Merge "Add 202604 genfs labels" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7aaab4e..e6e220b 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -53,6 +53,7 @@
"android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
"android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.offload.leaudio.IHciProxy/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
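Review bot: The new IHciProxy entry on the added line opts the service out of fuzzing with EXCEPTION_NO_FUZZER without recording why, unlike the broadcastradio entries above it that name a concrete fuzzer binary. If the proxy parses HCI traffic arriving from a less trusted side, a fuzzer is the more defensible default; if an exception is genuinely justified, a trailing comment such as `// IHciProxy: no fuzzer yet, tracked by <bug placeholder>` keeps the exemption reviewable. The map literal this entry belongs to begins and ends outside the hunk.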
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index 77667ff..ecb21cb 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -12,3 +12,7 @@
# Let microdroid_manager kernel-log.
allow microdroid_app kmsg_device:chr_file w_file_perms;
allow microdroid_app kmsg_debug_device:chr_file w_file_perms;
+
+# Allow microdroid_manager to read /apex directory to learn about activated
+# APEXes. It uses this to create linker namespace links to those APEXes.
+allow microdroid_app apex_mnt_dir:dir r_dir_perms;
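Review bot: The added comment attributes the access to microdroid_manager while the rule is written for the microdroid_app domain, so a reader cannot tell whether microdroid_manager runs in microdroid_app or whether the wrong domain was granted. The pre-existing comment above has the same mismatch, which suggests the naming is deliberate; if so, say it once, e.g. `# microdroid_manager runs in the microdroid_app domain; let it read /apex to learn about activated APEXes`. r_dir_perms on apex_mnt_dir:dir is limited to listing and searching the directory, which matches the stated purpose.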
diff --git a/private/adbd.te b/private/adbd.te
index b87b319..c8226f3 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -228,3 +228,6 @@
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
+
+# allow adbd to check if an app is frozen
+allow adbd cgroup_v2:file read;
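Review bot: The added rule grants only `read` on cgroup_v2:file, with no `open` or `getattr`, so it only helps if adbd receives an already-open descriptor from another process; if adbd opens the cgroup freeze file itself, the open is still denied and the rule has no effect. Whichever is intended should be stated, because cgroup_v2 covers every file in the v2 hierarchy while the comment only mentions the frozen check, e.g. `# adbd reads cgroup.freeze via an fd passed from <placeholder> to check whether an app is frozen; open is deliberately not granted`. If adbd does open the file, `allow adbd cgroup_v2:file r_file_perms;` is the usual form.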
diff --git a/private/app.te b/private/app.te
index b9a6d85..b359663 100644
--- a/private/app.te
+++ b/private/app.te
@@ -6,6 +6,7 @@
appdomain
-ephemeral_app
-isolated_app_all
+ -network_stack
-platform_app
-priv_app
-shell
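Review bot: Adding `-network_stack` to the exclusion list here and again in the second hunk at line 20 removes a compile-time guarantee for that domain, and neither hunk records why; a short comment on the line, e.g. `-network_stack # needs proc_net_type, see network_stack.te`, would keep the carve-out auditable. Both neverallow statements begin before their hunks, so the class and permissions being carved out are not visible; the `r_dir_file(network_stack, proc_net_type)` grant elsewhere in this change suggests they are the proc_net rules. Confirm that both statements need the exclusion rather than only the one matching the new grant.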
@@ -19,6 +20,7 @@
appdomain
-ephemeral_app
-isolated_app_all
+ -network_stack
-platform_app
-priv_app
-shell
diff --git a/private/domain.te b/private/domain.te
index 31b544b..618258c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2274,5 +2274,26 @@
# ueventd needs write access to all sysfs files.
neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
-# We need to be able to rely on vsock labels, so disallow changing them.
-neverallow domain *:vsock_socket { relabelfrom relabelto };
+# virtmanager enforces access policy for which components can connect
+# to which VMs. If you have permissions to make direct connections, you
+# can talk to anything.
+starting_at_board_api(202504, `
+neverallow {
+ domain
+
+ # these are expected
+ -early_virtmgr
+ -virtualizationmanager
+ -virtualizationservice
+ -adbd_common # maybe should move to emulator/virtual device specific policy
+
+ # not expected, and defined outside of system/sepolicy.
+ # Note: this attribute is strongly recommended to be empty if not required.
+ -unconstrained_vsock_violators
+
+ # these are permissions that should be removed, and they are here for visibility.
+ -compos_fd_server # TODO: get connections from virtmanager
+ -hal_keymint_system # TODO: get connections from virtmanager
+ -vmlauncher_app # TODO: get connections from virtmanager
+} *:vsock_socket { connect create accept bind };
+')
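Review bot: The removed `neverallow domain *:vsock_socket { relabelfrom relabelto };` is not carried into the new rule, so relabelling vsock sockets is no longer forbidden at any board API level, and on boards below 202504 the new connect/create/accept/bind neverallow does not apply either, leaving no vsock neverallow at all. The deleted comment said the policy relies on vsock labels being stable; unless that guarantee now lives elsewhere, keep the old line unconditionally above the macro, or add `relabelfrom relabelto` to the new permission set. The `-adbd_common` and three TODO exclusions are at least documented as temporary; a bug reference next to each would make them easier to retire. The macro invocation starts and ends within this hunk.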
diff --git a/private/network_stack.te b/private/network_stack.te
index 4450e02..8a07245 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -51,6 +51,10 @@
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit network_stack self:key_socket getopt;
+# Allow network_stack to open/read/getattr various /proc/net files
+# (includes /proc/net/{anycast6,igmp,psched} /proc/sys/net/ipv4/ip_default_ttl)
+r_dir_file(network_stack, proc_net_type)
+
# Grant read permission of connectivity namespace system property prefix.
get_prop(network_stack, device_config_connectivity_prop)
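Review bot: The new `r_dir_file(network_stack, proc_net_type)` grants read on every type carrying the proc_net_type attribute, which is wider than the four paths the comment enumerates and wider than the plain `proc_net` type used elsewhere in this policy. If only those paths are needed, granting on `proc_net` or the specific types those paths carry would bound the exposure; if the attribute is intended, say so, e.g. `# proc_net_type attribute is deliberate: the set of files read varies by kernel`. This appears to be the grant the new `-network_stack` carve-outs in app.te exist for.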
diff --git a/private/service_contexts b/private/service_contexts
index c72f9b0..dec8f6b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -32,6 +32,7 @@
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
+android.hardware.bluetooth.offload.leaudio.IHciProxy/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default u:object_r:hal_bluetooth_service:s0
diff --git a/private/ueventd.te b/private/ueventd.te
index 7effa6d..654f861 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -75,6 +75,9 @@
# Allow ueventd to read apexd property
get_prop(ueventd, apexd_prop)
+# Allow ueventd to correctly label the symlinks it creates
+allow ueventd block_device:lnk_file relabelfrom;
+
#####
##### neverallow rules
#####
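Review bot: The added rule grants only `relabelfrom` on block_device:lnk_file, but a relabel also needs `relabelto` on the destination type, which this hunk neither grants nor names; if that half already exists elsewhere, the comment should say which types the symlinks end up with, otherwise the relabel will still be denied. A more specific comment would also help later audits, e.g. `# ueventd creates block-device symlinks as block_device and relabels them to their final type (relabelto is granted per target type)`, with the parenthetical adjusted to wherever that grant actually lives.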
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
index d6c7998..c18cef6 100644
--- a/private/wifi_mainline_supplicant.te
+++ b/private/wifi_mainline_supplicant.te
@@ -5,7 +5,7 @@
init_daemon_domain(wifi_mainline_supplicant)
add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
-allow wifi_mainline_supplicant self:global_capability_class_set { setuid setgid net_admin net_raw };
+allow wifi_mainline_supplicant self:global_capability_class_set { net_admin net_raw };
allow wifi_mainline_supplicant proc_net:file rw_file_perms;
allow wifi_mainline_supplicant sysfs_net:dir search;