Merge "Add usbd servicemanager permission"
diff --git a/Android.mk b/Android.mk
index bd2bd56..8220fd5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -511,6 +511,8 @@
odm_seapp_contexts \
odm_property_contexts \
odm_property_contexts_test \
+ odm_service_contexts \
+ odm_service_contexts_test \
odm_hwservice_contexts \
odm_hwservice_contexts_test \
odm_mac_permissions.xml
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // List of domains that are allowed to be in permissive mode on user builds.
+ Permissive_domains_on_user_builds []string
}
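Review bot: The new property's doc comment does not say what it actually does, and this is a security-sensitive knob: each listed domain is excluded from the user-build permissive check elsewhere in this file, so that domain ships on user builds with no SELinux enforcement. A maintainer reading only the struct should see that, e.g. `// List of domains that are allowed to be in permissive mode on user builds.` followed by `// Each entry exempts that domain from the sepolicy-analyze permissive check, so it ships unenforced; keep this empty unless every entry is justified.` The enclosing properties struct starts outside this hunk.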
type policyBinary struct {
@@ -512,11 +515,19 @@
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
- rule.Command().BuiltTool("sepolicy-analyze").
+ cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
- Text("permissive").
- Text(" > ").
- Output(permissiveDomains)
+ Text("permissive")
+ // Filter-out domains listed in permissive_domains_on_user_builds
+ allowedDomains := c.properties.Permissive_domains_on_user_builds
+ if len(allowedDomains) != 0 {
+ cmd.Text("| { grep -Fxv")
+ for _, d := range allowedDomains {
+ cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+ }
+ cmd.Text(" || true; }") // no match doesn't fail the cmd
+ }
+ cmd.Text(" > ").Output(permissiveDomains)
rule.Temporary(permissiveDomains)
msg := `==========\n` +
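Review bot: Piping sepolicy-analyze into `{ grep -Fxv ... || true; }` (L41-L47) turns a hard failure of the analyzer into a pass: the pipeline's exit status is that of the `|| true` group, so if sepolicy-analyze crashes or rejects the binary, the permissive output file is simply empty and the user-build check succeeds. Before this change the analyzer's own exit status was what the rule saw, so this is a regression in the strength of the check; I cannot confirm from this hunk whether Soong runs the rule with pipefail, so this needs verifying. The simplest fix is to keep the analyzer's status visible: emit its output to a temporary file in its own command, e.g. `rule.Command().BuiltTool("sepolicy-analyze").Input(bin).Text("permissive").Text(" > ").Output(raw)`, and run the `grep -Fxv` filter as a second command reading `raw`. Separately, nothing validates that a listed domain exists or is actually permissive, so stale entries persist silently; a `cmd.Text(...)` that reports the filtered-out domains, or a check against the analyzer output, would make the exemptions auditable. The `if !ctx.Config().Debuggable()` block continues past the end of this hunk.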
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 841b64a..104ac81 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -14,412 +14,445 @@
package selinux
+var EXCEPTION_NO_FUZZER = []string{}
+
+//
+// To add a fuzzer for service, add your service name and fuzzer name in ServiceFuzzerBindings
+// example of entry -
+// "android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
+
var (
ServiceFuzzerBindings = map[string][]string{
- "android.hardware.audio.core.IConfig/default": []string{},
- "android.hardware.audio.core.IModule/default": []string{},
- "android.hardware.audio.effect.IFactory/default": []string{},
- "android.hardware.authsecret.IAuthSecret/default": []string{},
- "android.hardware.automotive.evs.IEvsEnumerator/hw/0": []string{},
- "android.hardware.boot.IBootControl/default": []string{},
- "android.hardware.automotive.evs.IEvsEnumerator/hw/1": []string{},
- "android.hardware.automotive.remoteaccess.IRemoteAccess/default": []string{},
- "android.hardware.automotive.vehicle.IVehicle/default": []string{},
- "android.hardware.automotive.audiocontrol.IAudioControl/default": []string{},
- "android.hardware.biometrics.face.IFace/default": []string{},
- "android.hardware.biometrics.fingerprint.IFingerprint/default": []string{},
- "android.hardware.biometrics.fingerprint.IFingerprint/virtual": []string{},
- "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": []string{},
- "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{},
- "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{},
- "android.hardware.camera.provider.ICameraProvider/internal/0": []string{},
- "android.hardware.confirmationui.IConfirmationUI/default": []string{},
- "android.hardware.contexthub.IContextHub/default": []string{},
- "android.hardware.drm.IDrmFactory/clearkey": []string{},
- "android.hardware.drm.ICryptoFactory/clearkey": []string{},
- "android.hardware.dumpstate.IDumpstateDevice/default": []string{},
- "android.hardware.gatekeeper.IGatekeeper/default": []string{},
- "android.hardware.gnss.IGnss/default": []string{},
- "android.hardware.graphics.allocator.IAllocator/default": []string{},
- "android.hardware.graphics.composer3.IComposer/default": []string{},
- "android.hardware.health.storage.IStorage/default": []string{},
+ "android.hardware.audio.core.IConfig/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/a2dp": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/bluetooth": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/hearing_aid": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/msd": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/r_submix": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/stub": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/usb": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.sounddose.ISoundDoseFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.can.ICanController/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
+ "android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.drm.IDrmFactory/clearkey": EXCEPTION_NO_FUZZER,
+ "android.hardware.drm.ICryptoFactory/clearkey": EXCEPTION_NO_FUZZER,
+ "android.hardware.dumpstate.IDumpstateDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.fastboot.IFastboot/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.gatekeeper.IGatekeeper/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.gnss.IGnss/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.graphics.allocator.IAllocator/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.graphics.composer3.IComposer/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.health.storage.IStorage/default": EXCEPTION_NO_FUZZER,
"android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
- "android.hardware.identity.IIdentityCredentialStore/default": []string{},
- "android.hardware.input.processor.IInputProcessor/default": []string{},
- "android.hardware.ir.IConsumerIr/default": []string{},
- "android.hardware.light.ILights/default": []string{},
- "android.hardware.memtrack.IMemtrack/default": []string{},
- "android.hardware.net.nlinterceptor.IInterceptor/default": []string{},
- "android.hardware.nfc.INfc/default": []string{},
- "android.hardware.oemlock.IOemLock/default": []string{},
- "android.hardware.power.IPower/default": []string{},
- "android.hardware.power.stats.IPowerStats/default": []string{},
- "android.hardware.radio.config.IRadioConfig/default": []string{},
- "android.hardware.radio.data.IRadioData/slot1": []string{},
- "android.hardware.radio.data.IRadioData/slot2": []string{},
- "android.hardware.radio.data.IRadioData/slot3": []string{},
- "android.hardware.radio.ims.IRadioIms/slot1": []string{},
- "android.hardware.radio.ims.IRadioIms/slot2": []string{},
- "android.hardware.radio.ims.IRadioIms/slot3": []string{},
- "android.hardware.radio.ims.media.IImsMedia/default": []string{},
- "android.hardware.radio.messaging.IRadioMessaging/slot1": []string{},
- "android.hardware.radio.messaging.IRadioMessaging/slot2": []string{},
- "android.hardware.radio.messaging.IRadioMessaging/slot3": []string{},
- "android.hardware.radio.modem.IRadioModem/slot1": []string{},
- "android.hardware.radio.modem.IRadioModem/slot2": []string{},
- "android.hardware.radio.modem.IRadioModem/slot3": []string{},
- "android.hardware.radio.network.IRadioNetwork/slot1": []string{},
- "android.hardware.radio.network.IRadioNetwork/slot2": []string{},
- "android.hardware.radio.network.IRadioNetwork/slot3": []string{},
- "android.hardware.radio.sim.IRadioSim/slot1": []string{},
- "android.hardware.radio.sim.IRadioSim/slot2": []string{},
- "android.hardware.radio.sim.IRadioSim/slot3": []string{},
- "android.hardware.radio.voice.IRadioVoice/slot1": []string{},
- "android.hardware.radio.voice.IRadioVoice/slot2": []string{},
- "android.hardware.radio.voice.IRadioVoice/slot3": []string{},
- "android.hardware.rebootescrow.IRebootEscrow/default": []string{},
- "android.hardware.security.dice.IDiceDevice/default": []string{},
- "android.hardware.security.keymint.IKeyMintDevice/default": []string{},
- "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": []string{},
- "android.hardware.security.secureclock.ISecureClock/default": []string{},
- "android.hardware.security.sharedsecret.ISharedSecret/default": []string{},
- "android.hardware.sensors.ISensors/default": []string{},
- "android.hardware.soundtrigger3.ISoundTriggerHw/default": []string{},
- "android.hardware.thermal.IThermal/default": []string{},
- "android.hardware.tv.cec.IHdmiCec/default": []string{},
- "android.hardware.tv.hdmi.IHdmi/default": []string{},
- "android.hardware.tv.input.ITvInput/default": []string{},
- "android.hardware.tv.tuner.ITuner/default": []string{},
- "android.hardware.usb.IUsb/default": []string{},
- "android.hardware.usb.gadget.IUsbGadget/default": []string{},
- "android.hardware.uwb.IUwb/default": []string{},
- "android.hardware.vibrator.IVibrator/default": []string{},
+ "android.hardware.identity.IIdentityCredentialStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.oemlock.IOemLock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.power.IPower/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.power.stats.IPowerStats/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.config.IRadioConfig/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.media.IImsMedia/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.rebootescrow.IRebootEscrow/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE1": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE2": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE3": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.IHdmi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.usb.gadget.IUsbGadget/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.uwb.IUwb/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.vibrator.IVibrator/default": EXCEPTION_NO_FUZZER,
"android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
- "android.hardware.weaver.IWeaver/default": []string{},
- "android.hardware.wifi.hostapd.IHostapd/default": []string{},
- "android.hardware.wifi.supplicant.ISupplicant/default": []string{},
- "android.frameworks.stats.IStats/default": []string{},
- "android.se.omapi.ISecureElementService/default": []string{},
- "android.system.keystore2.IKeystoreService/default": []string{},
- "android.system.net.netd.INetd/default": []string{},
- "android.system.suspend.ISystemSuspend/default": []string{},
- "accessibility": []string{},
- "account": []string{},
- "activity": []string{},
- "activity_task": []string{},
- "adb": []string{},
- "adservices_manager": []string{},
- "aidl_lazy_test_1": []string{},
- "aidl_lazy_test_2": []string{},
- "aidl_lazy_cb_test": []string{},
- "alarm": []string{},
- "android.hardware.automotive.evs.IEvsEnumerator/default": []string{},
- "android.os.UpdateEngineService": []string{},
- "android.os.UpdateEngineStableService": []string{},
- "android.frameworks.automotive.display.ICarDisplayProxy/default": []string{},
- "android.security.apc": []string{},
- "android.security.authorization": []string{},
- "android.security.compat": []string{},
- "android.security.dice.IDiceMaintenance": []string{},
- "android.security.dice.IDiceNode": []string{},
- "android.security.identity": []string{},
- "android.security.keystore": []string{},
- "android.security.legacykeystore": []string{},
- "android.security.maintenance": []string{},
- "android.security.metrics": []string{},
- "android.security.remoteprovisioning": []string{},
- "android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": []string{},
- "android.service.gatekeeper.IGateKeeperService": []string{},
- "android.system.composd": []string{},
- "android.system.virtualizationservice": []string{},
- "ambient_context": []string{},
- "app_binding": []string{},
- "app_hibernation": []string{},
- "app_integrity": []string{},
- "app_prediction": []string{},
- "app_search": []string{},
- "apexservice": []string{},
- "attestation_verification": []string{},
- "blob_store": []string{},
- "gsiservice": []string{},
- "appops": []string{},
- "appwidget": []string{},
- "artd": []string{},
- "assetatlas": []string{},
- "attention": []string{},
- "audio": []string{},
- "auth": []string{},
- "autofill": []string{},
- "background_install_control": []string{},
- "backup": []string{},
- "batteryproperties": []string{},
- "batterystats": []string{},
- "battery": []string{},
- "binder_calls_stats": []string{},
- "biometric": []string{},
- "bluetooth_manager": []string{},
- "bluetooth": []string{},
- "broadcastradio": []string{},
- "bugreport": []string{},
- "cacheinfo": []string{},
- "carrier_config": []string{},
- "clipboard": []string{},
- "cloudsearch": []string{},
- "cloudsearch_service": []string{},
- "com.android.net.IProxyService": []string{},
- "companiondevice": []string{},
- "communal": []string{},
- "platform_compat": []string{},
- "platform_compat_native": []string{},
- "connectivity": []string{},
- "connectivity_native": []string{},
- "connmetrics": []string{},
- "consumer_ir": []string{},
- "content": []string{},
- "content_capture": []string{},
- "content_suggestions": []string{},
- "contexthub": []string{},
- "country_detector": []string{},
- "coverage": []string{},
- "cpuinfo": []string{},
- "credential": []string{},
- "crossprofileapps": []string{},
- "dataloader_manager": []string{},
- "dbinfo": []string{},
- "device_config": []string{},
- "device_policy": []string{},
- "device_identifiers": []string{},
- "deviceidle": []string{},
- "device_lock": []string{},
- "device_state": []string{},
- "devicestoragemonitor": []string{},
- "diskstats": []string{},
- "display": []string{},
- "dnsresolver": []string{},
- "domain_verification": []string{},
- "color_display": []string{},
- "netd_listener": []string{},
- "network_watchlist": []string{},
- "DockObserver": []string{},
- "dreams": []string{},
- "drm.drmManager": []string{},
- "dropbox": []string{},
- "dumpstate": []string{},
- "dynamic_system": []string{},
- "econtroller": []string{},
- "emergency_affordance": []string{},
- "euicc_card_controller": []string{},
- "external_vibrator_service": []string{},
- "ethernet": []string{},
- "face": []string{},
- "file_integrity": []string{},
- "fingerprint": []string{},
- "font": []string{},
- "android.hardware.fingerprint.IFingerprintDaemon": []string{},
- "game": []string{},
- "gfxinfo": []string{},
- "gnss_time_update_service": []string{},
- "graphicsstats": []string{},
- "gpu": []string{},
- "hardware": []string{},
- "hardware_properties": []string{},
- "hdmi_control": []string{},
- "healthconnect": []string{},
- "ions": []string{},
- "idmap": []string{},
- "incident": []string{},
- "incidentcompanion": []string{},
- "inputflinger": []string{},
- "input_method": []string{},
- "input": []string{},
- "installd": []string{},
- "iphonesubinfo_msim": []string{},
- "iphonesubinfo2": []string{},
- "iphonesubinfo": []string{},
- "ims": []string{},
- "imms": []string{},
- "incremental": []string{},
- "ipsec": []string{},
- "ircsmessage": []string{},
- "iris": []string{},
- "isms_msim": []string{},
- "isms2": []string{},
- "isms": []string{},
- "isub": []string{},
- "jobscheduler": []string{},
- "launcherapps": []string{},
- "legacy_permission": []string{},
- "lights": []string{},
- "locale": []string{},
- "location": []string{},
- "location_time_zone_manager": []string{},
- "lock_settings": []string{},
- "logcat": []string{},
- "logd": []string{},
- "looper_stats": []string{},
- "lpdump_service": []string{},
- "mdns": []string{},
- "media.aaudio": []string{},
- "media.audio_flinger": []string{},
- "media.audio_policy": []string{},
- "media.camera": []string{},
- "media.camera.proxy": []string{},
- "media.log": []string{},
- "media.player": []string{},
- "media.metrics": []string{},
- "media.extractor": []string{},
- "media.transcoding": []string{},
- "media.resource_manager": []string{},
- "media.resource_observer": []string{},
- "media.sound_trigger_hw": []string{},
- "media.drm": []string{},
- "media.tuner": []string{},
- "media_communication": []string{},
- "media_metrics": []string{},
- "media_projection": []string{},
- "media_resource_monitor": []string{},
- "media_router": []string{},
- "media_session": []string{},
- "meminfo": []string{},
- "memtrack.proxy": []string{},
- "midi": []string{},
- "mount": []string{},
- "music_recognition": []string{},
- "nearby": []string{},
- "netd": []string{},
- "netpolicy": []string{},
- "netstats": []string{},
- "network_stack": []string{},
- "network_management": []string{},
- "network_score": []string{},
- "network_time_update_service": []string{},
- "nfc": []string{},
- "notification": []string{},
- "oem_lock": []string{},
- "otadexopt": []string{},
- "overlay": []string{},
- "pac_proxy": []string{},
- "package": []string{},
- "package_native": []string{},
- "people": []string{},
- "performance_hint": []string{},
- "permission": []string{},
- "permissionmgr": []string{},
- "permission_checker": []string{},
- "persistent_data_block": []string{},
- "phone_msim": []string{},
- "phone1": []string{},
- "phone2": []string{},
- "phone": []string{},
- "pinner": []string{},
- "powerstats": []string{},
- "power": []string{},
- "print": []string{},
- "processinfo": []string{},
- "procstats": []string{},
- "profcollectd": []string{},
- "radio.phonesubinfo": []string{},
- "radio.phone": []string{},
- "radio.sms": []string{},
- "rcs": []string{},
- "reboot_readiness": []string{},
- "recovery": []string{},
- "resolver": []string{},
- "resources": []string{},
- "restrictions": []string{},
- "rkpd.registrar": []string{},
- "rkpd.refresh": []string{},
- "role": []string{},
- "rollback": []string{},
- "rttmanager": []string{},
- "runtime": []string{},
- "safety_center": []string{},
- "samplingprofiler": []string{},
- "scheduling_policy": []string{},
- "search": []string{},
- "search_ui": []string{},
- "secure_element": []string{},
- "sec_key_att_app_id_provider": []string{},
- "selection_toolbar": []string{},
- "sensorservice": []string{},
- "sensor_privacy": []string{},
- "serial": []string{},
- "servicediscovery": []string{},
+ "android.hardware.weaver.IWeaver/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
+ "android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
+ "android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
+ "android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
+ "android.system.net.netd.INetd/default": EXCEPTION_NO_FUZZER,
+ "android.system.suspend.ISystemSuspend/default": EXCEPTION_NO_FUZZER,
+ "accessibility": EXCEPTION_NO_FUZZER,
+ "account": EXCEPTION_NO_FUZZER,
+ "activity": EXCEPTION_NO_FUZZER,
+ "activity_task": EXCEPTION_NO_FUZZER,
+ "adb": EXCEPTION_NO_FUZZER,
+ "adservices_manager": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_2": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_cb_test": EXCEPTION_NO_FUZZER,
+ "alarm": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/default": EXCEPTION_NO_FUZZER,
+ "android.os.UpdateEngineService": EXCEPTION_NO_FUZZER,
+ "android.os.UpdateEngineStableService": EXCEPTION_NO_FUZZER,
+ "android.frameworks.automotive.display.ICarDisplayProxy/default": EXCEPTION_NO_FUZZER,
+ "android.security.apc": EXCEPTION_NO_FUZZER,
+ "android.security.authorization": EXCEPTION_NO_FUZZER,
+ "android.security.compat": EXCEPTION_NO_FUZZER,
+ "android.security.dice.IDiceMaintenance": EXCEPTION_NO_FUZZER,
+ "android.security.dice.IDiceNode": EXCEPTION_NO_FUZZER,
+ "android.security.identity": EXCEPTION_NO_FUZZER,
+ "android.security.keystore": EXCEPTION_NO_FUZZER,
+ "android.security.legacykeystore": EXCEPTION_NO_FUZZER,
+ "android.security.maintenance": EXCEPTION_NO_FUZZER,
+ "android.security.metrics": EXCEPTION_NO_FUZZER,
+ "android.security.remoteprovisioning": EXCEPTION_NO_FUZZER,
+ "android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": EXCEPTION_NO_FUZZER,
+ "android.service.gatekeeper.IGateKeeperService": EXCEPTION_NO_FUZZER,
+ "android.system.composd": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
+ "ambient_context": EXCEPTION_NO_FUZZER,
+ "app_binding": EXCEPTION_NO_FUZZER,
+ "app_hibernation": EXCEPTION_NO_FUZZER,
+ "app_integrity": EXCEPTION_NO_FUZZER,
+ "app_prediction": EXCEPTION_NO_FUZZER,
+ "app_search": EXCEPTION_NO_FUZZER,
+ "apexservice": EXCEPTION_NO_FUZZER,
+ "attestation_verification": EXCEPTION_NO_FUZZER,
+ "blob_store": EXCEPTION_NO_FUZZER,
+ "gsiservice": EXCEPTION_NO_FUZZER,
+ "appops": EXCEPTION_NO_FUZZER,
+ "appwidget": EXCEPTION_NO_FUZZER,
+ "artd": EXCEPTION_NO_FUZZER,
+ "assetatlas": EXCEPTION_NO_FUZZER,
+ "attention": EXCEPTION_NO_FUZZER,
+ "audio": EXCEPTION_NO_FUZZER,
+ "auth": EXCEPTION_NO_FUZZER,
+ "autofill": EXCEPTION_NO_FUZZER,
+ "background_install_control": EXCEPTION_NO_FUZZER,
+ "backup": EXCEPTION_NO_FUZZER,
+ "batteryproperties": EXCEPTION_NO_FUZZER,
+ "batterystats": EXCEPTION_NO_FUZZER,
+ "battery": EXCEPTION_NO_FUZZER,
+ "binder_calls_stats": EXCEPTION_NO_FUZZER,
+ "biometric": EXCEPTION_NO_FUZZER,
+ "bluetooth_manager": EXCEPTION_NO_FUZZER,
+ "bluetooth": EXCEPTION_NO_FUZZER,
+ "broadcastradio": EXCEPTION_NO_FUZZER,
+ "bugreport": EXCEPTION_NO_FUZZER,
+ "cacheinfo": EXCEPTION_NO_FUZZER,
+ "carrier_config": EXCEPTION_NO_FUZZER,
+ "clipboard": EXCEPTION_NO_FUZZER,
+ "cloudsearch": EXCEPTION_NO_FUZZER,
+ "cloudsearch_service": EXCEPTION_NO_FUZZER,
+ "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
+ "companiondevice": EXCEPTION_NO_FUZZER,
+ "communal": EXCEPTION_NO_FUZZER,
+ "platform_compat": EXCEPTION_NO_FUZZER,
+ "platform_compat_native": EXCEPTION_NO_FUZZER,
+ "connectivity": EXCEPTION_NO_FUZZER,
+ "connectivity_native": EXCEPTION_NO_FUZZER,
+ "connmetrics": EXCEPTION_NO_FUZZER,
+ "consumer_ir": EXCEPTION_NO_FUZZER,
+ "content": EXCEPTION_NO_FUZZER,
+ "content_capture": EXCEPTION_NO_FUZZER,
+ "content_suggestions": EXCEPTION_NO_FUZZER,
+ "contexthub": EXCEPTION_NO_FUZZER,
+ "country_detector": EXCEPTION_NO_FUZZER,
+ "coverage": EXCEPTION_NO_FUZZER,
+ "cpuinfo": EXCEPTION_NO_FUZZER,
+ "credential": EXCEPTION_NO_FUZZER,
+ "crossprofileapps": EXCEPTION_NO_FUZZER,
+ "dataloader_manager": EXCEPTION_NO_FUZZER,
+ "dbinfo": EXCEPTION_NO_FUZZER,
+ "device_config": EXCEPTION_NO_FUZZER,
+ "device_policy": EXCEPTION_NO_FUZZER,
+ "device_identifiers": EXCEPTION_NO_FUZZER,
+ "deviceidle": EXCEPTION_NO_FUZZER,
+ "device_lock": EXCEPTION_NO_FUZZER,
+ "device_state": EXCEPTION_NO_FUZZER,
+ "devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "diskstats": EXCEPTION_NO_FUZZER,
+ "display": EXCEPTION_NO_FUZZER,
+ "dnsresolver": EXCEPTION_NO_FUZZER,
+ "domain_verification": EXCEPTION_NO_FUZZER,
+ "color_display": EXCEPTION_NO_FUZZER,
+ "netd_listener": EXCEPTION_NO_FUZZER,
+ "network_watchlist": EXCEPTION_NO_FUZZER,
+ "DockObserver": EXCEPTION_NO_FUZZER,
+ "dreams": EXCEPTION_NO_FUZZER,
+ "drm.drmManager": EXCEPTION_NO_FUZZER,
+ "dropbox": EXCEPTION_NO_FUZZER,
+ "dumpstate": EXCEPTION_NO_FUZZER,
+ "dynamic_system": EXCEPTION_NO_FUZZER,
+ "econtroller": EXCEPTION_NO_FUZZER,
+ "emergency_affordance": EXCEPTION_NO_FUZZER,
+ "euicc_card_controller": EXCEPTION_NO_FUZZER,
+ "external_vibrator_service": EXCEPTION_NO_FUZZER,
+ "ethernet": EXCEPTION_NO_FUZZER,
+ "face": EXCEPTION_NO_FUZZER,
+ "file_integrity": EXCEPTION_NO_FUZZER,
+ "fingerprint": EXCEPTION_NO_FUZZER,
+ "font": EXCEPTION_NO_FUZZER,
+ "android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
+ "game": EXCEPTION_NO_FUZZER,
+ "gfxinfo": EXCEPTION_NO_FUZZER,
+ "gnss_time_update_service": EXCEPTION_NO_FUZZER,
+ "grammatical_inflection": EXCEPTION_NO_FUZZER,
+ "graphicsstats": EXCEPTION_NO_FUZZER,
+ "gpu": EXCEPTION_NO_FUZZER,
+ "hardware": EXCEPTION_NO_FUZZER,
+ "hardware_properties": EXCEPTION_NO_FUZZER,
+ "hdmi_control": EXCEPTION_NO_FUZZER,
+ "healthconnect": EXCEPTION_NO_FUZZER,
+ "ions": EXCEPTION_NO_FUZZER,
+ "idmap": EXCEPTION_NO_FUZZER,
+ "incident": EXCEPTION_NO_FUZZER,
+ "incidentcompanion": EXCEPTION_NO_FUZZER,
+ "inputflinger": EXCEPTION_NO_FUZZER,
+ "input_method": EXCEPTION_NO_FUZZER,
+ "input": EXCEPTION_NO_FUZZER,
+ "installd": EXCEPTION_NO_FUZZER,
+ "iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
+ "iphonesubinfo2": EXCEPTION_NO_FUZZER,
+ "iphonesubinfo": EXCEPTION_NO_FUZZER,
+ "ims": EXCEPTION_NO_FUZZER,
+ "imms": EXCEPTION_NO_FUZZER,
+ "incremental": EXCEPTION_NO_FUZZER,
+ "ipsec": EXCEPTION_NO_FUZZER,
+ "ircsmessage": EXCEPTION_NO_FUZZER,
+ "iris": EXCEPTION_NO_FUZZER,
+ "isms_msim": EXCEPTION_NO_FUZZER,
+ "isms2": EXCEPTION_NO_FUZZER,
+ "isms": EXCEPTION_NO_FUZZER,
+ "isub": EXCEPTION_NO_FUZZER,
+ "jobscheduler": EXCEPTION_NO_FUZZER,
+ "launcherapps": EXCEPTION_NO_FUZZER,
+ "legacy_permission": EXCEPTION_NO_FUZZER,
+ "lights": EXCEPTION_NO_FUZZER,
+ "locale": EXCEPTION_NO_FUZZER,
+ "location": EXCEPTION_NO_FUZZER,
+ "location_time_zone_manager": EXCEPTION_NO_FUZZER,
+ "lock_settings": EXCEPTION_NO_FUZZER,
+ "logcat": EXCEPTION_NO_FUZZER,
+ "logd": EXCEPTION_NO_FUZZER,
+ "looper_stats": EXCEPTION_NO_FUZZER,
+ "lpdump_service": EXCEPTION_NO_FUZZER,
+ "mdns": EXCEPTION_NO_FUZZER,
+ "media.aaudio": EXCEPTION_NO_FUZZER,
+ "media.audio_flinger": EXCEPTION_NO_FUZZER,
+ "media.audio_policy": EXCEPTION_NO_FUZZER,
+ "media.camera": EXCEPTION_NO_FUZZER,
+ "media.camera.proxy": EXCEPTION_NO_FUZZER,
+ "media.log": EXCEPTION_NO_FUZZER,
+ "media.player": EXCEPTION_NO_FUZZER,
+ "media.metrics": EXCEPTION_NO_FUZZER,
+ "media.extractor": EXCEPTION_NO_FUZZER,
+ "media.transcoding": EXCEPTION_NO_FUZZER,
+ "media.resource_manager": EXCEPTION_NO_FUZZER,
+ "media.resource_observer": EXCEPTION_NO_FUZZER,
+ "media.sound_trigger_hw": EXCEPTION_NO_FUZZER,
+ "media.drm": EXCEPTION_NO_FUZZER,
+ "media.tuner": EXCEPTION_NO_FUZZER,
+ "media_communication": EXCEPTION_NO_FUZZER,
+ "media_metrics": EXCEPTION_NO_FUZZER,
+ "media_projection": EXCEPTION_NO_FUZZER,
+ "media_resource_monitor": EXCEPTION_NO_FUZZER,
+ "media_router": EXCEPTION_NO_FUZZER,
+ "media_session": EXCEPTION_NO_FUZZER,
+ "meminfo": EXCEPTION_NO_FUZZER,
+ "memtrack.proxy": EXCEPTION_NO_FUZZER,
+ "midi": EXCEPTION_NO_FUZZER,
+ "mount": EXCEPTION_NO_FUZZER,
+ "music_recognition": EXCEPTION_NO_FUZZER,
+ "nearby": EXCEPTION_NO_FUZZER,
+ "netd": EXCEPTION_NO_FUZZER,
+ "netpolicy": EXCEPTION_NO_FUZZER,
+ "netstats": EXCEPTION_NO_FUZZER,
+ "network_stack": EXCEPTION_NO_FUZZER,
+ "network_management": EXCEPTION_NO_FUZZER,
+ "network_score": EXCEPTION_NO_FUZZER,
+ "network_time_update_service": EXCEPTION_NO_FUZZER,
+ "nfc": EXCEPTION_NO_FUZZER,
+ "notification": EXCEPTION_NO_FUZZER,
+ "oem_lock": EXCEPTION_NO_FUZZER,
+ "otadexopt": EXCEPTION_NO_FUZZER,
+ "overlay": EXCEPTION_NO_FUZZER,
+ "pac_proxy": EXCEPTION_NO_FUZZER,
+ "package": EXCEPTION_NO_FUZZER,
+ "package_native": EXCEPTION_NO_FUZZER,
+ "people": EXCEPTION_NO_FUZZER,
+ "performance_hint": EXCEPTION_NO_FUZZER,
+ "permission": EXCEPTION_NO_FUZZER,
+ "permissionmgr": EXCEPTION_NO_FUZZER,
+ "permission_checker": EXCEPTION_NO_FUZZER,
+ "persistent_data_block": EXCEPTION_NO_FUZZER,
+ "phone_msim": EXCEPTION_NO_FUZZER,
+ "phone1": EXCEPTION_NO_FUZZER,
+ "phone2": EXCEPTION_NO_FUZZER,
+ "phone": EXCEPTION_NO_FUZZER,
+ "pinner": EXCEPTION_NO_FUZZER,
+ "powerstats": EXCEPTION_NO_FUZZER,
+ "power": EXCEPTION_NO_FUZZER,
+ "print": EXCEPTION_NO_FUZZER,
+ "processinfo": EXCEPTION_NO_FUZZER,
+ "procstats": EXCEPTION_NO_FUZZER,
+ "profcollectd": EXCEPTION_NO_FUZZER,
+ "radio.phonesubinfo": EXCEPTION_NO_FUZZER,
+ "radio.phone": EXCEPTION_NO_FUZZER,
+ "radio.sms": EXCEPTION_NO_FUZZER,
+ "rcs": EXCEPTION_NO_FUZZER,
+ "reboot_readiness": EXCEPTION_NO_FUZZER,
+ "recovery": EXCEPTION_NO_FUZZER,
+ "remote_provisioning": EXCEPTION_NO_FUZZER,
+ "resolver": EXCEPTION_NO_FUZZER,
+ "resources": EXCEPTION_NO_FUZZER,
+ "restrictions": EXCEPTION_NO_FUZZER,
+ "rkpd.registrar": EXCEPTION_NO_FUZZER,
+ "rkpd.refresh": EXCEPTION_NO_FUZZER,
+ "role": EXCEPTION_NO_FUZZER,
+ "rollback": EXCEPTION_NO_FUZZER,
+ "rttmanager": EXCEPTION_NO_FUZZER,
+ "runtime": EXCEPTION_NO_FUZZER,
+ "safety_center": EXCEPTION_NO_FUZZER,
+ "samplingprofiler": EXCEPTION_NO_FUZZER,
+ "scheduling_policy": EXCEPTION_NO_FUZZER,
+ "search": EXCEPTION_NO_FUZZER,
+ "search_ui": EXCEPTION_NO_FUZZER,
+ "secure_element": EXCEPTION_NO_FUZZER,
+ "sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
+ "selection_toolbar": EXCEPTION_NO_FUZZER,
+ "sensorservice": EXCEPTION_NO_FUZZER,
+ "sensor_privacy": EXCEPTION_NO_FUZZER,
+ "serial": EXCEPTION_NO_FUZZER,
+ "servicediscovery": EXCEPTION_NO_FUZZER,
"manager": []string{"servicemanager_fuzzer"},
- "settings": []string{},
- "shortcut": []string{},
- "simphonebook_msim": []string{},
- "simphonebook2": []string{},
- "simphonebook": []string{},
- "sip": []string{},
- "slice": []string{},
- "smartspace": []string{},
- "speech_recognition": []string{},
- "stats": []string{},
- "statsbootstrap": []string{},
- "statscompanion": []string{},
- "statsmanager": []string{},
- "soundtrigger": []string{},
- "soundtrigger_middleware": []string{},
- "statusbar": []string{},
- "storaged": []string{},
- "storaged_pri": []string{},
- "storagestats": []string{},
- "sdk_sandbox": []string{},
- "SurfaceFlinger": []string{},
- "SurfaceFlingerAIDL": []string{},
- "suspend_control": []string{},
- "suspend_control_internal": []string{},
- "system_config": []string{},
- "system_server_dumper": []string{},
- "system_update": []string{},
- "tare": []string{},
- "task": []string{},
- "telecom": []string{},
- "telephony.registry": []string{},
- "telephony_ims": []string{},
- "testharness": []string{},
- "tethering": []string{},
- "textclassification": []string{},
- "textservices": []string{},
- "texttospeech": []string{},
- "time_detector": []string{},
- "time_zone_detector": []string{},
- "thermalservice": []string{},
- "tracing.proxy": []string{},
- "translation": []string{},
- "transparency": []string{},
- "trust": []string{},
- "tv_interactive_app": []string{},
- "tv_input": []string{},
- "tv_tuner_resource_mgr": []string{},
- "uce": []string{},
- "uimode": []string{},
- "updatelock": []string{},
- "uri_grants": []string{},
- "usagestats": []string{},
- "usb": []string{},
- "user": []string{},
- "uwb": []string{},
- "vcn_management": []string{},
- "vibrator": []string{},
- "vibrator_manager": []string{},
- "virtualdevice": []string{},
- "virtual_touchpad": []string{},
- "voiceinteraction": []string{},
- "vold": []string{},
- "vpn_management": []string{},
- "vrmanager": []string{},
- "wallpaper": []string{},
- "wallpaper_effects_generation": []string{},
- "webviewupdate": []string{},
- "wifip2p": []string{},
- "wifiscanner": []string{},
- "wifi": []string{},
- "wifinl80211": []string{},
- "wifiaware": []string{},
- "wifirtt": []string{},
- "window": []string{},
- "*": []string{},
+ "settings": EXCEPTION_NO_FUZZER,
+ "shortcut": EXCEPTION_NO_FUZZER,
+ "simphonebook_msim": EXCEPTION_NO_FUZZER,
+ "simphonebook2": EXCEPTION_NO_FUZZER,
+ "simphonebook": EXCEPTION_NO_FUZZER,
+ "sip": EXCEPTION_NO_FUZZER,
+ "slice": EXCEPTION_NO_FUZZER,
+ "smartspace": EXCEPTION_NO_FUZZER,
+ "speech_recognition": EXCEPTION_NO_FUZZER,
+ "stats": EXCEPTION_NO_FUZZER,
+ "statsbootstrap": EXCEPTION_NO_FUZZER,
+ "statscompanion": EXCEPTION_NO_FUZZER,
+ "statsmanager": EXCEPTION_NO_FUZZER,
+ "soundtrigger": EXCEPTION_NO_FUZZER,
+ "soundtrigger_middleware": EXCEPTION_NO_FUZZER,
+ "statusbar": EXCEPTION_NO_FUZZER,
+ "storaged": EXCEPTION_NO_FUZZER,
+ "storaged_pri": EXCEPTION_NO_FUZZER,
+ "storagestats": EXCEPTION_NO_FUZZER,
+ "sdk_sandbox": EXCEPTION_NO_FUZZER,
+ "SurfaceFlinger": EXCEPTION_NO_FUZZER,
+ "SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
+ "suspend_control": EXCEPTION_NO_FUZZER,
+ "suspend_control_internal": EXCEPTION_NO_FUZZER,
+ "system_config": EXCEPTION_NO_FUZZER,
+ "system_server_dumper": EXCEPTION_NO_FUZZER,
+ "system_update": EXCEPTION_NO_FUZZER,
+ "tare": EXCEPTION_NO_FUZZER,
+ "task": EXCEPTION_NO_FUZZER,
+ "telecom": EXCEPTION_NO_FUZZER,
+ "telephony.registry": EXCEPTION_NO_FUZZER,
+ "telephony_ims": EXCEPTION_NO_FUZZER,
+ "testharness": EXCEPTION_NO_FUZZER,
+ "tethering": EXCEPTION_NO_FUZZER,
+ "textclassification": EXCEPTION_NO_FUZZER,
+ "textservices": EXCEPTION_NO_FUZZER,
+ "texttospeech": EXCEPTION_NO_FUZZER,
+ "time_detector": EXCEPTION_NO_FUZZER,
+ "time_zone_detector": EXCEPTION_NO_FUZZER,
+ "thermalservice": EXCEPTION_NO_FUZZER,
+ "tracing.proxy": EXCEPTION_NO_FUZZER,
+ "translation": EXCEPTION_NO_FUZZER,
+ "transparency": EXCEPTION_NO_FUZZER,
+ "trust": EXCEPTION_NO_FUZZER,
+ "tv_interactive_app": EXCEPTION_NO_FUZZER,
+ "tv_input": EXCEPTION_NO_FUZZER,
+ "tv_tuner_resource_mgr": EXCEPTION_NO_FUZZER,
+ "uce": EXCEPTION_NO_FUZZER,
+ "uimode": EXCEPTION_NO_FUZZER,
+ "updatelock": EXCEPTION_NO_FUZZER,
+ "uri_grants": EXCEPTION_NO_FUZZER,
+ "usagestats": EXCEPTION_NO_FUZZER,
+ "usb": EXCEPTION_NO_FUZZER,
+ "user": EXCEPTION_NO_FUZZER,
+ "uwb": EXCEPTION_NO_FUZZER,
+ "vcn_management": EXCEPTION_NO_FUZZER,
+ "vibrator": EXCEPTION_NO_FUZZER,
+ "vibrator_manager": EXCEPTION_NO_FUZZER,
+ "virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtual_touchpad": EXCEPTION_NO_FUZZER,
+ "voiceinteraction": EXCEPTION_NO_FUZZER,
+ "vold": EXCEPTION_NO_FUZZER,
+ "vpn_management": EXCEPTION_NO_FUZZER,
+ "vrmanager": EXCEPTION_NO_FUZZER,
+ "wallpaper": EXCEPTION_NO_FUZZER,
+ "wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+ "webviewupdate": EXCEPTION_NO_FUZZER,
+ "wifip2p": EXCEPTION_NO_FUZZER,
+ "wifiscanner": EXCEPTION_NO_FUZZER,
+ "wifi": EXCEPTION_NO_FUZZER,
+ "wifinl80211": EXCEPTION_NO_FUZZER,
+ "wifiaware": EXCEPTION_NO_FUZZER,
+ "wifirtt": EXCEPTION_NO_FUZZER,
+ "window": EXCEPTION_NO_FUZZER,
+ "*": EXCEPTION_NO_FUZZER,
}
)
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 82f42ba..d5cd8ae 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -277,6 +277,15 @@
recovery_available: true,
}
+service_contexts {
+ name: "odm_service_contexts",
+ srcs: [
+ ":service_contexts_files{.odm}",
+ ],
+ device_specific: true,
+ recovery_available: true,
+}
+
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
srcs: [":keystore2_key_contexts_files{.plat_private}"],
@@ -515,6 +524,12 @@
sepolicy: ":precompiled_sepolicy",
}
+service_contexts_test {
+ name: "odm_service_contexts_test",
+ srcs: [":odm_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
vndservice_contexts_test {
name: "vndservice_contexts_test",
srcs: [":vndservice_contexts"],
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0628a5b..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
":microdroid_vendor_sepolicy.cil",
],
installable: false,
+
+ // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+ // This is to support fully debuggable VMs on user builds. This is safe
+ // because we don't start adbd at all on non-debuggable VMs.
+ permissive_domains_on_user_builds: ["su"],
}
genrule {
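Review bot: The safety argument in the new comment rests on an invariant this build file cannot enforce — that adbd is never started on a non-debuggable VM — so a reader auditing `permissive_domains_on_user_builds: ["su"]` has no way to confirm it from here. I'd name where the gate lives, e.g. `// Safe only because init starts adbd solely when the VM is debuggable (presumably gated on ro.boot.microdroid.debuggable); keep that gate and the adbd-only neverallow on su:process in sync with this list.` A permissive su on a user build is effectively unconfined once reached, so any future rule granting another domain a transition into su silently widens this exception beyond adbd.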
@@ -277,14 +282,6 @@
installable: false,
}
-prebuilt_etc {
- name: "microdroid_service_contexts",
- filename: "plat_service_contexts",
- src: "system/private/service_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
// For CTS
se_policy_conf {
name: "microdroid_general_sepolicy.conf",
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
@@ -55,3 +57,6 @@
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 0545744..ce29abc 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -32,6 +32,9 @@
# allow apkdmverity to log to the kernel
allow apkdmverity kmsg_device:chr_file w_file_perms;
+# allow apkdmverity to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
+allow apkdmverity kmsg_debug_device:chr_file w_file_perms;
+
# apkdmverity is forked from microdroid_manager
allow apkdmverity microdroid_manager:fd use;
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
index e7e9ef0..05dea40 100644
--- a/microdroid/system/private/authfs_service.te
+++ b/microdroid/system/private/authfs_service.te
@@ -9,10 +9,6 @@
# Allow domain transition from init.
init_daemon_domain(authfs_service)
-# Allow running as a binder service.
-binder_call(authfs_service, servicemanager)
-add_service(authfs_service, authfs_binder_service)
-
# Allow domain transition into authfs.
domain_auto_trans(authfs_service, authfs_exec, authfs)
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index 8ec131c..0d617fb 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -6,14 +6,12 @@
# Block crash dumps to ensure the secrets are not leaked.
typeattribute compos_key_helper no_crash_dump_domain;
-# Allow use of vm_payload_binder_service
-binder_use(compos_key_helper);
-allow compos_key_helper vm_payload_binder_service:service_manager find;
-binder_call(compos_key_helper, microdroid_manager);
-
# Communicate with compos via stdin/stdout pipes
allow compos_key_helper compos:fd use;
allow compos_key_helper compos:fifo_file { getattr read write };
# Write to /dev/kmsg.
allow compos_key_helper kmsg_device:chr_file rw_file_perms;
+
+# Communicate with microdroid manager to get DICE information
+unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c3156fb..d300679 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -46,19 +46,6 @@
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-# /dev/binder can be accessed by ... everyone! :)
-allow domain binder_device:chr_file rw_file_perms;
-get_prop(domain, servicemanager_prop)
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
@@ -396,26 +383,14 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+neverallow * { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set
{ create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
+neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set { write unlink };
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
neverallow { domain } tombstoned_intercept_socket:sock_file write;
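Review bot: Excluding `-encryptedstore_file` from the `contextmount_type` set in both neverallows looks like a no-op: file.te in this change declares `type encryptedstore_file, file_type;` without `contextmount_type`, while `encryptedstore_fs` is the type that carries that attribute. If the exclusion was added to silence a neverallow failure, the type actually in the set would be `encryptedstore_fs`, and it is worth checking whether any domain really needs write/unlink on the filesystem label rather than on `encryptedstore_file`; if nothing does, dropping the exclusion keeps the context-mount restriction at full strength. Either way a one-line comment stating which label the payload writes to and why it is exempt would spare the next reader this analysis.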
@@ -443,11 +418,6 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
neverallow { domain -init } proc:{ file dir } mounton;
# Ensure that all types assigned to processes are included
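Review bot: Removing the `su_exec` neverallow entirely leaves no rule stopping an arbitrary domain from executing su in its own context, whereas the new rule in adbd.te only constrains transitions into the `su` domain. If `su_exec` is shipped in Microdroid images at all, I'd keep an unconditional form matching the previous userdebug shape, `neverallow { domain -shell -su } su_exec:file no_x_file_perms;`, so the only supported root path stays adbd's dyntransition. If the binary is not shipped, a comment saying so would document why the rule was dropped rather than relaxed.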
@@ -512,15 +482,6 @@
-shell
} shell_data_file:dir { open search };
-# servicemanager is the only process which handles the
-# service_manager list request
-neverallow * ~{
- servicemanager
- }:service_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;
@@ -589,3 +550,6 @@
# These domains must not be crash dumped
neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
+
+# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
+neverallow domain encryptedstore_file:file no_x_file_perms;
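Review bot: The new no-execute neverallow covers only files labelled `encryptedstore_file`, but the backing filesystem is labelled `encryptedstore_fs` (encryptedstore.te relabels the mount to it), and an inode without a `security.selinux` xattr — a freshly formatted volume, or files created before any restorecon — would not carry `encryptedstore_file`; how such files end up labelled is not visible in this diff. Covering both types closes that gap cheaply: `neverallow domain { encryptedstore_file encryptedstore_fs }:file no_x_file_perms;`. If `encryptedstore_fs` can never label a file (no `context=`/`defcontext=` mount option is used), a comment stating that would be enough.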
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
new file mode 100644
index 0000000..5fa2e3a
--- /dev/null
+++ b/microdroid/system/private/encryptedstore.te
@@ -0,0 +1,48 @@
+# encryptedstore is a program that provides (encrypted) storage solution in a VM based on dm-crypt
+
+type encryptedstore, domain, coredomain;
+type encryptedstore_exec, exec_type, file_type, system_file_type;
+
+# encryptedstore is using bootstrap bionic
+use_bootstrap_libs(encryptedstore)
+
+# encryptedstore require access to block device directory to map dm-crypt
+r_dir_file(encryptedstore, block_device)
+
+# encryptedstore accesses /dev/vd* block device file.
+allow encryptedstore vd_device:blk_file rw_file_perms;
+
+# allow encryptedstore to create dm-crypt devices
+allow encryptedstore dm_device:{ chr_file blk_file } rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow encryptedstore self:global_capability_class_set sys_admin;
+
+# encryptedstore is forked from microdroid_manager
+allow encryptedstore microdroid_manager:fd use;
+
+# For formatting encrypted storage device
+allow encryptedstore e2fs_exec:file { rx_file_perms };
+allowxperm encryptedstore dm_device:blk_file ioctl {
+ BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKDISCARD
+};
+
+# access /sys/fs/ext4/features - required because encryptedstore runs mkfs.ext4 in its own domain
+allow encryptedstore sysfs_fs_ext4_features:dir search;
+allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
+
+# encryptedstore to mount on tmpfs bases directory (/mnt/)
+allow encryptedstore tmpfs:dir { add_name create mounton write };
+
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+allow encryptedstore labeledfs:filesystem { relabelfrom };
+allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
+
+# allow encryptedstore to log to the kernel
+allow encryptedstore kmsg_device:chr_file w_file_perms;
+
+# Allow encryptedstore to write kmsg_debug (stdio_to_kmsg).
+allow encryptedstore kmsg_debug_device:chr_file w_file_perms;
+
+# Only microdroid_manager can run encryptedstore
+neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };
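Review bot: The ioctl allowlist `allowxperm encryptedstore dm_device:blk_file ioctl { ... }` has no counterpart for `vd_device`, yet `allow encryptedstore vd_device:blk_file rw_file_perms;` grants the same `rw_file_perms` and therefore the same unrestricted `ioctl` on the raw virtio disk (the dm_device allowxperm only makes sense because `rw_file_perms` includes ioctl). If formatting and dm-crypt setup need the same small set of block ioctls on the underlying device, adding the same `allowxperm` line with `vd_device` as the target keeps the domain's ioctl surface explicit. Separately, `mke2fs` runs without a domain transition (`allow encryptedstore e2fs_exec:file { rx_file_perms };`), so it inherits `sys_admin` and the device-mapper access; a one-line comment acknowledging that this is intentional would help future reviewers.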
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index d15f9ba..da54361 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
allow extra_apk_file zipfusefs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
@@ -17,3 +18,9 @@
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
# property labeled.
type sepolicy_test_file, file_type;
+
+# /system/bin/mke2fs - used to format encryptedstore block device
+type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;
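Review bot: The two new encryptedstore types are declared without saying how they relate, and the `allow encryptedstore_file encryptedstore_fs:filesystem associate;` added earlier in this file only makes sense once that is clear. Following the file's existing style for `sepolicy_test_file`, suggest a comment above them such as `# encryptedstore_fs labels the dm-crypt backed filesystem itself; encryptedstore_file labels the directories and files the payload creates on it and is deliberately not an exec_type.`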
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 7968ff3..0ccb250 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -34,7 +34,6 @@
/dev(/.*)? u:object_r:device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
-/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
@@ -55,7 +54,6 @@
/dev/hvc1 u:object_r:serial_device:s0
/dev/hvc2 u:object_r:log_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
@@ -73,6 +71,8 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
+/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
@@ -84,7 +84,6 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
@@ -105,7 +104,6 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
@@ -119,6 +117,8 @@
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
/system/bin/authfs u:object_r:authfs_exec:s0
/system/bin/authfs_service u:object_r:authfs_service_exec:s0
+/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
@@ -167,3 +167,7 @@
#############################
# Directory for extra apks
/mnt/extra-apk u:object_r:extra_apk_file:s0
+
+#############################
+# Directory for encrypted storage (persistent across boot)
+/mnt/encryptedstore u:object_r:encryptedstore_file:s0
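Review bot: `/mnt/encryptedstore u:object_r:encryptedstore_file:s0` labels only the mount-point directory (compare `/dev/block(/.*)?` above, which also matches children); files inside the mounted ext4 volume are labelled from their xattrs, and a freshly formatted volume has none. Whether the encryptedstore binary restorecons the volume after mounting is not visible in this diff, so either add `(/.*)?` and rely on a restorecon, or leave a comment here noting that labels inside the volume are established elsewhere.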
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 254dbe8..ce28471 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -42,7 +42,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
@@ -357,15 +356,8 @@
genfscon securityfs / u:object_r:securityfs:s0
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
-
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 19b7256..283775e 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -230,11 +230,9 @@
allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
- binder_device
console_device
devpts
dm_device
- hwbinder_device
kmsg_device
null_device
owntty_device
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
index c0ab735..8d40986 100644
--- a/microdroid/system/private/kexec.te
+++ b/microdroid/system/private/kexec.te
@@ -10,3 +10,6 @@
# allow kexec to have SYS_BOOT
allow kexec self:capability sys_boot;
+
+# allow kexec to write kmsg_debug
+allow kexec kmsg_debug_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index ac92f38..baf8366 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -39,6 +39,9 @@
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+# Allow microdroid_manager to start encryptedstore binary
+domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
+
# Allow microdroid_manager to run kexec to load crashkernel
domain_auto_trans(microdroid_manager, kexec_exec, kexec)
@@ -48,15 +51,12 @@
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+# Allow microdroid_manager to read the CID of the VM.
+allow microdroid_manager vsock_device:chr_file { ioctl open read };
+
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
-# microdroid_manager hosts binder services.
-binder_use(microdroid_manager)
-
-# microdroid_manager can add virtual_machine_payload_service
-add_service(microdroid_manager, vm_payload_binder_service)
-
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
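Review bot: `allow microdroid_manager vsock_device:chr_file { ioctl open read };` grants every ioctl on /dev/vsock although the comment says only the local CID is needed. If the policy's ioctl defines include it, pin the surface in the same hunk with `allowxperm microdroid_manager vsock_device:chr_file ioctl { IOCTL_VM_SOCKETS_GET_LOCAL_CID };`; otherwise a comment naming the ioctl actually used would at least document the intent.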
@@ -82,6 +82,12 @@
# Allow microdroid_manager to pass the roothash to apkdmverity
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+# Allow microdroid_manager to set sysprops calculated from the payload config
+set_prop(microdroid_manager, microdroid_config_prop)
+
+# Allow microdroid_manager to set sysprops related to microdroid_lifecycle (ex. init_done)
+set_prop(microdroid_manager, microdroid_lifecycle_prop)
+
# Allow microdroid_manager to shutdown the device when verification fails
set_prop(microdroid_manager, powerctl_prop)
@@ -111,6 +117,9 @@
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
+# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
+allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
@@ -123,6 +132,7 @@
-crash_dump
-microdroid_payload
-apkdmverity
+ -encryptedstore
-zipfuse
-kexec
}:process transition;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 851a85a..c1974c7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,15 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+# Allow microdroid_payload to host binder servers via vsock. Listening
+# for connections from the host is permitted, but connecting out to
+# the host is not. Inbound connections are mediated by
+# virtualiationservice which ensures a process can only connect to a
+# VM that it owns.
+allow microdroid_payload self:vsock_socket {
+ create listen accept read getattr write setattr lock append bind
+ getopt setopt shutdown map
+};
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
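Review bot: The new comment has a typo, `virtualiationservice`, and slightly overstates what this rule enforces: the allow rule merely omits `connect`, while the guarantee that the payload cannot reach out to the host comes from the `neverallow microdroid_payload self:vsock_socket connect;` added at the end of this file, so the comment should point at it. Suggested wording: `# Inbound connections are mediated by virtualizationservice, which ensures a process can only connect to a VM it owns; outbound connect is forbidden by the neverallow at the end of this file.`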
@@ -36,10 +43,8 @@
# Payload can read /proc/meminfo.
allow microdroid_payload proc_meminfo:file r_file_perms;
-# Allow use of authfs.
-binder_use(microdroid_payload);
-allow microdroid_payload authfs_binder_service:service_manager find;
-binder_call(microdroid_payload, authfs_service);
+# Allow payload to communicate with authfs_service
+unix_socket_connect(microdroid_payload, authfs_service, authfs_service)
# Allow locating the authfs mount directory.
allow microdroid_payload authfs_data_file:dir search;
@@ -48,6 +53,12 @@
allow microdroid_payload authfs_fuse:dir rw_dir_perms;
allow microdroid_payload authfs_fuse:file create_file_perms;
-# Allow use of virtual_machine_payload_service.
-allow microdroid_payload vm_payload_binder_service:service_manager find;
-binder_call(microdroid_payload, microdroid_manager)
+# Allow payload to communicate with microdroid manager
+unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
+
+# Payload can read, write into encrypted storage directory
+allow microdroid_payload encryptedstore_file:dir create_dir_perms;
+allow microdroid_payload encryptedstore_file:file create_file_perms;
+
+# Never allow microdroid_payload to connect to vsock
+neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index a02a7f2..d983775 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -39,3 +39,16 @@
domain
-init
} apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;
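Review bot: The comment above the two new neverallows describes only the `property_service set` restriction, but the second rule, `... {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;`, also constrains access to the backing property files and — depending on what `no_rw_file_perms` expands to in this tree — may deny reads by every other domain; this change adds `microdroid_manager.authfs.enabled` under `microdroid_config_prop`, so any domain that needs to read it would be blocked. Either narrow the file rule to `no_w_file_perms` if readers are expected, or extend the comment: `# ... and only they may access the backing property files; no other domain may read these props directly.`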
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index ff15f5d..0d5786c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,7 +1,6 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+# microdroid uses far fewer properties than normal Android, so almost
+# every property is listed as an exact entry.
debug. u:object_r:debug_prop:s0 prefix
persist.debug. u:object_r:debug_prop:s0 prefix
@@ -55,7 +54,6 @@
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
-ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
@@ -74,7 +72,6 @@
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
@@ -87,7 +84,6 @@
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
@@ -122,6 +118,12 @@
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
+microdroid_manager.extra_apk.mounted. u:object_r:microdroid_manager_zipfuse_prop:s0 prefix bool
+
+microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
+
+microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
@@ -152,8 +154,6 @@
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
-servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
-
# ART properties for CompOS
dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
deleted file mode 100644
index 2abd7e3..0000000
--- a/microdroid/system/private/service_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-adb u:object_r:adb_service:s0
-virtual_machine_payload_service u:object_r:vm_payload_binder_service:s0
-apexservice u:object_r:apex_service:s0
-authfs_service u:object_r:authfs_binder_service:s0
-manager u:object_r:service_manager_service:s0
-* u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
deleted file mode 100644
index a9d025c..0000000
--- a/microdroid/system/private/servicemanager.te
+++ /dev/null
@@ -1,33 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-selinux_check_access(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -vendor_init
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-add_service(servicemanager, service_manager_service)
-
-set_prop(servicemanager, ctl_interface_start_prop)
-set_prop(servicemanager, servicemanager_prop)
-
-# servicemanager is using bootstrap bionic
-use_bootstrap_libs(servicemanager)
-
-# servicemanager is using apex_info via libvintf
-use_apex_info(servicemanager)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
- domain_auto_trans(shell, su_exec, su)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
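Review bot: `permissive su;` is now unconditional, so a user-build microdroid image ships a permissive domain and the only protection on a non-debuggable VM is that nothing can transition into su; that gate is not visible here (su_exec and the shell→su transition are removed in this hunk and in public/su.te), so it should be stated next to the rule, e.g. `# su is reachable only on debuggable VMs (the transition into su is gated elsewhere); the domain itself is permissive to permit setenforce.` The public/su.te hunk has the same shape, and its reworded comment "All types must be defined regardless of build variant" is now stale, since what follows it are dontaudit rules rather than type declarations; reword it to say that the whole su policy is unconditional because user builds can still boot debuggable VMs. Presumably the build-side allowance for this is the new Permissive_domains_on_user_builds property; naming that in the comment would let a reviewer find the matching module entry.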
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 6e0472d..0cb6daf 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -36,6 +36,9 @@
# allow zipfuse to log to the kernel
allow zipfuse kmsg_device:chr_file w_file_perms;
+# allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
+allow zipfuse kmsg_debug_device:chr_file w_file_perms;
+
# allow zipfuse to handle extra apks
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;
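Review bot: The new rule grants `w_file_perms` on `kmsg_debug_device`, which includes `open`, while its comment says the descriptor is inherited from microdroid_manager and therefore never opened by zipfuse; the narrower `allow zipfuse kmsg_debug_device:chr_file { write append };` matches the stated intent and keeps zipfuse from opening the device by path. If `open` is kept deliberately for consistency with the kmsg_device line above, say so in the comment.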
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
index f80c1da..d14da93 100644
--- a/microdroid/system/public/apexd.te
+++ b/microdroid/system/public/apexd.te
@@ -1,5 +1,2 @@
type apexd, domain, coredomain;
type apexd_exec, file_type, exec_type, system_file_type;
-
-binder_use(apexd)
-add_service(apexd, apex_service)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 7d351a9..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,14 +120,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 27efdc4..8c6f777 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,6 +1,5 @@
type ashmem_device, dev_type;
type ashmem_libcutils_device, dev_type;
-type binder_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
@@ -11,7 +10,6 @@
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type;
type hw_random_device, dev_type;
-type hwbinder_device, dev_type;
type kmsg_debug_device, dev_type;
type kmsg_device, dev_type;
type kvm_device, dev_type;
@@ -37,6 +35,5 @@
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type;
-type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 47d29aa..fe269d7 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -5,6 +5,7 @@
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
type authfs_data_file, file_type, data_file_type, core_data_file_type;
+type authfs_service_socket, file_type, coredomain_socket;
type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type;
type cgroup_rc_file, file_type;
@@ -43,11 +44,9 @@
type vendor_data_file, file_type, data_file_type;
type vendor_file, file_type, vendor_file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
+type vm_payload_service_socket, file_type, coredomain_socket;
# file system types
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
type binfmt_miscfs, fs_type;
type cgroup, fs_type;
type cgroup_v2, fs_type;
@@ -90,7 +89,6 @@
type proc_drop_caches, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 9ec022b..a2c3b77 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -25,7 +25,6 @@
type ctl_stop_prop, property_type;
type ctl_tombstone_transmit_prop, property_type;
type ctl_zipfuse_prop, property_type;
-type servicemanager_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
type dev_mnt_prop, property_type;
@@ -41,6 +40,8 @@
type log_tag_prop, property_type;
type microdroid_manager_roothash_prop, property_type;
type microdroid_manager_zipfuse_prop, property_type;
+type microdroid_config_prop, property_type;
+type microdroid_lifecycle_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
type timezone_prop, property_type;
diff --git a/microdroid/system/public/servicemanager.te b/microdroid/system/public/servicemanager.te
deleted file mode 100644
index 41a1096..0000000
--- a/microdroid/system/public/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type servicemanager, domain;
-type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
-# Create and use network sockets.
-net_domain(shell)
-
# Root fs.
allow shell rootfs:dir r_dir_perms;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 495d3f4..0807126 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -1,7 +1,6 @@
type statsd, domain;
type statsd_exec, system_file_type, exec_type, file_type;
-binder_use(statsd)
# Allow statsd to scan through /proc/pid for all processes.
r_dir_file(statsd, domain)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index aded9ae..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,45 +2,36 @@
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
type su, domain;
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # Add su to various domains
- net_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
- dontaudit su kernel:security *;
- dontaudit su { kernel file_type }:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:{ process process2 } *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su domain:bpf *;
- dontaudit su unlabeled:vsock_socket *;
- dontaudit su self:perf_event *;
-')
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index dbdafaf..efc1aa3 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,9 +1,3 @@
# Miscellaneous types
-type adb_service, service_manager_type;
-type apex_service, service_manager_type;
-type authfs_binder_service, service_manager_type;
-type default_android_service, service_manager_type;
-type vm_payload_binder_service, service_manager_type;
-type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 8a7947d..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 8d3e556..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
sysfs_zram
}:file r_file_perms;
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
diff --git a/private/app.te b/private/app.te
index 005a078..ae8b206 100644
--- a/private/app.te
+++ b/private/app.te
@@ -52,6 +52,12 @@
get_prop(appdomain, device_config_runtime_native_prop)
get_prop(appdomain, device_config_runtime_native_boot_prop)
+# Allow to read ro.vendor.camera.extensions.enabled
+get_prop(appdomain, camera2_extensions_prop)
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
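Review bot: The comment on the second new rule drops its verb — `# Allow to ro.camerax.extensions.enabled` should read `# Allow to read ro.camerax.extensions.enabled`, matching the line above it. Since `appdomain` includes untrusted apps, a short note that both properties are (presumably, from the ro. prefix) read-only build configuration would help the next reader see why app-wide readability is acceptable.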
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c2e0b10..6231623 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -261,5 +261,7 @@
# due to the specific logging use cases.
# Context: b/193912100
neverallow {
- untrusted_app_all
+ all_untrusted_apps
+ -mediaprovider
+ -mediaprovider_app
} { userdebug_or_eng_prop }:file read;
diff --git a/private/artd.te b/private/artd.te
index cb2b6c2..88094e7 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
# Allow testing userfaultfd support.
userfaultfd_use(artd)
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
@@ -67,6 +76,24 @@
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
+# Read/write access to secondary dex files, their profiles, and their
+# compilation artifacts
+# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
+allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
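Review bot: The symlink comment has a typo — `# Allow symlinks for secondary dex files. This has be to restricted because` should be `# Allow symlinks for secondary dex files. This has to be restricted because`. The rules above it grant `create_dir_perms`, `relabelfrom` and `relabelto` on the whole `app_data_file_type` attribute, which is wider than the secondary-dex paths the comment names; a sentence explaining why the attribute rather than specific per-app types is needed, and that the relabel target is validated through the `selinux_check_context` rule added below, would make the scope auditable. If the relabel is only ever a restorecon back to an app data label, a neverallow pinning artd's `relabelto` to `app_data_file_type` would record that as policy rather than as a comment.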
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c009ec..6bdc259 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,6 +18,8 @@
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
+allow bpfloader proc_bpf:file w_file_perms;
+
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
@@ -26,28 +28,30 @@
### Neverallow rules
###
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+# Note: we don't care about getattr/mounton/search
+neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
-neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
+neverallow { domain -bpfloader } fs_bpf_loader:file read;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file *;
+
neverallow {
domain
-bpfloader
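Review bot: `neverallow { domain -bpfloader } fs_bpf_loader:file read;` is subsumed by the later `neverallow { domain -bpfloader } fs_bpf_loader:file *;` added in the same hunk, so one of them can go; keeping only the `*` form next to the fs_bpf_loader comment is clearer. Also worth confirming that `neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };` is intended to leave `getattr`/`search` as the only dir perms any non-bpfloader domain may have, since `open`, `read` and `setattr` were dropped from the permitted set and init/vendor_init lost their exemption in the same line. The neverallow block that begins at the end of the hunk continues past it.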
@@ -62,13 +66,11 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
-# this should perhaps be moved to the bpfloader binary itself. Allow both.
-neverallow { domain -bpfloader -init } proc_bpf:file write;
+neverallow { domain -bpfloader } proc_bpf:file write;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
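Review bot: The context comment above the new rules still says the controller is looked up via hwservice_manager, while the added `binder_use`/`binder_call` rules (and the `canhalconfigurator(-aidl)?` file_contexts entry later in this change) point to an AIDL service reached through servicemanager; the comment should name both, e.g. `# hwservice_manager (HIDL) or servicemanager (AIDL) and communicate with it.` `binder_call(hal_can_controller, canhalconfigurator)` presumably covers callbacks from the HAL into the configurator; if `hal_client_domain` already grants the server→client direction for this HAL, the line is redundant, so confirm before keeping it.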
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 849be82..2f8887b 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2116,7 +2116,7 @@
(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
(typeattributeset proc_filesystems_33_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_fs_verity_33_0 (proc))
(typeattributeset proc_hostname_33_0 (proc_hostname))
(typeattributeset proc_hung_task_33_0 (proc_hung_task))
(typeattributeset proc_interrupts_33_0 (proc_interrupts))
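Review bot: Re-pointing `proc_fs_verity_33_0` at the generic `proc` type widens what an older vendor policy written against 33.0 is granted: any vendor rule on `proc_fs_verity_33_0` now applies to every file labelled `proc`, not only the former fs-verity sysctl files. If that is the intended mapping (the files now carry the `proc` label and the affected 33.0 rules are few), a short comment on this line saying so would save the next reviewer the question; otherwise a narrower existing proc_* type is the safer target.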
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 5d9a7cb..89afef2 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,23 +5,36 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adaptive_haptics_prop
apex_ready_prop
artd
credential_service
+ device_config_camera_native_prop
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
devicelock_service
+ fwk_camera_service
+ fwk_sensor_service
+ grammatical_inflection_service
+ hal_bluetooth_service
hal_bootctl_service
+ hal_cas_service
hal_remoteaccess_service
+ hal_secure_element_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
hal_tv_hdmi_service
hal_tv_hdmi_cec_service
+ hal_wifi_service
healthconnect_service
+ hypervisor_restricted_prop
keystore_config_prop
+ ntfs
permissive_mte_prop
prng_seeder
+ remote_provisioning_service
+ rkpdapp
servicemanager_prop
system_net_netd_service
timezone_metadata_prop
@@ -32,4 +45,6 @@
hal_gatekeeper_service
hal_broadcastradio_service
hal_confirmationui_service
+ hal_fastboot_service
+ hal_can_controller_service
))
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
@@ -110,6 +111,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
diff --git a/private/crosvm.te b/private/crosvm.te
index 5971b91..d4d29b0 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,9 +10,6 @@
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
-# Let crosvm mlock VM memory and page tables.
-allow crosvm self:capability ipc_lock;
-
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
@@ -45,6 +42,12 @@
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+ allow crosvm shell_data_file:dir search;
+ allow crosvm shell_data_file:file open;
+')
+
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
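Review bot: The new userdebug_or_eng block grants `shell_data_file:dir search` and `shell_data_file:file open` but no `read` on the file; unless crosvm already has read on `shell_data_file` outside this hunk (plausible, given that the domain.te comment in this change says shell files are passed around by descriptor), opening by path will still fail at the read. The block is correctly limited to debuggable builds and the matching `userdebug_or_eng(`-crosvm')` exemptions exist in domain.te; a pointer to that exemption in this comment would tie the two together.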
diff --git a/private/domain.te b/private/domain.te
index 632b9f6..2b2619b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,7 +2,9 @@
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+# We exempt crosvm because parts of its memory are inaccessible to the
+# kernel. TODO(b/238324526): Remove this.
+domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
@@ -101,6 +103,48 @@
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
+# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
+get_prop(domain, gwp_asan_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, locale_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
+get_prop(domain, timezone_prop)
+get_prop({domain -untrusted_app_all -isolated_app -ephemeral_app }, userdebug_or_eng_prop)
+get_prop(domain, vendor_socket_hook_prop)
+get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
+
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
@@ -181,6 +225,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
@@ -191,6 +236,7 @@
-adbd
-appdomain
-app_zygote
+ -artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
@@ -206,6 +252,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
@@ -214,6 +261,7 @@
domain
-appdomain
-app_zygote
+ -artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -221,11 +269,13 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
+ -artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
@@ -602,14 +652,18 @@
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
neverallow {
domain
-adbd
-appdomain
+ -artd
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
@@ -617,10 +671,56 @@
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+ domain
+ -adbd
+ -artd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
# respect system_app sandboxes
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
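Review bot: Both new `shell_data_file:dir open` and `shell_data_file:dir search` neverallows exempt `-system_server # why?`; an exemption carrying an unanswered question is a hole nobody will later be able to justify or remove, so either replace it with the actual reason in the style of the surrounding lines (`-system_server # <reason>`) or drop the exemption and let the build point at the rule that needs it. The `no_w_dir_perms` block above them exempts `-shell` and `-vold`, while the `open`/`search` blocks exempt `-appdomain` and `-simpleperf_app_runner` instead; a line explaining the asymmetry would help. The neverallow at the top of the hunk and the system_app one at the bottom begin and end outside it.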
diff --git a/private/fastbootd.te b/private/fastbootd.te
index c33e044..d93ee42 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -45,6 +45,9 @@
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
+ # Let this domain use the hal fastboot service
+ binder_use(fastbootd)
+ hal_client_domain(fastbootd, hal_fastboot)
')
# io_uring_setup needs ipc_lock and permission to operate anon inodes
diff --git a/private/file.te b/private/file.te
index 60e2274..134b377 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 951c9b5..632e069 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,13 +223,14 @@
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
+/system/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
@@ -443,13 +444,14 @@
/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_service_contexts u:object_r:vendor_service_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product files
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index a26726d..0cc450d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -28,6 +28,7 @@
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
+set_prop(flags_health_check, device_config_camera_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index e069233..2e5089c 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -11,9 +11,6 @@
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6578470..6fa98ea 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
@@ -385,6 +384,7 @@
genfscon vfat / u:object_r:vfat:s0
genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
@@ -394,7 +394,9 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
diff --git a/private/init.te b/private/init.te
index f03a138..72dedd2 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, rootfs, hal_bootctl_server)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, hal_fastboot_server)
domain_trans(init, rootfs, hal_health_server)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
@@ -94,9 +95,6 @@
# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;
-# Only init can write ro.boot.hypervisor properties
-neverallow { domain -init } hypervisor_prop:property_service set;
-
# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;
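Review bot: With the `hypervisor_prop:property_service set` neverallow dropped here, nothing visible in this diff states which domains may set hypervisor properties, and the property_contexts hunk that adds `hypervisor.memory_reclaim.supported` under a new `hypervisor_restricted_prop` type carries no setter restriction either. The comment on that new entry says the value is configured by the vendor, so presumably vendor_init must now set it, which is why the init-only rule had to go; a replacement such as `neverallow { domain -init -vendor_init } hypervisor_restricted_prop:property_service set;` would keep the guarantee the removed line gave, since virtualizationservice trusts this value when deciding VM memory behaviour. The declaration of `hypervisor_restricted_prop` and any rules in property.te are outside this diff, so this may already be covered there; if so, a one-line comment next to the removal pointing at where the restriction now lives would save the next reader the search.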
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 0aed4d3..67bd113 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -6,16 +6,19 @@
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
-system_server
-adbd
diff --git a/private/network_stack.te b/private/network_stack.te
index 3cdf884..dfee019 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -75,44 +75,27 @@
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.
-#
-# Unfortunately init/vendor_init have all sorts of extra privs
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
-
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
# netd's access should be readonly
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
neverallow netd fs_bpf_netd_readonly:file write;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
-
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
# netutils_wrapper requires access to be able to run iptables and only needs readonly access
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
-
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index 4dcd1fb..8c965fc 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -190,6 +190,11 @@
# Required for Phonesky to be able to read staged files under /data/app-staging.
allow priv_app staging_data_file:dir r_dir_perms;
+# Allow com.android.vending to access files under vendor/apex as well as system apex files.
+# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
+allow priv_app vendor_apex_file:dir r_dir_perms;
+allow priv_app vendor_apex_file:file r_file_perms;
+
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
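Review bot: The comment introducing the new rules names com.android.vending, but `allow priv_app vendor_apex_file:dir r_dir_perms;` and the matching file rule grant read access to every domain labelled priv_app, i.e. all privileged apps on the device, so the comment understates the scope. Either reword it to match the grant, e.g. `# Allow priv_app (needed by com.android.vending to handle APEXes, e.g. for delta patch optimization) to read files under vendor/apex and the system apex files.`, or, if only the store app needs this, give it a dedicated domain via seapp_contexts so vendor APEX contents are not readable by unrelated privileged apps. The choice depends on what else in priv_app already reads apex_info or vendor partitions, which is not visible here.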
diff --git a/private/property_contexts b/private/property_contexts
index d1a4ecf..32746cd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -247,6 +247,7 @@
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
@@ -321,6 +322,8 @@
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -377,6 +380,7 @@
camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+camera.enable_landscape_to_portrait u:object_r:camera_config_prop:s0 exact bool
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
@@ -465,7 +469,6 @@
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -504,6 +507,7 @@
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.core.gap.le.conn.only_init_1m_phy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -564,6 +568,8 @@
bluetooth.core.le.inquiry_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.inquiry_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -637,6 +643,11 @@
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+
+# hypervisor.*: configured by the vendor to advertise capabilities of their
+# hypervisor to virtualizationservice.
+hypervisor.memory_reclaim.supported u:object_r:hypervisor_restricted_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
@@ -1436,19 +1447,34 @@
# properties for the virtual Fingerprint HAL
persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
# properties for tuner
ro.tuner.lazyhal u:object_r:tuner_config_prop:s0 exact bool
tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
+
+# Adaptive haptics settings property
+vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
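Review bot: `vibrator.adaptive_haptics.enabled` is declared `exact string` although its name reads as an on/off switch and the system_app.te hunk in this diff pins it to a single writer with a neverallow. If the property only ever holds true/false, `exact bool` lets property_service reject malformed values at the boundary instead of leaving each reader to parse the string; if it intentionally carries other values (a mode name, a level), a short comment saying so next to the entry would stop a later reader from "fixing" the type. The consumer side is not part of this diff, so this is a question rather than a defect.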
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
new file mode 100644
index 0000000..21f9b0c
--- /dev/null
+++ b/private/rkpd_app.te
@@ -0,0 +1,25 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+net_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
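Review bot: `hal_client_domain(rkpdapp, hal_keymint)` makes an app domain a direct client of the KeyMint HAL, which app domains otherwise reach only through keystore, and the comment above it says RKPD needs the HALs without saying why the existing keystore path is not used. If the reason is that the app drives the HAL's remotely provisioned component interfaces itself, state that in the comment, e.g. `# RKPD drives the remote provisioning interfaces of the keymint HAL directly; keystore does not proxy them for it.`, so a future reviewer does not treat the grant as an accidental widening. Note also that the seapp_contexts hunk places both `com.android.rkpdapp` and `com.google.android.rkpdapp` in this domain by package name with `isPrivApp=true` and no `seinfo=`, so privileged installation is the only trust anchor for landing in a domain with HAL access; if the signing identity is stable, a `seinfo=` constraint would tighten that.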
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 12310d2..a0e77a2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -213,6 +213,10 @@
allow sdk_sandbox system_linker_exec:file execute_no_trans;
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
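Review bot: The new rules grant sdk_sandbox read access to shell_data_file on every build, while the comment justifies them only with CTS test data. The domain.te hunk at the start of this chunk stresses that domains reading those directories must not trust their contents, and sdk_sandbox hosts third-party SDK code, so the comment should make the trust boundary explicit, e.g. `# Required to read CTS test data from the shell_data_file location; anything read from there is untrusted input.` If CTS runs on user builds the rule cannot be gated with userdebug_or_eng, which is presumably why it is unconditional, but saying so in the comment would pre-empt the question.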
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b26d977..d3f065b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -164,6 +164,8 @@
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 7dc700a..04615c0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,10 +1,22 @@
+android.frameworks.cameraservice.service.ICameraService/default u:object_r:fwk_camera_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/a2dp u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/bluetooth u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/hearing_aid u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/msd u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/r_submix u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/stub u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/usb u:object_r:hal_audio_service:s0
android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default u:object_r:hal_can_controller_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
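Review bot: `android.hardware.automotive.can.ICanController/default` is inserted between `android.hardware.boot.IBootControl` and the second `automotive.evs` entry, breaking the file's roughly alphabetical ordering of AIDL service names; the same happens in the later hunk where the six `android.hardware.secure_element.ISecureElement/*` lines land after `android.se.omapi`. Keeping the list sorted (the can entry next to the other `android.hardware.automotive.*` lines, the secure_element block before `android.se.omapi`) makes prefix lookups and duplicate spotting easier during review. This is purely a style point; the labels themselves look consistent with their neighbours.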
@@ -12,17 +24,20 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.cas.IMediaCasService/default u:object_r:hal_cas_service:s0
android.hardware.confirmationui.IConfirmationUI/default u:object_r:hal_confirmationui_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
+android.hardware.fastboot.IFastboot/default u:object_r:hal_fastboot_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
@@ -58,6 +73,9 @@
android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
@@ -81,9 +99,16 @@
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.IWifi/default u:object_r:hal_wifi_service:s0
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE1 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE2 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE3 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
@@ -204,6 +229,7 @@
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
gnss_time_update_service u:object_r:gnss_time_update_service:s0
+grammatical_inflection u:object_r:grammatical_inflection_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -309,6 +335,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+remote_provisioning u:object_r:remote_provisioning_service:s0
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
diff --git a/private/shell.te b/private/shell.te
index c20e612..02105a9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -121,6 +121,9 @@
allow shell profcollectd:binder call;
')
+# Allow shell to run remount command.
+allow shell remount_exec:file rx_file_perms;
+
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
allow shell self:perf_event { open read write kernel };
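Review bot: `allow shell remount_exec:file rx_file_perms;` is placed right after a `')` that closes a conditional block opened outside this hunk, so unlike the profcollectd rule above it the grant is unconditional and applies on user builds. The remount binary enforces its own preconditions, so this is likely intended, but the comment should say so to prevent a later reader from assuming it is still inside the debug-only block, e.g. `# Allow shell to run the remount command on all builds; remount itself checks that the device is unlocked.` — only if that second clause is accurate, since remount's behaviour is not shown here.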
@@ -181,6 +184,9 @@
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
+# Allow shell to execute the remote key provisioning factory tool
+binder_call(shell, hal_keymint)
+
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
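Review bot: The comment `# Allow shell to execute the remote key provisioning factory tool` describes an exec grant, but the rule beneath it is `binder_call(shell, hal_keymint)`, which lets any process in the shell domain call the KeyMint HAL over binder on all builds. Suggest `# Allow the remote key provisioning factory tool, run from shell, to call hal_keymint over binder` so the actual grant is documented. If the tool is only used outside user builds, wrapping the rule in `userdebug_or_eng(`...')` would narrow it, but whether that fits the factory flow is not visible in this diff.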
diff --git a/private/stats.te b/private/stats.te
index db29072..c784145 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
-mediametrics
-platform_app
-priv_app
+ -rkpdapp
-shell
-stats
-statsd
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index dbb5507..26c781b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -132,6 +132,9 @@
# Allow to use files supplied by hal_evs
allow surfaceflinger hal_evs:fd use;
+# Allow to use release fence fds supplied by hal_camera
+allow surfaceflinger hal_camera:fd use;
+
# Allow pushing jank event atoms to statsd
userdebug_or_eng(`
unix_socket_send(surfaceflinger, statsdw, statsd)
diff --git a/private/system_app.te b/private/system_app.te
index 61d3b5d..3b92c0f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, adaptive_haptics_prop)
set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
@@ -192,3 +193,6 @@
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };
+
+# system_app should be the only domain writing the adaptive haptics prop
+neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index aedebaf..54ad242 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
@@ -693,6 +694,7 @@
# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
+set_prop(system_server, bluetooth_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
@@ -742,6 +744,7 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
@@ -1216,8 +1219,8 @@
# Font files are written by system server
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+# Allow system process to setup and measure fs-verity for font files
+allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0b4b919..8c7fe7a 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -153,9 +153,12 @@
# These have been disallowed since Android O.
# For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
+dontaudit untrusted_app_all {
+ proc_stat
+ proc_uptime
+ proc_vmstat
+ proc_zoneinfo
+}:file read;
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
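Review bot: The comment above this dontaudit still describes the set as proc files "disallowed since Android O" that apps are assumed to tolerate since P, but proc_zoneinfo is added to the set on L2850 with nothing saying whether it shares that history. If it was closed off in a later release, extend the comment so the rationale stays accurate, e.g. `# proc_zoneinfo was added later; apps are expected to handle the denial the same way.` As written, a reader will assume the O/P dates apply to all four types.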
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3e057fe..883ff56 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,6 +22,9 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+allow virtualizationservice self:capability sys_resource;
+
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
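Review bot: The `self:capability sys_resource` grant on L2862 does not reach the children the comment names: L2860 transitions exec'd crosvm into the crosvm domain, and a `self:capability` rule is checked against the calling process's own domain, so crosvm's mlock calls are governed by the crosvm domain's rules, not this one. If the intent is for virtualizationservice itself to raise RLIMIT_MEMLOCK for the child before exec (which needs CAP_SYS_RESOURCE in the parent), the comment should say that, since CAP_SYS_RESOURCE also covers overriding other rlimits and quotas and the narrower reason is what an auditor wants recorded. Suggested comment: `# CAP_SYS_RESOURCE so virtualizationservice can raise RLIMIT_MEMLOCK for crosvm before exec; crosvm's own mlock needs rules in the crosvm domain.`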
@@ -68,8 +71,9 @@
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
-# Allow virtualizationservice to inspect hypervisor capabilities.
+# Allow virtualizationservice to inspect all hypervisor capabilities.
get_prop(virtualizationservice, hypervisor_prop)
+get_prop(virtualizationservice, hypervisor_restricted_prop)
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
@@ -81,6 +85,9 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationservice, crosvm);
+
neverallow {
domain
-init
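Review bot: `r_dir_file(virtualizationservice, crosvm)` on L2879 grants read on every file carrying the crosvm process type, not only the stat/status entries needed for CPU and memory accounting; under /proc/<pid>/ that includes maps, environ and other PTRACE_MODE_READ-gated entries, whose access check is satisfied by exactly this file:read permission. There is no finer proc label to narrow this, so if the wider read is accepted the comment should state what is actually consumed and acknowledge the scope, e.g. `# Read /proc/[crosvm pid]/{stat,status,...} for VM CPU/memory usage; note this also permits maps/environ of crosvm.` The neverallow beginning on L2881 continues past this hunk.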
diff --git a/public/app.te b/public/app.te
index de3d0ca..9ce0255 100644
--- a/public/app.te
+++ b/public/app.te
@@ -233,9 +233,3 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
-
-# Allow to read ro.vendor.camera.extensions.enabled
-get_prop(appdomain, camera2_extensions_prop)
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/attributes b/public/attributes
index 121adc0..0478874 100644
--- a/public/attributes
+++ b/public/attributes
@@ -338,6 +338,7 @@
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
+hal_attribute(fastboot);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
@@ -398,6 +399,7 @@
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d41339a..c88e3f0 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -19,6 +19,7 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
add_hwservice(cameraserver, fwk_camera_hwservice)
allow cameraserver activity_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index dc467a6..79e62d0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,48 +101,6 @@
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, apexd_select_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bluetooth_config_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, framework_status_prop)
-get_prop(domain, gwp_asan_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, locale_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop(domain, timezone_prop)
-get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
@@ -593,6 +551,7 @@
-hal_camera_server
-hal_cas_server
-hal_drm_server
+ -hal_keymint_server
userdebug_or_eng(`-incidentd')
-init
-mediadrmserver
@@ -623,6 +582,7 @@
-e2fs
-fsck
-fastbootd
+ -hal_fastboot_server
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
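Review bot: Adding `-hal_fastboot_server` to the exemption list on L2992 removes the compile-time guard on metadata_block_device writes for a vendor-implemented attribute rather than a single core domain, so any vendor domain that takes hal_fastboot_server via hal_server_domain can later be granted raw write on the metadata partition without tripping this rule. The exemption itself grants nothing, but the intent should be recorded next to it so the widening is auditable, e.g. `# hal_fastboot_server: vendor fastboot HAL performs the partition ops fastbootd delegates; the allow rule lives vendor-side.` The neverallow's subject list starts before this hunk.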
@@ -1141,6 +1101,7 @@
neverallow {
domain
-appdomain
+ -artd
-installd
} { app_data_file privapp_data_file }:lnk_file read;
@@ -1151,32 +1112,6 @@
-installd
} shell_data_file:lnk_file read;
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -init
- -installd
- -simpleperf_app_runner
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c73c2e7..6b112dc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -75,6 +75,7 @@
vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ evsmanagerd
hal_audio_server
hal_audiocontrol_server
hal_bluetooth_server
@@ -149,6 +150,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
@@ -243,9 +245,9 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
@@ -364,7 +366,7 @@
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
-allow dumpstate apex_info_file:file getattr;
+use_apex_info(dumpstate)
###
### neverallow rules
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 68cb9e0..8452b97 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -13,6 +13,7 @@
# fastbootd can use AIDL HALs in binder mode
binder_use(fastbootd)
hal_client_domain(fastbootd, hal_health)
+ hal_client_domain(fastbootd, hal_fastboot)
# Access /dev/usb-ffs/fastbootd/ep0
allow fastbootd functionfs:dir search;
diff --git a/public/file.te b/public/file.te
index eb55210..8d33a9d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -157,6 +157,7 @@
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 97177ba..53bbef2 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,8 +1,10 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
+binder_call(hal_bluetooth_server, servicemanager)
hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_service(hal_bluetooth, hal_bluetooth_service)
wakelock_use(hal_bluetooth);
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..d48c43f 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,7 @@
binder_call(hal_can_bus_client, hal_can_bus_server)
binder_call(hal_can_bus_server, hal_can_bus_client)
hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_use(hal_can_controller)
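Review bot: No `binder_call` between hal_can_controller_client and hal_can_controller_server accompanies the new AIDL service on L3115; hal_attribute_service only grants service_manager find/add, and the binder_call pair on L3110-L3111 covers the HIDL hal_can_bus attributes, not the controller ones, so a client call would be denied unless it is granted in a file outside this diff. The other AIDL additions in this change grant it explicitly (public/hal_fastboot.te), so add `binder_call(hal_can_controller_client, hal_can_controller_server)` and, if the interface has callbacks, the reverse. Separately, `binder_use(hal_can_controller)` on L3116 applies to the client attribute as well as the server; `binder_use(hal_can_controller_server)` matches public/hal_secure_element.te in this change and is the narrower grant.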
diff --git a/public/hal_cas.te b/public/hal_cas.te
index e699a6b..056b4c9 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -5,6 +5,11 @@
hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+hal_attribute_service(hal_cas, hal_cas_service)
+
+binder_call(hal_cas_server, servicemanager)
+binder_call(hal_cas_client, servicemanager)
+
# Permit reading device's serial number from system properties
get_prop(hal_cas_server, serialno_prop)
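Review bot: `binder_call(hal_cas_client, servicemanager)` on L3127 is the only client-side servicemanager call added by any of the AIDL conversions in this change (hal_fastboot, hal_wifi, hal_bluetooth only grant the server), and it is redundant for any client that already has binder_use, which includes servicemanager call/transfer. If a specific client domain lacks binder_use and needs this, name it in a comment, e.g. `# <client> has no binder_use; allow it to reach servicemanager to find the CAS service`; otherwise drop the line.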
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 886286e..7d4d150 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,11 +49,11 @@
# Should never need sdcard access
neverallow hal_configstore_server {
sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
+ fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
+ fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
diff --git a/public/hal_fastboot.te b/public/hal_fastboot.te
new file mode 100644
index 0000000..7aecac1
--- /dev/null
+++ b/public/hal_fastboot.te
@@ -0,0 +1,7 @@
+# allow binder connection from client to server
+binder_call(hal_fastboot_client, hal_fastboot_server)
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_fastboot, hal_fastboot_service)
+# allow binder communication from server to service_manager
+binder_call(hal_fastboot_server, servicemanager)
+
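Review bot: The new server attribute gets `binder_call(hal_fastboot_server, servicemanager)` on L3159 but no `binder_use(hal_fastboot_server)`, whereas public/hal_secure_element.te in this same change grants binder_use on its server, and hal_server_domain in vendor/hal_fastboot_default.te does not visibly add it either. If binder device access is expected to come from the concrete vendor domain or a rule outside this diff, say so here; otherwise add `binder_use(hal_fastboot_server)`. There is also no server-to-client binder_call, so fastbootd cannot receive callbacks over this interface; if the interface has none, a comment stating that avoids the question later.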
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 9c65e22..ba29956 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -4,5 +4,5 @@
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
-allow hal_keymint tee_device:chr_file rw_file_perms;
-allow hal_keymint ion_device:chr_file r_file_perms;
+allow hal_keymint_server tee_device:chr_file rw_file_perms;
+allow hal_keymint_server ion_device:chr_file r_file_perms;
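Review bot: L3170-L3171 narrow the tee_device and ion_device grants from the hal_keymint attribute (clients and server) to hal_keymint_server, which is a sound tightening, but nothing says why, and any client domain that relied on the attribute for TEE access is now denied. A one-line comment records the intent: `# Only the KeyMint HAL process talks to the TEE; clients reach it over binder.` The `-hal_keymint_server` exemption added to a neverallow in public/domain.te in this same change refers to a rule whose object is outside that hunk, so its relation to these lines cannot be confirmed from here.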
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index 3724d35..8d3e15c 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -3,3 +3,8 @@
binder_call(hal_secure_element_server, hal_secure_element_client)
hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
+hal_attribute_service(hal_secure_element, hal_secure_element_service)
+
+binder_use(hal_secure_element_server)
+
+allow hal_secure_element_client hal_secure_element_service:service_manager find;
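Review bot: The explicit `allow hal_secure_element_client hal_secure_element_service:service_manager find;` on L3183 appears to duplicate what `hal_attribute_service` on L3179 already grants to the client attribute, assuming the macro's usual client-find / server-add+find expansion; the other AIDL additions in this change (hal_wifi, hal_bluetooth, hal_cas) rely on the macro alone. Drop the line, or keep it with a comment stating why the explicit rule is required.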
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 2e4fa78..e4f1d21 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,6 +3,9 @@
binder_call(hal_wifi_server, hal_wifi_client)
hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+hal_attribute_service(hal_wifi, hal_wifi_service)
+
+binder_call(hal_wifi_server, servicemanager)
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/init.te b/public/init.te
index d99172f..a399b3a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,6 +199,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-exec_type
-misc_logd_file
-nativetest_data_file
@@ -212,6 +213,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-credstore_data_file
-exec_type
-keystore_data_file
@@ -233,6 +235,7 @@
file_type
-apex_info_file
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -259,6 +262,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -278,6 +282,7 @@
file_type
-apex_mnt_dir
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -297,6 +302,7 @@
allow init {
file_type
+ -bpffs_type
-system_dlkm_file_type
-system_file_type
-vendor_file_type
@@ -321,6 +327,7 @@
# chown/chmod on pseudo files.
allow init {
fs_type
+ -bpffs_type
-contextmount_type
-keychord_device
-proc_type
@@ -330,7 +337,14 @@
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
+allow init {
+ fs_type
+ -bpffs_type
+ -contextmount_type
+ -sdcard_type
+ -fusefs_type
+ -rootfs
+}:dir { open read setattr search };
allow init {
binder_device
@@ -365,7 +379,8 @@
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
- allow init overlayfs_file:file { append };
+ allow init overlayfs_file:file { append rename };
+ allow init overlayfs_file:chr_file unlink;
allow init system_block_device:blk_file { write };
')
@@ -383,7 +398,6 @@
allow init {
proc_abi
- proc_bpf
proc_cpu_alignment
proc_dirty
proc_hostname
diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
@@ -17,6 +18,7 @@
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 621b6d7..65cd4a1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -77,6 +77,7 @@
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
+allow mediaserver package_native_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
diff --git a/public/property.te b/public/property.te
index a9e61b5..c0a3a6e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(adaptive_haptics_prop)
system_restricted_prop(apex_ready_prop)
system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
@@ -64,6 +65,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -74,7 +76,6 @@
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(userdebug_or_eng_prop)
-system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
@@ -150,6 +151,8 @@
system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
system_vendor_config_prop(hw_timeout_multiplier_prop)
+system_vendor_config_prop(hypervisor_prop)
+system_vendor_config_prop(hypervisor_restricted_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(keyguard_config_prop)
system_vendor_config_prop(keystore_config_prop)
diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
new file mode 100644
index 0000000..2aaf3b8
--- /dev/null
+++ b/public/rkpd_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+
+type rkpdapp, domain;
diff --git a/public/service.te b/public/service.te
index 705da33..b4745bb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -7,6 +7,7 @@
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
+type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
@@ -131,9 +132,11 @@
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type fwk_sensor_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
+type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -193,6 +196,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
@@ -270,9 +274,12 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
+type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_dice_service, protected_service, hal_service_type, service_manager_type;
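Review bot: hal_cas_service on L3417 is the only HAL service type added by this change without `protected_service`; hal_bluetooth_service, hal_can_controller_service, hal_fastboot_service, hal_secure_element_service and hal_wifi_service all carry it, so whatever restrictions key off that attribute will not apply to the CAS service. If apps must find it directly, as the existing unprotected hal_graphics_allocator_service suggests is sometimes intended, say so on the line (`# unprotected: found directly by app clients`); otherwise add `protected_service`.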
@@ -280,6 +287,7 @@
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;
type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fastboot_service, protected_service, hal_service_type, service_manager_type;
type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_allocator_service, hal_service_type, service_manager_type;
@@ -303,6 +311,7 @@
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
@@ -317,6 +326,7 @@
type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 496061c..6c67cea 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@
-apex_service
-dnsresolver_service
-gatekeeper_service
+ -hal_keymint_service
+ -hal_secureclock_service
+ -hal_sharedsecret_service
-incident_service
-installd_service
-mdns_service
@@ -196,6 +199,14 @@
### Neverallow rules
###
+# Do not allow shell to talk directly to security HAL services other than
+# hal_remotelyprovisionedcomponent_service
+neverallow shell {
+ hal_keymint_service
+ hal_secureclock_service
+ hal_sharedsecret_service
+}:service_manager find;
+
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
diff --git a/public/te_macros b/public/te_macros
index 8a8b473..ab42534 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -194,7 +194,7 @@
# to crosvm
allow { virtualizationservice crosvm } $1:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file write;
+allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
# Allow client to read/write vsock created by virtualizationservice to
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 61fa686..683ab61 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -48,6 +48,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-system_dlkm_file_type
@@ -67,6 +68,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -86,6 +88,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -103,6 +106,7 @@
allow vendor_init {
file_type
-apex_mnt_dir
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -119,6 +123,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-mnt_product_file
@@ -142,6 +147,7 @@
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
+ -bpffs_type
-contextmount_type
-keychord_device
-sdcard_type
@@ -157,6 +163,7 @@
allow vendor_init {
fs_type
+ -bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
@@ -164,7 +171,7 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
+}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ab47b83..2c9a74a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,10 +10,11 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
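Review bot: The new `remoteaccess@V1-(.*)-service` pattern on L3561 uses `(.*)`, which in file_contexts matches any characters including `/` and the empty string, so a binary under a subdirectory or named `remoteaccess@V1--service` would also be labelled hal_remoteaccess_default_exec. If the intent is sibling variants such as default/emulator, a bounded class keeps the match to one path component: `android\.hardware\.automotive\.remoteaccess@V1-[^/]+-service`. Since this label drives the init_daemon_domain transition, the broader the regex the broader the set of binaries that run as hal_remoteaccess_default.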
@@ -40,6 +41,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas-service\.example u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas-service\.example-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
@@ -49,6 +52,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
@@ -88,6 +92,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
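Review bot: L3586 writes `secure_element-service.example` with an unescaped `.`, so that position matches any character; the neighbouring entries added in this change escape it (`cas-service\.example`, `dumpstate-service\.example`). Use `android\.hardware\.secure_element-service\.example` for an exact match and consistency with the rest of the file.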
@@ -110,6 +115,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index b0912d4..f0098a8 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -6,6 +6,8 @@
allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+get_prop(hal_camera_default, device_config_camera_native_prop);
+
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
allow hal_camera_default dumpstate:fifo_file write;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..12bb028 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -9,10 +9,12 @@
allow hal_can_socketcan self:capability net_admin;
allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
-# Calling if_nametoindex(3) to open CAN sockets
+# See man page for netdevice(7) for more info on ioctls
allow hal_can_socketcan self:udp_socket { create ioctl };
allowxperm hal_can_socketcan self:udp_socket ioctl {
SIOCGIFINDEX
+ SIOCGIFFLAGS
+ SIOCSIFFLAGS
};
# Communicating with SocketCAN interfaces and bringing them up/down
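Review bot: The replacement comment on L3618 drops the reason these ioctls are needed and points at the man page instead, while the hunk adds SIOCSIFFLAGS, a write operation (interface up/down) that is a different class of access from the SIOCGIFINDEX lookup the old comment justified. Keep the why next to the allowxperm: `# SIOCGIFINDEX for if_nametoindex(3) when opening CAN sockets; SIOCGIFFLAGS/SIOCSIFFLAGS to bring interfaces up/down (see netdevice(7))`.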
diff --git a/vendor/hal_fastboot_default.te b/vendor/hal_fastboot_default.te
new file mode 100644
index 0000000..4a52642
--- /dev/null
+++ b/vendor/hal_fastboot_default.te
@@ -0,0 +1,6 @@
+type hal_fastboot_default, domain;
+
+hal_server_domain(hal_fastboot_default, hal_fastboot)
+
+type hal_fastboot_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fastboot_default)
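Review bot: hal_fastboot_default_exec is declared on L3636 and drives the init_daemon_domain transition, but no vendor/file_contexts entry labelling a binary with it appears anywhere in this change, so as submitted nothing transitions into hal_fastboot_default. If the label is applied in a file outside this diff, a short comment naming the binary path would help the next reader; otherwise add the file_contexts line alongside the other `android\.hardware\.…-service` entries.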