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+ro.remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
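Review bot: The added comment `# Store the URL that the provisioning code should point at.` does not describe the two entries under it. Both are `exact bool` flags named `rkp_only`, and the keystore.te hunk describes reading them to "check if the system is rkp only". A misleading comment on a security-relevant property invites misuse later, so I would replace it with something like `# Whether the TEE / StrongBox instance relies only on remotely provisioned keys.`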
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..b2b3987 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,7 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+get_prop(remote_prov_app, remote_prov_prop)
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
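Review bot: `get_prop(remote_prov_app, remote_prov_prop)` is added without a rationale, while the neighbouring `get_prop` rule and the matching keystore.te rule each carry one. Because `remote_prov_app` is also a `net_domain`, it is worth recording why a networked app needs this read. Assuming the purpose mirrors keystore's, a line such as `# Allow the app to check whether the device is RKP only.` above the rule would do.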
diff --git a/private/service_contexts b/private/service_contexts
index cac6ea8..ee5b6a9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -75,6 +75,7 @@
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
@@ -136,6 +137,7 @@
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
+connectivity_native u:object_r:connectivity_native_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 77cca3d..01956f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,6 +176,10 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
###
### Neverallow rules
###
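Review bot: `can_profile_heap(system_app)` and `can_profile_perf(system_app)` are granted unconditionally, so the profiling daemons get policy-level access to every `system_app` process on all build variants, including user builds. The only justification is `# TODO(b/217368496): remove this.`, which says neither why the grant is needed nor what limits it in the meantime. If it is a temporary debugging aid, wrap both macros in `userdebug_or_eng`. If it must apply to user builds, say so in the comment and name the userspace check that decides which processes may actually be profiled.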
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 730a45c..66d5ac4 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -43,6 +43,9 @@
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
+# Allow to read game_mode_intervention.list file.
+allow traced_probes game_mode_intervention_list_file:file r_file_perms;
+
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
@@ -144,6 +147,7 @@
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
+ -game_mode_intervention_list_file
}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
diff --git a/public/service.te b/public/service.te
index 4583186..dbd9bfa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -61,6 +61,7 @@
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
+type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -89,6 +90,7 @@
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
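Review bot: `connectivity_native_service` is declared with both `app_api_service` and `ephemeral_app_api_service`, which makes the new service reachable from ordinary and instant apps. By contrast, `adservices_manager_service` in the first hunk of this file is limited to `system_api_service`. Nothing in the diff shows which callers need the native connectivity service. Please confirm that untrusted and ephemeral apps are intended clients; if they are not, drop the attributes that are not required, starting with `ephemeral_app_api_service`. A short comment above the type naming the expected callers would make the exposure explicit.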