Merge "Android.bp: set sepolicy version for use by init"
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
index 2ac9140..ba02083 100644
--- a/private/art_apex_boot_integrity.te
+++ b/private/art_apex_boot_integrity.te
@@ -26,9 +26,3 @@
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_boot_integrity kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_boot_integrity su:key search;
-')
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 40b09d2..576ed20 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -4,7 +4,7 @@
type art_apex_postinstall, domain, coredomain;
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
-# /dev/zero
+# /system/bin/sh (see b/126787589).
allow art_apex_postinstall apexd:fd use;
# Read temp dirs and files. Move directories.
@@ -29,9 +29,3 @@
allowxperm art_apex_postinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_postinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_postinstall su:key search;
-')
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
index 99341ec..12b1020 100644
--- a/private/art_apex_preinstall.te
+++ b/private/art_apex_preinstall.te
@@ -4,7 +4,7 @@
type art_apex_preinstall, domain, coredomain;
type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
-# /dev/zero
+# /system/bin/sh (see b/126787589).
allow art_apex_preinstall apexd:fd use;
# Create temp dirs and files under /data/ota.
@@ -31,9 +31,3 @@
allowxperm art_apex_preinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_preinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_preinstall su:key search;
-')
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index ac3ab2a..29efc22 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
(typeattributeset priv_app_28_0 (priv_app))
(typeattributeset proc_28_0
( proc
+ proc_fs_verity
proc_keys
proc_pressure_cpu
proc_pressure_io
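Review bot: Adding `proc_fs_verity` to the `proc_28_0` set means that, as I read the compat mechanism, any vendor rule written against `proc` under the 28.0 policy also reaches `/proc/sys/fs/verity/require_signatures`, the knob that decides whether fs-verity signatures are enforced at all. Keeping a newly split type inside the old `proc` set is the usual way to keep an older vendor policy working, but for this particular file it is worth confirming that no 28.0 vendor domain holds write access to `proc`, or that a platform neverallow bounds writers of `proc_fs_verity` to `init`. A short comment on the added line, e.g. `; require_signatures sysctl; kept in the proc set only for 28.0 vendor compatibility`, would record that the mapping was considered rather than mechanical.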
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d9e5755..7031977 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,6 +23,7 @@
app_zygote_tmpfs
ashmemd
ashmem_device_service
+ attention_service
biometric_service
bpf_progs_loaded_prop
bugreport_service
@@ -126,6 +127,7 @@
time_prop
timedetector_service
timezonedetector_service
+ traced_lazy_prop
uri_grants_service
use_memfd_prop
vendor_cgroup_desc_file
diff --git a/private/crash_dump.te b/private/crash_dump.te
index adc46a1..f130327 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,7 +1,7 @@
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
-dontaudit crash_dump dev_type:chr_file { read write };
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
allow crash_dump {
domain
diff --git a/private/domain.te b/private/domain.te
index d6b233f..8431957 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,15 @@
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain mini-keyctl:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+ allow domain su:key search;
+')
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
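Review bot: `allow domain kernel:key search;` and `allow domain mini-keyctl:key search;` extend keyring search to every domain, app domains included, and the comments only say "allow access". If the reason is that the kernel searches the fs-verity keyring in the opener's context when a signed file is opened (my reading of the fs-verity signature check, not something this hunk shows), the comment should say so, otherwise the next reviewer will read this as an unnecessary blanket grant; something like `# Every domain that may open a signed fs-verity file needs search on the keyring and on the keys in it, because the kernel performs the keyring lookup in the opener's context.`. Only `search` is granted here, so key contents stay unreadable; it would still be worth confirming that a neverallow denies `{ write setattr link }` on `kernel:key` to unprivileged domains so the keyring cannot be populated from outside `mini-keyctl`. The `su:key search` grant is correctly limited to `userdebug_or_eng`.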
@@ -271,3 +280,19 @@
dac_override_allowed
traced_probes
} self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/file_contexts b/private/file_contexts
index 91d4484..a3723e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -39,10 +39,6 @@
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
-/bionic(/.*)? u:object_r:system_file:s0
-/bionic/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
-
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
@@ -393,6 +389,7 @@
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(product|system/product)/etc/security/apex(/.*)? u:object_r:apex_key_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 20ec084..def17aa 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -37,6 +37,7 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
diff --git a/private/network_stack.te b/private/network_stack.te
index 4435a7a..b214538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -24,5 +24,7 @@
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack radio_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
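Review bot: The two new rules give `network_stack` create access to `radio_data_file` directories and files, and the seapp_contexts hunk later in this commit labels the network stack app's data directory with the same `radio_data_file` type that the `radio` app uses (`user=radio ... type=radio_data_file`). Two distinct domains now share one data label, so the policy can no longer separate the network stack's private files from the telephony app's; a dedicated type (for example a `network_stack_data_file` type declared in public/file.te and used in both the seapp entry and these rules) would keep that separation. If sharing the radio UID's files is the actual goal, a comment above the two `allow` lines saying so, e.g. `# network_stack intentionally shares radio_data_file with the radio app (see seapp_contexts).`, prevents a later reader from tightening it by mistake.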
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 61fdaab..ba85678 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,32 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
@@ -32,13 +60,9 @@
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
-# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
-# into /postinstall/bionic/.
-allow otapreopt_chroot postinstall_file:file mounton;
-# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
-# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
-allow otapreopt_chroot postinstall_file:lnk_file read;
-
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
+
+# Allow to access the linker through the symlink.
+allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
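Review bot: The replacement rule `allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;` widens the removed `lnk_file read` to the full read set, and its comment drops the detail that the symlink is `/postinstall/system/bin/linker(64)`. Only `read` and `getattr` are meaningful on a symlink, so if the missing permission was `getattr`, `{ read getattr }` is the minimal grant; if `r_file_perms` was chosen deliberately that is acceptable, but the comment should keep the path so the rule stays reviewable: `# Allow reading the /postinstall/system/bin/linker(64) symlink when executing /postinstall/system/bin/otapreopt.`. The earlier hunk in this file only moves the type declarations and rules in from public/otapreopt_chroot.te and adds `coredomain`, which looks consistent with the deleted file.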
diff --git a/private/property_contexts b/private/property_contexts
index b3214c8..3261014 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -64,6 +64,7 @@
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
persist.traced.enable u:object_r:traced_enabled_prop:s0
+traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 628b7d6..cbbdd64 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -146,7 +146,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/service.te b/private/service.te
index 1bec3ce..e597f5b 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
type ashmem_device_service, app_api_service, service_manager_type;
+type attention_service, system_server_service, service_manager_type;
type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index baead30..7ee4827 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
+attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
autofill u:object_r:autofill_service:s0
backup u:object_r:backup_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index e5e8a03..ab4a07c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -809,11 +809,6 @@
allowxperm system_server apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-# Allow system process to access the keyring.
-allow system_server kernel:key search;
-userdebug_or_eng(`
- allow system_server su:key search;
-')
# Postinstall
#
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index bd7b2c0..ad9fb44 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,13 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the dalvik cache.
+allow system_server_startup dalvikcache_data_file:dir r_dir_perms;
+allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };
+
+# While doing the above, will touch the apex mount dir.
+allow system_server_startup mnt_expand_file:dir getattr;
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
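Review bot: `allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };`, together with the unconditional `allow zygote dalvikcache_data_file:file execute;` in the private/zygote.te hunk, permits executing files that live on /data; both comments lean on fs-verity, but the enforcement they rely on sits outside the policy: the kernel must support fs-verity and `init` must set `/proc/sys/fs/verity/require_signatures` (the public/init.te hunk). The zygote hunk also drops the `with_dexpreopt` guard and the Project Zero reference, so what used to be a structural mitigation is now a runtime property of the device. Suggest both comments state that dependency explicitly, e.g. `# Executing from /data is acceptable only because these files are fs-verity protected with require_signatures enforced (see art_apex_boot_integrity and init's write to proc_fs_verity).`, and that a neverallow (not visible in this diff) continues to bound which domains may `execute` `dalvikcache_data_file`.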
diff --git a/private/traced.te b/private/traced.te
index 0aeb11b..1e2d7d6 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -39,6 +39,8 @@
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
+# Allow to lazily start producers.
+set_prop(traced, traced_lazy_prop)
###
### Neverallow rules
diff --git a/private/zygote.te b/private/zygote.te
index 29d61b4..4b8990c 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -44,11 +44,10 @@
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
-# When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache. Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+# For updateability, the zygote may fetch the current boot
+# classpath from the dalvik cache. Integrity of the files
+# is ensured by fsverity protection (checked in art_apex_boot_integrity).
+allow zygote dalvikcache_data_file:file execute;
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
diff --git a/public/domain.te b/public/domain.te
index e285a2e..8331d2d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -449,22 +449,6 @@
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
@@ -574,8 +558,9 @@
-adbd
-dumpstate
-fastbootd
- -hal_drm_server
+ -hal_camera_server
-hal_cas_server
+ -hal_drm_server
-init
-mediadrmserver
-recovery
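Review bot: `-hal_camera_server` is added to an exemption list of a neverallow whose head and object are outside this hunk, so from the hunk alone it is not possible to tell what the camera HAL is now permitted to do that other HALs are not, and the commit message does not mention it either. Every entry in an exemption list narrows the neverallow, so a one-line comment on the added line stating the concrete need, e.g. `-hal_camera_server # <reason and bug id>`, keeps the exemption auditable. The reordering of `-hal_drm_server` is cosmetic, and the first hunk of this file is the move of the mount neverallow into private/domain.te.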
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 99ccd8c..7b71c2c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -86,6 +86,11 @@
# Refined manipulation of /mnt/scratch, without these perms resorts
# to deleting scratch partition when partition(s) are flashed.
allow fastbootd self:process setfscreate;
+ allow fastbootd cache_file:dir search;
+ allow fastbootd proc_filesystems:file { getattr open read };
+ allow fastbootd self:capability sys_rawio;
+ dontaudit fastbootd kernel:system module_request;
+ allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
system_file_type
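Review bot: `allow fastbootd self:capability sys_rawio;` and `allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;` are broad: `sys_rawio` is one of the most powerful capabilities, and the ioctl rule is written against the whole `dev_type` attribute rather than the block-device type actually being toggled read-only. The added lines are indented like the surrounding `/mnt/scratch` handling, which suggests they sit inside a macro block whose opening is outside the hunk, so it is not visible whether these grants are limited to debuggable builds. Suggest naming the specific block device type if one exists and adding a comment giving the reason for `sys_rawio` and for silencing `module_request`, e.g. `# sys_rawio and BLKROSET: <reason>; module_request is dontaudited because <reason>.`. An `allowxperm` only takes effect alongside a matching `allow fastbootd dev_type:blk_file ioctl`, which I assume exists outside the hunk.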
diff --git a/public/file.te b/public/file.te
index 3f6b2b0..883f4a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -24,6 +24,7 @@
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
diff --git a/public/init.te b/public/init.te
index 88e8dba..f5f42e7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -87,15 +87,6 @@
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
-# Mount Bionic libraries and dynamic linkers
-allow init system_lib_file:file mounton;
-allow init system_linker_exec:file mounton;
-# The mount points under /bionic are rootfs in recovery mode. Init should
-# be able to bind-mount the bootstrap Bionic to the mount points.
-recovery_only(`
- allow init rootfs:file mounton;
-')
-
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
@@ -538,6 +529,9 @@
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow init proc_fs_verity:file w_file_perms;
+
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
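Review bot: `allow init proc_fs_verity:file w_file_perms;` is the only writer of `/proc/sys/fs/verity/require_signatures` visible in this diff, and since that sysctl decides whether fs-verity signatures are enforced, the restriction should be pinned by the policy rather than left to the absence of other allow rules. Unless one already exists elsewhere, consider adding next to the other global restrictions a rule such as `neverallow { domain -init } proc_fs_verity:file { write append };` (or `no_w_file_perms` where the macro form is used). The comment could also state the consequence, e.g. `# Turns on signature enforcement for every fs-verity file; writers must stay limited to init.`. The first hunk of this file is a pure removal of the /bionic mount rules and needs nothing further.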
diff --git a/public/kernel.te b/public/kernel.te
index 3ffb5ce..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,12 +88,6 @@
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index a8d5fda..0000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/public/property.te b/public/property.te
index a549ef1..c2b65f0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -81,6 +81,7 @@
type test_harness_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
+type traced_lazy_prop, property_type;
type use_memfd_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
@@ -451,6 +452,7 @@
-test_harness_prop
-time_prop
-traced_enabled_prop
+ -traced_lazy_prop
-vendor_default_prop
-vendor_security_patch_level_prop
-vold_prop
diff --git a/public/property_contexts b/public/property_contexts
index 2589941..3fe9feb 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -12,6 +12,7 @@
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
@@ -334,7 +335,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact int
+ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
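Review bot: `ro.telephony.iwlan_operation_mode` changes from `exact int` to `exact enum default legacy AP-assisted`, which is a contract change for any vendor build file that still sets the numeric form; as I understand the property type checks, such values would now be rejected. The addition of `dalvik.vm.boot-image` as `exact string` in the first hunk is fine. Suggest confirming the documented value set of the property and recording the switch in the commit message, since a merge titled "Android.bp: set sepolicy version for use by init" gives no hint that a property type changed.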