commit 90d117d661e8d740c8c6459d3aa26e3580ddf0a4
author Pomai Ahlo <poahlo@google.com> Thu Dec 08 17:32:38 2022 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Dec 08 17:32:38 2022 +0000
tree 79711d8bc41a91011f6e7a06d79a73d3aad602cb
parent e8a09e2480f383abcb6314120fee7acbe544f76a
parent ff82b77ae8ac64ab5162ef77d9a4f5ad22ecb3c1

Merge "[ISap hidl2aidl] Add ISap to sepolicy"

build/soong/policy.go

diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
 
 	// Whether this module is directly installable to one of the partitions. Default is true
 	Installable *bool
+
+	// List of domains that are allowed to be in permissive mode on user builds.
+	Permissive_domains_on_user_builds []string
 }
 
 type policyBinary struct {
@@ -512,11 +515,19 @@
 	// permissive check is performed only in user build (not debuggable).
 	if !ctx.Config().Debuggable() {
 		permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
-		rule.Command().BuiltTool("sepolicy-analyze").
+		cmd := rule.Command().BuiltTool("sepolicy-analyze").
 			Input(bin).
-			Text("permissive").
-			Text(" > ").
-			Output(permissiveDomains)
+			Text("permissive")
+		// Filter-out domains listed in permissive_domains_on_user_builds
+		allowedDomains := c.properties.Permissive_domains_on_user_builds
+		if len(allowedDomains) != 0 {
+			cmd.Text("| { grep -Fxv")
+			for _, d := range allowedDomains {
+				cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+			}
+			cmd.Text(" || true; }") // no match doesn't fail the cmd
+		}
+		cmd.Text(" > ").Output(permissiveDomains)
 		rule.Temporary(permissiveDomains)
 
 		msg := `==========\n` +

build/soong/service_fuzzer_bindings.go

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9c67211..7f6d98d 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -344,6 +344,7 @@
 		"rcs":                          EXCEPTION_NO_FUZZER,
 		"reboot_readiness":             EXCEPTION_NO_FUZZER,
 		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_provisioning":          EXCEPTION_NO_FUZZER,
 		"resolver":                     EXCEPTION_NO_FUZZER,
 		"resources":                    EXCEPTION_NO_FUZZER,
 		"restrictions":                 EXCEPTION_NO_FUZZER,

microdroid/Android.bp

diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index d1dcff0..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
         ":microdroid_vendor_sepolicy.cil",
     ],
     installable: false,
+
+    // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+    // This is to support fully debuggable VMs on user builds. This is safe
+    // because we don't start adbd at all on non-debuggable VMs.
+    permissive_domains_on_user_builds: ["su"],
 }
 
 genrule {

microdroid/system/private/adbd.te

diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
 
 domain_auto_trans(adbd, shell_exec, shell)
 
-userdebug_or_eng(`
-  allow adbd self:process setcurrent;
-  allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
 
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
@@ -55,3 +57,6 @@
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };

microdroid/system/private/domain.te

diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 04a9859..7d4fc8a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -418,11 +418,6 @@
 # Feature parity with Chromium LSM.
 neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
 
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
 neverallow { domain -init } proc:{ file dir } mounton;
 
 # Ensure that all types assigned to processes are included

microdroid/system/private/genfs_contexts

diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 40decfe..ce28471 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -42,7 +42,6 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0

microdroid/system/private/su.te

diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
-  typeattribute su coredomain;
+typeattribute su coredomain;
 
-  domain_auto_trans(shell, su_exec, su)
-
-  # su is also permissive to permit setenforce.
-  permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;

microdroid/system/public/file.te

diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5616160..fe269d7 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -89,7 +89,6 @@
 type proc_drop_caches, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;

microdroid/system/public/su.te

diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index dbb3158..152de51 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,43 +2,38 @@
 # after performing an adb root command.
 
 # All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
 type su, domain;
 
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
+# Add su to various domains
+net_domain(su)
 
-userdebug_or_eng(`
-  # Add su to various domains
-  net_domain(su)
-
-  dontaudit su self:capability_class_set *;
-  dontaudit su self:capability2 *;
-  dontaudit su kernel:security *;
-  dontaudit su { kernel file_type }:system *;
-  dontaudit su self:memprotect *;
-  dontaudit su domain:{ process process2 } *;
-  dontaudit su domain:fd *;
-  dontaudit su domain:dir *;
-  dontaudit su domain:lnk_file *;
-  dontaudit su domain:{ fifo_file file } *;
-  dontaudit su domain:socket_class_set *;
-  dontaudit su domain:ipc_class_set *;
-  dontaudit su domain:key *;
-  dontaudit su fs_type:filesystem *;
-  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-  dontaudit su node_type:node *;
-  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-  dontaudit su netif_type:netif *;
-  dontaudit su port_type:socket_class_set *;
-  dontaudit su port_type:{ tcp_socket dccp_socket } *;
-  dontaudit su domain:peer *;
-  dontaudit su domain:binder *;
-  dontaudit su property_type:property_service *;
-  dontaudit su property_type:file *;
-  dontaudit su domain:drmservice *;
-  dontaudit su unlabeled:filesystem *;
-  dontaudit su domain:bpf *;
-  dontaudit su unlabeled:vsock_socket *;
-  dontaudit su self:perf_event *;
-')
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;

private/bpfloader.te

diff --git a/private/bpfloader.te b/private/bpfloader.te
index 5f8cfa3..a0a5cfa 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,26 +27,29 @@
 ###
 
 # Note: we don't care about getattr/mounton/search
-neverallow { domain } bpffs_type:dir { open read setattr };
+neverallow { domain            } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
-neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
-neverallow { domain -bpfloader } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
+neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
 neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
 neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
 neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   read;
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     read;
 neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
+# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file *;
+
 neverallow {
   domain
   -bpfloader

private/compat/33.0/33.0.ignore.cil

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 45bca3d..786dc14 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -29,6 +29,7 @@
     ntfs
     permissive_mte_prop
     prng_seeder
+    remote_provisioning_service
     rkpdapp
     servicemanager_prop
     system_net_netd_service

private/file.te

diff --git a/private/file.te b/private/file.te
index 60e2274..134b377 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
 type fs_bpf_net_shared, fs_type, bpffs_type;
 type fs_bpf_netd_readonly, fs_type, bpffs_type;
 type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;

private/fsverity_init.te

diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index e069233..2e5089c 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -11,9 +11,6 @@
 allow fsverity_init kernel:key { view search write setattr };
 allow fsverity_init fsverity_init:key { view search write };
 
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
 # Read the on-device signing certificate, to be able to add it to the keyring
 allow fsverity_init odsign:fd use;
 allow fsverity_init odsign_data_file:file { getattr read };

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29d8561..d0af186 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,7 +395,9 @@
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index 0af0165..4f907d1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -322,6 +322,7 @@
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 3a7dd8a..a967dcf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;

public/attributes

diff --git a/public/attributes b/public/attributes
index ae610e6..0478874 100644
--- a/public/attributes
+++ b/public/attributes
@@ -399,6 +399,7 @@
 attribute camera_service_server;
 attribute display_service_server;
 attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;

public/keystore.te

diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)
 
@@ -17,6 +18,7 @@
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)

public/remote_provisioning_service_server.te

diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)

public/service.te

diff --git a/public/service.te b/public/service.te
index 9ca96bd..819498c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -194,6 +194,7 @@
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;

vendor/file_contexts

diff --git a/vendor/file_contexts b/vendor/file_contexts
index ee7458e..5b2df7e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -114,6 +114,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service                u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/install-recovery\.sh                              u:object_r:vendor_install_recovery_exec:s0