Merge "Microdroid sepolicy changes to handle crash export"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index efb5947..88cd32b 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -138,7 +138,7 @@
 		"android.frameworks.stats.IStats/default":                                 EXCEPTION_NO_FUZZER,
 		"android.se.omapi.ISecureElementService/default":                          EXCEPTION_NO_FUZZER,
 		"android.system.keystore2.IKeystoreService/default":                       EXCEPTION_NO_FUZZER,
-		"android.system.net.netd.INetd/default":                                   EXCEPTION_NO_FUZZER,
+		"android.system.net.netd.INetd/default":                                   []string{"netd_hw_service_fuzzer"},
 		"android.system.suspend.ISystemSuspend/default":                           EXCEPTION_NO_FUZZER,
 		"accessibility":      EXCEPTION_NO_FUZZER,
 		"account":            EXCEPTION_NO_FUZZER,
@@ -155,7 +155,7 @@
 		"android.os.UpdateEngineStableService":                            EXCEPTION_NO_FUZZER,
 		"android.frameworks.automotive.display.ICarDisplayProxy/default":  EXCEPTION_NO_FUZZER,
 		"android.security.apc":                                            EXCEPTION_NO_FUZZER,
-		"android.security.authorization":                                  EXCEPTION_NO_FUZZER,
+		"android.security.authorization":                                  []string{"authorization_service_fuzzer"},
 		"android.security.compat":                                         EXCEPTION_NO_FUZZER,
 		"android.security.dice.IDiceMaintenance":                          EXCEPTION_NO_FUZZER,
 		"android.security.dice.IDiceNode":                                 EXCEPTION_NO_FUZZER,
@@ -164,8 +164,6 @@
 		"android.security.legacykeystore":                                 EXCEPTION_NO_FUZZER,
 		"android.security.maintenance":                                    EXCEPTION_NO_FUZZER,
 		"android.security.metrics":                                        EXCEPTION_NO_FUZZER,
-		"android.security.remoteprovisioning":                             EXCEPTION_NO_FUZZER,
-		"android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": EXCEPTION_NO_FUZZER,
 		"android.service.gatekeeper.IGateKeeperService":                   EXCEPTION_NO_FUZZER,
 		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
@@ -297,7 +295,7 @@
 		"logd":                         EXCEPTION_NO_FUZZER,
 		"looper_stats":                 EXCEPTION_NO_FUZZER,
 		"lpdump_service":               EXCEPTION_NO_FUZZER,
-		"mdns":                         EXCEPTION_NO_FUZZER,
+		"mdns":                         []string{"mdns_service_fuzzer"},
 		"media.aaudio":                 EXCEPTION_NO_FUZZER,
 		"media.audio_flinger":          EXCEPTION_NO_FUZZER,
 		"media.audio_policy":           EXCEPTION_NO_FUZZER,
@@ -325,7 +323,7 @@
 		"mount":                        EXCEPTION_NO_FUZZER,
 		"music_recognition":            EXCEPTION_NO_FUZZER,
 		"nearby":                       EXCEPTION_NO_FUZZER,
-		"netd":                         EXCEPTION_NO_FUZZER,
+		"netd":                         []string{"netd_native_service_fuzzer"},
 		"netpolicy":                    EXCEPTION_NO_FUZZER,
 		"netstats":                     EXCEPTION_NO_FUZZER,
 		"network_stack":                EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/atrace.te b/microdroid/system/private/atrace.te
new file mode 100644
index 0000000..f8dd24f
--- /dev/null
+++ b/microdroid/system/private/atrace.te
@@ -0,0 +1,11 @@
+# SELinux policy for the atrace daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/atrace.te
+# So far, this file contains a subset of rules defined for the host Android.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
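Review bot: The new `atrace` domain carries none of the entry guards its sibling daemons get in traced.te and traced_probes.te: nothing restricts which domain may exec into it, although the only intended entry in this diff is the `domain_auto_trans(traced_probes, atrace_exec, atrace)` rule in traced_probes.te. Consider `neverallow { domain -traced_probes } atrace:process transition;` and `neverallow * atrace:process dyntransition;` here, unless a shell-driven atrace is planned for Microdroid. The ptrace and blk_file neverallows present in the other three new .te files are also absent; that may be deliberate given the "subset of rules" header, but a one-line comment saying so would stop the next reader from adding them blindly.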
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index b8d44c6..a8fff90 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -539,7 +539,7 @@
   domain
 } ashmem_device:chr_file open;
 
-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
 
 # Linux lockdown "integrity" level is enforced for user builds.
 neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
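Review bot: Adding `-traced_probes` to this exclusion exempts the domain from the whole permission space on `debugfs_tracing_printk_formats:file`, while traced_probes.te in the same diff only grants `r_file_perms` on it. The deny-by-default intent can be kept by leaving this line as written and adding `neverallow traced_probes debugfs_tracing_printk_formats:file ~r_file_perms;` next to that allow in traced_probes.te, so a later widening of the allow is caught at policy build time.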
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 6f037a3..a06a9cf 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -27,3 +27,9 @@
 
 # Filesystem entry for for PRNG seeder socket.
 type prng_seeder_socket, file_type, coredomain_socket;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ffbfdc2..fa81c90 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -71,6 +71,8 @@
 /dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/authfs_service u:object_r:authfs_service_socket:s0
 /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
+/dev/socket/traced_consumer	u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_producer	u:object_r:traced_producer_socket:s0
 /dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
@@ -118,6 +120,10 @@
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
 /system/bin/prng_seeder          u:object_r:prng_seeder_exec:s0
+/system/bin/atrace               u:object_r:atrace_exec:s0
+/system/bin/perfetto             u:object_r:perfetto_exec:s0
+/system/bin/traced               u:object_r:traced_exec:s0
+/system/bin/traced_probes        u:object_r:traced_probes_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/perfetto.te b/microdroid/system/private/perfetto.te
new file mode 100644
index 0000000..4efb323
--- /dev/null
+++ b/microdroid/system/private/perfetto.te
@@ -0,0 +1,78 @@
+# SELinux policy for the perfetto binary running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/perfetto.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, system_file_type, exec_type, file_type;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+###
+### Neverallow rules
+###
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+  domain
+  -init      # The creator of the folder.
+  -perfetto  # The owner of the folder.
+  -adbd      # For pulling traces.
+  -shell     # For devepment purposes.
+  -traced    # For write_into_file traces.
+  -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:dir *;
+
+neverallow {
+  domain
+  -init      # The creator of the folder.
+  -perfetto  # The owner of the folder.
+  -adbd      # For pulling traces.
+  -shell     # For devepment purposes.
+  -traced    # For write_into_file traces.
+  -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+  data_file_type
+  -perfetto_traces_data_file
+  -perfetto_configs_data_file
+  # We need following 3 lines because allow rules for them are defined at the
+  # domain/coredomain level.
+  -system_data_file
+  -system_data_root_file
+  -vendor_data_file
+}:dir *;
+
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+  data_file_type
+  -perfetto_traces_data_file
+  -perfetto_configs_data_file
+}:file ~write;
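Review bot: No rule lets any domain enter `perfetto` via exec: `perfetto_exec` is declared at the top and labelled in file_contexts, but unlike traced.te and traced_probes.te this file has neither an `init_daemon_domain`/`domain_auto_trans` into the domain nor the `neverallow { domain -... } perfetto:process transition;` / `dyntransition` pair, so the allow rules are either unreachable or, once a transition is added elsewhere, unguarded. If adbd/shell is the intended launcher (the `adbd:process sigchld` rule and the neverallow exclusions suggest so), the transition and its matching neverallow guard belong here. The comment on the configs directory states that shell and adb can write into it, but nothing in this diff grants that; confirm or reword. Typos in the hunk: `this is file contains` in the header and `devepment` in both neverallow blocks.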
diff --git a/microdroid/system/private/traced.te b/microdroid/system/private/traced.te
new file mode 100644
index 0000000..1d94c15
--- /dev/null
+++ b/microdroid/system/private/traced.te
@@ -0,0 +1,69 @@
+# SELinux policy for the traced daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/traced.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type traced, domain, coredomain;
+type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
+
+# Allow init to exec traced daemon
+init_daemon_domain(traced)
+
+# Required for perfetto_produced macro
+tmpfs_domain(traced)
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced traced_probes_tmpfs:file { getattr map read write };
+
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+  data_file_type
+  -perfetto_traces_data_file
+  # We need following 3 lines because allow rules for them are defined at the
+  # domain/coredomain level.
+  -system_data_file
+  -system_data_root_file
+  -vendor_data_file
+}:dir *;
+
+neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+  data_file_type
+  -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
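Review bot: The comment `# Required for perfetto_produced macro` above `tmpfs_domain(traced)` is misleading: it misspells the macro name and traced never applies `perfetto_producer()` in this file; the tmpfs domain presumably serves the `traced_tmpfs` type declared above (the shared-memory buffers traced hands to producers) — confirm and reword, e.g. `# traced is not a producer itself, but needs its own tmpfs type for the shared-memory buffers it serves`. traced_probes.te in the same diff carries a `neverallow traced_probes_exec data_file_type:file *;` guard with no counterpart here; either mirror it with the domain as subject or drop it there so the two daemons are guarded the same way. The header repeats the `this is file contains` typo from perfetto.te.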
diff --git a/microdroid/system/private/traced_probes.te b/microdroid/system/private/traced_probes.te
new file mode 100644
index 0000000..cfc81b5
--- /dev/null
+++ b/microdroid/system/private/traced_probes.te
@@ -0,0 +1,62 @@
+type traced_probes, domain, coredomain;
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec traced_probes daemon
+init_daemon_domain(traced_probes)
+
+# The traced daemon uses shared memory supplied producers. And hence
+# traced_probes daemon is a producer we need to have tmpfs_domain for it.
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace)
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+# TODO(b/271562015): move this to domain level neverallow rule.
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+  data_file_type
+  -system_data_file
+  -system_data_root_file
+  -vendor_data_file
+}:dir *;
+
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+
+neverallow traced_probes_exec data_file_type:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
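Review bot: `neverallow traced_probes_exec data_file_type:file *;` uses the executable's file type as the subject; since no process runs in the `traced_probes_exec` context, the rule appears to constrain nothing. If the intent is to keep the daemon away from /data files beyond the dir rule above it, the subject should be the domain, `neverallow traced_probes data_file_type:file *;`, narrowed with the same exclusions the dir rule uses if any domain/coredomain-level allows require it; if this was copied from the host policy the same question applies there. This is also the only one of the four new .te files without the header comment pointing at its host-policy counterpart, and `The traced daemon uses shared memory supplied producers` reads as `supplied by producers`.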
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 9387714..d9a6e44 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -41,6 +41,8 @@
 type vendor_file, file_type, vendor_file_type;
 type vendor_service_contexts_file, vendor_file_type, file_type;
 type vm_payload_service_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket;
 
 # file system types
 type binfmt_miscfs, fs_type;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index 767bfe3..7294656 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    adaptive_haptics_prop
     adservices_manager_service
     apexd_select_prop
     artd_service
@@ -59,7 +60,6 @@
     mdns_service
     nearby_service
     persist_wm_debug_prop
-    prng_seeder
     proc_watermark_boost_factor
     proc_watermark_scale_factor
     prng_seeder
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index db71be4..3841fd5 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -366,6 +366,7 @@
 camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
 camera.disable_zsl_mode       u:object_r:camera_config_prop:s0 exact bool
 camera.fifo.disable           u:object_r:camera_config_prop:s0 exact bool
+camera.enable_landscape_to_portrait u:object_r:camera_config_prop:s0 exact bool
 ro.camera.notify_nfc          u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableLazyHal       u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
@@ -1346,3 +1347,6 @@
 
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+
+# Adaptive haptics settings property
+vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 77cca3d..76e5f7d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -34,6 +34,7 @@
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, adaptive_haptics_prop)
 set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
@@ -189,3 +190,6 @@
 # bug reports, but not reads.
 neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
 neverallow system_app shell_data_file:file { open read ioctl lock };
+
+# system_app should be the only domain writing the adaptive haptics prop
+neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 05a7317..f1c6d72 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -333,6 +333,7 @@
   mnt_vendor_file
   mirror_data_file
   mnt_user_file
+  mnt_product_file
 }:dir search;
 dontaudit dumpstate {
   apex_mnt_dir
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index 42fe979..763a80a 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -52,6 +52,7 @@
 
 # Properties which can't be written outside system
 system_restricted_prop(aac_drc_prop)
+system_restricted_prop(adaptive_haptics_prop)
 system_restricted_prop(arm64_memtag_prop)
 system_restricted_prop(binder_cache_bluetooth_server_prop)
 system_restricted_prop(binder_cache_system_server_prop)
diff --git a/private/clatd.te b/private/clatd.te
index 1f21d69..cd024a7 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -9,5 +9,4 @@
 allow clatd system_server:packet_socket { read write };
 allow clatd system_server:rawip_socket { read write };
 
-allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ec2a16d..43ce0a1 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    adaptive_haptics_prop
     adservices_manager_service
     apexd_select_prop
     artd_service
@@ -59,7 +60,6 @@
     mdns_service
     nearby_service
     persist_wm_debug_prop
-    prng_seeder
     proc_watermark_boost_factor
     remotelyprovisionedkeypool_service
     resources_manager_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 5737284..afcebba 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -16,6 +16,8 @@
 (type iorapd_service)
 (type iorapd_tmpfs)
 (type lowpan_service)
+(type remotelyprovisionedkeypool_service)
+(type remoteprovisioning_service)
 (type timezone_service)
 (type tzdatacheck)
 (type tzdatacheck_exec)
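Review bot: The two retired service types are declared as bare `(type …)` entries in the removed-types block, but a compat mapping normally also needs them folded into the corresponding versioned `typeattributeset` later in the file so that 33.0 vendor policy still naming `remoteprovisioning_service` or `remotelyprovisionedkeypool_service` resolves; that part of the file is outside this hunk, so confirm it was updated alongside. The removal itself is mirrored in public/service.te, private/service_contexts, public/keystore.te and the fuzzer bindings in this diff.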
diff --git a/private/composd.te b/private/composd.te
index d007d66..96991c6 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -17,8 +17,9 @@
 allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
 allow composd apex_art_staging_data_file:file { getattr unlink };
 
-# Delete files in the odrefresh target directory
-allow composd apex_art_data_file:file unlink;
+# Delete files or enable fs-verity in the odrefresh target directory
+allow composd apex_art_data_file:file { open ioctl read unlink write };
+allowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
@@ -34,4 +35,4 @@
 get_prop(composd, device_config_runtime_native_boot_prop)
 
 # We never create any artifact files directly
-neverallow composd apex_art_data_file:file ~unlink;
+neverallow composd apex_art_data_file:file create;
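Review bot: Replacing `neverallow composd apex_art_data_file:file ~unlink;` with `… create;` drops the deny-by-default shape: every permission other than `create` (write, setattr, rename, link, …) is now outside the guard, not only the five the new allow in the earlier hunk grants. Keep the complement form and list exactly what is granted: `neverallow composd apex_art_data_file:file ~{ open ioctl read unlink write };`. Separately, confirm that `write` is really needed to issue FS_IOC_ENABLE_VERITY; if a read-only descriptor suffices, drop it from both the allow and the exclusion so odrefresh artifacts stay non-writable from composd, which is what the `# We never create any artifact files directly` comment is reaching for.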
diff --git a/private/credstore.te b/private/credstore.te
index 434808f..02e87f7 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -8,10 +8,6 @@
 # talk to keymint, specifically for IRemotelyProvisionedComponent/default
 hal_client_domain(credstore, hal_keymint)
 
-# credstore needs to get keys from the remotely provisioned pool
-allow credstore remotelyprovisionedkeypool_service:service_manager find;
-allow credstore keystore:keystore2 get_attestation_key;
-
 # credstore needs to get keys from the RKPD
 get_prop(credstore, remote_prov_prop)
 allow credstore remote_provisioning_service:service_manager find;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 850b0d8..b369797 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -66,9 +66,11 @@
   netd
 }:process signal;
 
+# Only allow dumpstate to dump Keystore on debuggable builds.
 userdebug_or_eng(`
   allow dumpstate keystore:process signal;
 ')
+dontaudit dumpstate keystore:process { signal };
 
 # For collecting bugreports.
 no_debugfs_restriction(`
diff --git a/private/file_contexts b/private/file_contexts
index 57fcdfb..7432c2f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -379,7 +379,6 @@
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
 /system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
-/system/bin/cardisplayproxyd     u:object_r:automotive_display_service_exec:s0
 /system/bin/evsmanagerd          u:object_r:evsmanagerd_exec:s0
 /system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
 
@@ -497,6 +496,7 @@
 
 /(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
+/(system_ext|system/system_ext)/bin/cardisplayproxyd           u:object_r:automotive_display_service_exec:s0
 
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 
diff --git a/private/property.te b/private/property.te
index 4fd9bc3..9e49c30 100644
--- a/private/property.te
+++ b/private/property.te
@@ -628,11 +628,10 @@
 neverallow domain system_and_vendor_property_type:{file property_service} *;
 
 neverallow {
-  # Only init and the remote provisioner can set the remote_provisioning props
   domain
   -init
-  -remote_prov_app
   -shell
+  -rkpdapp
 } remote_prov_prop:property_service set;
 
 neverallow {
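Review bot: The explanatory comment `# Only init and the remote provisioner can set the remote_provisioning props` was deleted instead of updated, so the neverallow now carries no statement of intent. Suggest `# Only init, shell and rkpdapp can set the remote_prov props` on the line above `domain`. This pairs with the `get_prop` to `set_prop` change for rkpdapp in private/rkpd_app.te in the same diff.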
diff --git a/private/property_contexts b/private/property_contexts
index 4ce654c..269442d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -319,6 +319,7 @@
 ro.charger.                 u:object_r:charger_prop:s0
 sys.boot_from_charger_mode  u:object_r:charger_status_prop:s0 exact int
 ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
+ro.product.charger.unplugged_shutdown_time  u:object_r:charger_config_prop:s0 exact int
 
 # Virtual A/B and snapuserd properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
deleted file mode 100644
index d5f8e3f..0000000
--- a/private/remote_prov_app.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type remote_prov_app, domain;
-typeattribute remote_prov_app coredomain;
-
-app_domain(remote_prov_app)
-net_domain(remote_prov_app)
-
-set_prop(remote_prov_app, remote_prov_prop)
-# The app needs access to properly build a DeviceInfo package for the verifying server
-get_prop(remote_prov_app, vendor_security_patch_level_prop)
-
-# if rkpd is enabled, remote provisioner is a noop
-get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
-
-allow remote_prov_app {
-    app_api_service
-    mediametrics_service
-    remoteprovisioning_service
-}:service_manager find;
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 2d25540..509a96e 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -12,7 +12,7 @@
 
 # Grant access to certain system properties related to RKP
 get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
-get_prop(rkpdapp, remote_prov_prop)
+set_prop(rkpdapp, remote_prov_prop)
 
 # Grant access to the normal services that are available to all apps
 allow rkpdapp app_api_service:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 24e58bf..48ddeb8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -152,7 +152,6 @@
 neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
 
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
diff --git a/private/service_contexts b/private/service_contexts
index 6543e3f..91b114f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -140,8 +140,6 @@
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
-android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0
diff --git a/public/dumpstate.te b/public/dumpstate.te
index e626133..2c9f52f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -149,15 +149,23 @@
 binder_call(dumpstate, { appdomain netd wificond })
 
 # Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_audio)
+dump_hal(hal_audiocontrol)
 dump_hal(hal_authsecret)
 dump_hal(hal_bluetooth)
+dump_hal(hal_broadcastradio)
+dump_hal(hal_camera)
+dump_hal(hal_codec2)
 dump_hal(hal_contexthub)
 dump_hal(hal_drm)
 dump_hal(hal_dumpstate)
+dump_hal(hal_evs)
 dump_hal(hal_face)
 dump_hal(hal_fingerprint)
 dump_hal(hal_gnss)
 dump_hal(hal_graphics_allocator)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_health)
 dump_hal(hal_identity)
 dump_hal(hal_input_processor)
 dump_hal(hal_keymint)
@@ -169,7 +177,9 @@
 dump_hal(hal_power)
 dump_hal(hal_power_stats)
 dump_hal(hal_rebootescrow)
+dump_hal(hal_sensors)
 dump_hal(hal_thermal)
+dump_hal(hal_vehicle)
 dump_hal(hal_weaver)
 dump_hal(hal_wifi)
 
diff --git a/public/keystore.te b/public/keystore.te
index 4cef175..7e964c2 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -14,8 +14,6 @@
 allow keystore keystore_exec:file { getattr };
 
 add_service(keystore, keystore_service)
-add_service(keystore, remotelyprovisionedkeypool_service)
-add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
 allow keystore remote_provisioning_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 82a713a..e8f97bb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -38,8 +38,6 @@
 type nfc_service,               service_manager_type;
 type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
 type radio_service,             service_manager_type;
-type remotelyprovisionedkeypool_service, service_manager_type;
-type remoteprovisioning_service,   service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;
 type storaged_service,          service_manager_type;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index b49f138..c966423 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -51,172 +51,166 @@
         self.entrypointpaths = []
         self.error = ""
 
-def PrintScontexts():
-    for d in sorted(alldomains.keys()):
-        sctx = alldomains[d]
-        print(d)
-        print("\tcoredomain="+str(sctx.coredomain))
-        print("\tappdomain="+str(sctx.appdomain))
-        print("\tfromSystem="+str(sctx.fromSystem))
-        print("\tfromVendor="+str(sctx.fromVendor))
-        print("\tattributes="+str(sctx.attributes))
-        print("\tentrypoints="+str(sctx.entrypoints))
-        print("\tentrypointpaths=")
-        if sctx.entrypointpaths is not None:
-            for path in sctx.entrypointpaths:
-                print("\t\t"+str(path))
 
-alldomains = {}
-coredomains = set()
-appdomains = set()
-vendordomains = set()
-pol = None
+class TestPolicy:
+    """A policy loaded in memory with its domains easily accessible."""
 
-# compat vars
-alltypes = set()
-oldalltypes = set()
-compatMapping = None
-pubtypes = set()
+    def __init__(self):
+        self.alldomains = {}
+        self.coredomains = set()
+        self.appdomains = set()
+        self.vendordomains = set()
+        self.pol = None
 
-# Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
-FakeTreble = False
+        # compat vars
+        self.alltypes = set()
+        self.oldalltypes = set()
+        self.compatMapping = None
+        self.pubtypes = set()
 
-def GetAllDomains(pol):
-    global alldomains
-    for result in pol.QueryTypeAttribute("domain", True):
-        alldomains[result] = scontext()
+        # Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
+        self.FakeTreble = False
 
-def GetAppDomains():
-    global appdomains
-    global alldomains
-    for d in alldomains:
-        # The application of the "appdomain" attribute is trusted because core
-        # selinux policy contains neverallow rules that enforce that only zygote
-        # and runas spawned processes may transition to processes that have
-        # the appdomain attribute.
-        if "appdomain" in alldomains[d].attributes:
-            alldomains[d].appdomain = True
-            appdomains.add(d)
+    def GetAllDomains(self):
+        for result in self.pol.QueryTypeAttribute("domain", True):
+            self.alldomains[result] = scontext()
 
-def GetCoreDomains():
-    global alldomains
-    global coredomains
-    for d in alldomains:
-        domain = alldomains[d]
-        # TestCoredomainViolations will verify if coredomain was incorrectly
-        # applied.
-        if "coredomain" in domain.attributes:
-            domain.coredomain = True
-            coredomains.add(d)
-        # check whether domains are executed off of /system or /vendor
-        if d in coredomainAllowlist:
-            continue
-        # TODO(b/153112003): add checks to prevent app domains from being
-        # incorrectly labeled as coredomain. Apps don't have entrypoints as
-        # they're always dynamically transitioned to by zygote.
-        if d in appdomains:
-            continue
-        # TODO(b/153112747): need to handle cases where there is a dynamic
-        # transition OR there happens to be no context in AOSP files.
-        if not domain.entrypointpaths:
-            continue
+    def GetAppDomains(self):
+        for d in self.alldomains:
+            # The application of the "appdomain" attribute is trusted because core
+            # selinux policy contains neverallow rules that enforce that only zygote
+            # and runas spawned processes may transition to processes that have
+            # the appdomain attribute.
+            if "appdomain" in self.alldomains[d].attributes:
+                self.alldomains[d].appdomain = True
+                self.appdomains.add(d)
 
-        for path in domain.entrypointpaths:
-            vendor = any(MatchPathPrefix(path, prefix) for prefix in
-                         ["/vendor", "/odm"])
-            system = any(MatchPathPrefix(path, prefix) for prefix in
-                         ["/init", "/system_ext", "/product" ])
+    def GetCoreDomains(self):
+        for d in self.alldomains:
+            domain = self.alldomains[d]
+            # TestCoredomainViolations will verify if coredomain was incorrectly
+            # applied.
+            if "coredomain" in domain.attributes:
+                domain.coredomain = True
+                self.coredomains.add(d)
+            # check whether domains are executed off of /system or /vendor
+            if d in coredomainAllowlist:
+                continue
+            # TODO(b/153112003): add checks to prevent app domains from being
+            # incorrectly labeled as coredomain. Apps don't have entrypoints as
+            # they're always dynamically transitioned to by zygote.
+            if d in self.appdomains:
+                continue
+            # TODO(b/153112747): need to handle cases where there is a dynamic
+            # transition OR there happens to be no context in AOSP files.
+            if not domain.entrypointpaths:
+                continue
 
-            # only mark entrypoint as system if it is not in legacy /system/vendor
-            if MatchPathPrefix(path, "/system/vendor"):
-                vendor = True
-            elif MatchPathPrefix(path, "/system"):
-                system = True
+            for path in domain.entrypointpaths:
+                vendor = any(MatchPathPrefix(path, prefix) for prefix in
+                             ["/vendor", "/odm"])
+                system = any(MatchPathPrefix(path, prefix) for prefix in
+                             ["/init", "/system_ext", "/product" ])
 
-            if not vendor and not system:
-                domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+                # only mark entrypoint as system if it is not in legacy /system/vendor
+                if MatchPathPrefix(path, "/system/vendor"):
+                    vendor = True
+                elif MatchPathPrefix(path, "/system"):
+                    system = True
 
-            domain.fromSystem = domain.fromSystem or system
-            domain.fromVendor = domain.fromVendor or vendor
+                if not vendor and not system:
+                    domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
 
-###
-# Add the entrypoint type and path(s) to each domain.
-#
-def GetDomainEntrypoints(pol):
-    global alldomains
-    for x in pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
-        if not x.sctx in alldomains:
-            continue
-        alldomains[x.sctx].entrypoints.append(str(x.tctx))
-        # postinstall_file represents a special case specific to A/B OTAs.
-        # Update_engine mounts a partition and relabels it postinstall_file.
-        # There is no file_contexts entry associated with postinstall_file
-        # so skip the lookup.
-        if x.tctx == "postinstall_file":
-            continue
-        entrypointpath = pol.QueryFc(x.tctx)
-        if not entrypointpath:
-            continue
-        alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
-###
-# Get attributes associated with each domain
-#
-def GetAttributes(pol):
-    global alldomains
-    for domain in alldomains:
-        for result in pol.QueryTypeAttribute(domain, False):
-            alldomains[domain].attributes.add(result)
+                domain.fromSystem = domain.fromSystem or system
+                domain.fromVendor = domain.fromVendor or vendor
 
-def GetAllTypes(pol, oldpol):
-    global alltypes
-    global oldalltypes
-    alltypes = pol.GetAllTypes(False)
-    oldalltypes = oldpol.GetAllTypes(False)
+    ###
+    # Add the entrypoint type and path(s) to each domain.
+    #
+    def GetDomainEntrypoints(self):
+        for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
+            if not x.sctx in self.alldomains:
+                continue
+            self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
+            # postinstall_file represents a special case specific to A/B OTAs.
+            # Update_engine mounts a partition and relabels it postinstall_file.
+            # There is no file_contexts entry associated with postinstall_file
+            # so skip the lookup.
+            if x.tctx == "postinstall_file":
+                continue
+            entrypointpath = self.pol.QueryFc(x.tctx)
+            if not entrypointpath:
+                continue
+            self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
 
-def setup(pol):
-    GetAllDomains(pol)
-    GetAttributes(pol)
-    GetDomainEntrypoints(pol)
-    GetAppDomains()
-    GetCoreDomains()
+    ###
+    # Get attributes associated with each domain
+    #
+    def GetAttributes(self):
+        for domain in self.alldomains:
+            for result in self.pol.QueryTypeAttribute(domain, False):
+                self.alldomains[domain].attributes.add(result)
 
-# setup for the policy compatibility tests
-def compatSetup(pol, oldpol, mapping, types):
-    global compatMapping
-    global pubtypes
+    def setup(self, pol):
+        self.pol = pol
+        self.GetAllDomains()
+        self.GetAttributes()
+        self.GetDomainEntrypoints()
+        self.GetAppDomains()
+        self.GetCoreDomains()
 
-    GetAllTypes(pol, oldpol)
-    compatMapping = mapping
-    pubtypes = types
+    def GetAllTypes(self, basepol, oldpol):
+        self.alltypes = basepol.GetAllTypes(False)
+        self.oldalltypes = oldpol.GetAllTypes(False)
 
-def DomainsWithAttribute(attr):
-    global alldomains
-    domains = []
-    for domain in alldomains:
-        if attr in alldomains[domain].attributes:
-            domains.append(domain)
-    return domains
+    # setup for the policy compatibility tests
+    def compatSetup(self, basepol, oldpol, mapping, types):
+        self.GetAllTypes(basepol, oldpol)
+        self.compatMapping = mapping
+        self.pubtypes = types
+
+    def DomainsWithAttribute(self, attr):
+        domains = []
+        for domain in self.alldomains:
+            if attr in self.alldomains[domain].attributes:
+                domains.append(domain)
+        return domains
+
+    def PrintScontexts(self):
+        for d in sorted(self.alldomains.keys()):
+            sctx = self.alldomains[d]
+            print(d)
+            print("\tcoredomain="+str(sctx.coredomain))
+            print("\tappdomain="+str(sctx.appdomain))
+            print("\tfromSystem="+str(sctx.fromSystem))
+            print("\tfromVendor="+str(sctx.fromVendor))
+            print("\tattributes="+str(sctx.attributes))
+            print("\tentrypoints="+str(sctx.entrypoints))
+            print("\tentrypointpaths=")
+            if sctx.entrypointpaths is not None:
+                for path in sctx.entrypointpaths:
+                    print("\t\t"+str(path))
+
 
 #############################################################
 # Tests
 #############################################################
-def TestCoredomainViolations():
-    global alldomains
+def TestCoredomainViolations(test_policy):
     # verify that all domains launched from /system have the coredomain
     # attribute
     ret = ""
 
-    for d in alldomains:
-        domain = alldomains[d]
+    for d in test_policy.alldomains:
+        domain = test_policy.alldomains[d]
         if domain.fromSystem and domain.fromVendor:
             ret += "The following domain is system and vendor: " + d + "\n"
 
-    for domain in alldomains.values():
+    for domain in test_policy.alldomains.values():
         ret += domain.error
 
     violators = []
-    for d in alldomains:
-        domain = alldomains[d]
+    for d in test_policy.alldomains:
+        domain = test_policy.alldomains[d]
         if domain.fromSystem and "coredomain" not in domain.attributes:
                 violators.append(d);
     if len(violators) > 0:
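Review bot: `GetAllDomains`, `GetAttributes` and `GetDomainEntrypoints` dereference `self.pol`, which `__init__` sets to `None` and only `setup` assigns, so calling any of them on a fresh `TestPolicy` fails with an `AttributeError` on `NoneType` instead of a message naming the missing step; a short guard at the top of each, `if self.pol is None:` / `raise RuntimeError("TestPolicy.setup() must be called first")`, or a `setup` docstring stating that it must run before the query methods, would make the ordering explicit. The class docstring could also say that `compatSetup` is independent of `setup` and only populates the compat fields (`alltypes`, `oldalltypes`, `compatMapping`, `pubtypes`), since main calls the two in that order. As a style point, `if not x.sctx in self.alldomains:` in `GetDomainEntrypoints` reads better as `if x.sctx not in self.alldomains:`; the same `not o in` form appears in the `TestNoUnmappedRmTypes` hunk. `DomainsWithAttribute` is a one-line comprehension, `return [d for d in self.alldomains if attr in self.alldomains[d].attributes]`.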
@@ -228,8 +222,8 @@
     # verify that all domains launched form /vendor do not have the coredomain
     # attribute
     violators = []
-    for d in alldomains:
-        domain = alldomains[d]
+    for d in test_policy.alldomains:
+        domain = test_policy.alldomains[d]
         if domain.fromVendor and "coredomain" in domain.attributes:
             violators.append(d)
     if len(violators) > 0:
@@ -243,17 +237,13 @@
 ###
 # Make sure that any new public type introduced in the new policy that was not
 # present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes():
-    global alltypes
-    global oldalltypes
-    global compatMapping
-    global pubtypes
-    newt = alltypes - oldalltypes
+def TestNoUnmappedNewTypes(test_policy):
+    newt = test_policy.alltypes - test_policy.oldalltypes
     ret = ""
     violators = []
 
     for n in newt:
-        if n in pubtypes and compatMapping.rTypeattributesets.get(n) is None:
+        if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
             violators.append(n)
 
     if len(violators) > 0:
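Review bot: The rewritten condition in `TestNoUnmappedNewTypes`, `if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:`, runs well past the line length the rest of the file keeps, and the corresponding line in the `TestNoUnmappedRmTypes` hunk has the same problem. Binding the mapping once, `mapping = test_policy.compatMapping`, and then wrapping the condition inside parentheses keeps both readable without changing behaviour. The rest of the function is outside this hunk.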
@@ -270,16 +260,13 @@
 ###
 # Make sure that any public type removed in the current policy has its
 # declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes():
-    global alltypes
-    global oldalltypes
-    global compatMapping
-    rmt = oldalltypes - alltypes
+def TestNoUnmappedRmTypes(test_policy):
+    rmt = test_policy.oldalltypes - test_policy.alltypes
     ret = ""
     violators = []
 
     for o in rmt:
-        if o in compatMapping.pubtypes and not o in compatMapping.types:
+        if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
             violators.append(o)
 
     if len(violators) > 0:
@@ -292,34 +279,32 @@
         ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
     return ret
 
-def TestTrebleCompatMapping():
-    ret = TestNoUnmappedNewTypes()
-    ret += TestNoUnmappedRmTypes()
+def TestTrebleCompatMapping(test_policy):
+    ret = TestNoUnmappedNewTypes(test_policy)
+    ret += TestNoUnmappedRmTypes(test_policy)
     return ret
 
-def TestViolatorAttribute(attribute):
-    global FakeTreble
+def TestViolatorAttribute(test_policy, attribute):
     ret = ""
-    if FakeTreble:
+    if test_policy.FakeTreble:
         return ret
 
-    violators = DomainsWithAttribute(attribute)
+    violators = test_policy.DomainsWithAttribute(attribute)
     if len(violators) > 0:
         ret += "SELinux: The following domains violate the Treble ban "
         ret += "against use of the " + attribute + " attribute: "
         ret += " ".join(str(x) for x in sorted(violators)) + "\n"
     return ret
 
-def TestViolatorAttributes():
+def TestViolatorAttributes(test_policy):
     ret = ""
-    ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
-    ret += TestViolatorAttribute("vendor_executes_system_violators")
+    ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
+    ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
     return ret
 
 # TODO move this to sepolicy_tests
-def TestCoreDataTypeViolations():
-    global pol
-    return pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
+def TestCoreDataTypeViolations(test_policy):
+    return test_policy.pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
         "/data/vendor_de/"], [], "core_data_file_type")
 
 ###
@@ -349,7 +334,7 @@
     Args:
         libpath: string, path to libsepolwrap.so
     """
-    global pol, FakeTreble
+    test_policy = TestPolicy()
 
     usage = "treble_sepolicy_tests "
     usage += "-f nonplat_file_contexts -f plat_file_contexts "
@@ -402,27 +387,27 @@
         oldpol = policy.Policy(options.oldpolicy, None, libpath)
         mapping = mini_parser.MiniCilParser(options.mapping)
         pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
-        compatSetup(basepol, oldpol, mapping, pubpol.types)
+        test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
 
     if options.faketreble:
-        FakeTreble = True
+        test_policy.FakeTreble = True
 
     pol = policy.Policy(options.policy, options.file_contexts, libpath)
-    setup(pol)
+    test_policy.setup(pol)
 
     if DEBUG:
-        PrintScontexts()
+        test_policy.PrintScontexts()
 
     results = ""
     # If an individual test is not specified, run all tests.
     if options.tests is None:
         for t in Tests.values():
-            results += t()
+            results += t(test_policy)
     else:
         for tn in options.tests:
             t = Tests.get(tn)
             if t:
-                results += t()
+                results += t(test_policy)
             else:
                 err = "Error: unknown test: " + tn + "\n"
                 err += "Available tests:\n"