Merge "Update SELinux policy for app compilation CUJ."
diff --git a/Android.bp b/Android.bp
index 467f80e..0770a64 100644
--- a/Android.bp
+++ b/Android.bp
@@ -373,19 +373,44 @@
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
-
se_policy_conf {
name: "apex_sepolicy-33.conf",
- srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy +
+ ["com.android.sepolicy/33/*.te"],
installable: false,
}
se_policy_cil {
name: "apex_sepolicy-33.cil",
src: ":apex_sepolicy-33.conf",
- filter_out: [":plat_sepolicy.cil"],
+ filter_out: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ],
installable: false,
stem: "apex_sepolicy.cil",
+ remove_line_marker: true,
+}
+
+se_policy_cil {
+ name: "decompiled_sepolicy-without_apex.cil",
+ src: ":precompiled_sepolicy-without_apex",
+ decompile_binary: true,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-decompiled.cil",
+ src: ":precompiled_sepolicy",
+ decompile_binary: true,
+ filter_out: [":decompiled_sepolicy-without_apex.cil"],
+ additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+ secilc_check: false,
}
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
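Review bot: `secilc_check: false` on `apex_sepolicy-decompiled.cil` means the decompiled CIL plus the hand-written `definitions.cil` stubs are never validated, so the module should say what consumes this artifact and why validation is skipped, e.g. `// Decompiled apex policy for comparison against apex_sepolicy-33.cil; not a complete policy, so secilc cannot check it.` The two new `se_policy_cil` modules also omit the `installable: false` that `apex_sepolicy-33.cil` sets on line 31; whether the default is installable is not visible here, but if it is, these intermediate CILs could end up on an image, so `installable: false,` should be added to both.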
@@ -896,6 +921,50 @@
},
}
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy-without_apex",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
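Review bot: `ignore_neverallow: true` under `IS_TARGET_MIXED_SEPOLICY` disables the neverallow backstop for `precompiled_sepolicy-without_apex`, and nothing in the module says this binary is only an intermediate consumed by `decompiled_sepolicy-without_apex.cil` rather than a policy that gets loaded. A header such as `// Platform policy compiled without the apex policy; used only to subtract non-apex rules from precompiled_sepolicy when decompiling. Never loaded at runtime.` would make the relaxation and the `dist` entry easier to justify. The `required: sepolicy_neverallows*` entries presumably keep the neverallow check running elsewhere, but that is not visible in this diff.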
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3946a04..380faff 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,6 +287,10 @@
// Policy file to be compiled to cil file.
Src *string `android:"path"`
+ // If true, the input policy file is a binary policy that will be decompiled to a cil file.
+ // Defaults to false.
+ Decompile_binary *bool
+
// Additional cil files to be added in the end of the output. This is to support workarounds
// which are not supported by the policy language.
Additional_cil_files []string `android:"path"`
@@ -338,17 +342,22 @@
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
- Flag("-C"). // Write CIL
- Flag("-M"). // Enable MLS
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- FlagWithOutput("-o ", cil).
- Input(conf)
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
+ if proptools.Bool(c.properties.Decompile_binary) {
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-b"). // Read binary
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
+ } else {
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
}
if len(c.properties.Filter_out) > 0 {
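Review bot: The two `checkpolicy` branches differ only in the `-b` flag, so the command should be built once and the flag added conditionally, which also keeps later flag changes from drifting between the branches: `cmd := rule.Command().BuiltTool("checkpolicy")`, then `if proptools.Bool(c.properties.Decompile_binary) { cmd.Flag("-b") } // Read binary`, then `cmd.Flag("-C").Flag("-M").FlagWithArg("-c ", strconv.Itoa(PolicyVers)).FlagWithOutput("-o ", cil).Input(conf)`. The parameter is still called `conf` although it may now be a binary policy; a one-line comment on `compileConfToCil` saying the input is a binary policy when `Decompile_binary` is set would avoid that confusion. The function body continues past the end of the hunk.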
@@ -359,6 +368,12 @@
FlagWithOutput("-t ", cil)
}
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
if proptools.Bool(c.properties.Remove_line_marker) {
rule.Command().Text("grep -v").
Text(proptools.ShellEscape(";;")).
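Review bot: Moving the `cat` of `Additional_cil_files` after the `filter_out` step changes behavior for any module that sets both: appended lines are no longer subject to filtering, whereas before this change they were. That is presumably intended so `definitions.cil` survives the subtraction in `apex_sepolicy-decompiled.cil`, but the property comment on `Additional_cil_files` should say so, e.g. `// Appended after filter_out is applied, so these lines are never removed by it.` Whether the appended lines are still covered by the secilc check is not visible in this hunk and is worth confirming for modules that leave `secilc_check` enabled.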
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..06f7326
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,527 @@
+(sid test)
+(sidorder (test))
+
+(classorder (file service_manager fd sock_file unix_stream_socket process dir udp_socket anon_inode fifo_file lnk_file unix_dgram_socket lockdown netlink_route_socket tcp_socket rawip_socket icmp_socket chr_file binder hwservice_manager))
+
+;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read write getattr lock map open watch watch_reads execute_no_trans append create setattr unlink rename execute relabelfrom relabelto link watch_mount watch_sb watch_with_perm entrypoint execmod audit_access mounton quotaon))
+
+;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
+(role r)
+(role object_r)
+
+(class service_manager (add find list ))
+(class sock_file (write))
+(class fd (use ))
+(class unix_stream_socket (ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown connectto))
+(class process (fork sigchld sigkill sigstop signull ptrace transition signal siginh rlimitinh getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit execmem dyntransition noatsecure))
+(class dir (ioctl read write create getattr setattr lock rename open watch watch_reads relabelfrom relabelto append map unlink link add_name remove_name reparent search rmdir execute quotaon watch_with_perm watch_sb watch_mount execmod audit_access mounton))
+(class udp_socket (ioctl read write getattr setattr connect getopt setopt recvfrom sendto node_bind name_bind create lock append map bind shutdown))
+(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class unix_dgram_socket (ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown sendto))
+(class fifo_file (ioctl read write getattr lock append map open watch watch_reads))
+(class lnk_file (ioctl read getattr lock map open watch watch_reads))
+(class lockdown (confidentiality))
+(class netlink_route_socket (read write create getattr setattr lock append connect getopt setopt shutdown nlmsg_read bind nlmsg_getneigh nlmsg_readpriv))
+(class tcp_socket (node_bind name_bind ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown))
+(class rawip_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
+(class icmp_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
+(class binder (call transfer))
+(class chr_file (ioctl read write getattr lock append map open watch watch_reads))
+(class hwservice_manager (find))
+
+(typeattribute domain)
+(typeattribute coredomain)
+(typeattribute netdomain)
+(typeattribute appdomain)
+
+(type activity_service)
+(type activity_task_service)
+(type adbd)
+(type adsprpcd)
+(type aidl_lazy_test_server)
+(type airbrush)
+(type apexd)
+(type apexd_derive_classpath)
+(type apex_test_prepostinstall)
+(type appdomain_tmpfs)
+(type appops_service)
+(type app_zygote)
+(type artd)
+(type atrace)
+(type audioserver)
+(type audioserver_service)
+(type audio_service)
+(type auditctl)
+(type automotive_display_service)
+(type batteryproperties_service)
+(type batterystats_service)
+(type binder_device)
+(type blank_screen)
+(type blkid)
+(type blkid_untrusted)
+(type bluetooth)
+(type bootanim)
+(type bootstat)
+(type boringssl_self_test)
+(type bpfloader)
+(type bt_logger)
+(type bufferhubd)
+(type cameraserver)
+(type canhalconfigurator)
+(type cbrs_setup_app)
+(type cdsprpcd)
+(type charger)
+(type charger_vendor)
+(type chre)
+(type citadeld)
+(type citadel_provision)
+(type clatd)
+(type cnd)
+(type codec2_config_prop)
+(type color_init)
+(type composd)
+(type compos_fd_server)
+(type compos_verify)
+(type con_monitor_app)
+(type connectivity_service)
+(type connmetrics_service)
+(type cppreopts)
+(type crash_dump)
+(type crash_dump_exec)
+(type credstore)
+(type crosvm)
+(type dataservice_app)
+(type derive_classpath)
+(type derive_sdk)
+(type device_config_nnapi_native_prop)
+(type device_drop_monitor)
+(type deviceidle_service)
+(type dex2oat)
+(type dexoptanalyzer)
+(type dhcp)
+(type diag)
+(type diced)
+(type display_service)
+(type dmabuf_system_heap_device)
+(type dmabuf_system_secure_heap_device)
+(type dmesgd)
+(type dnsmasq)
+(type drmserver)
+(type dropbox_service)
+(type dumpstate)
+(type e2fs)
+(type ephemeral_app)
+(type evsmanagerd)
+(type extra_free_kbytes)
+(type face_debug)
+(type fastbootd)
+(type fingerprintd)
+(type flags_health_check)
+(type font_service)
+(type fsck)
+(type fsck_untrusted)
+(type fstman)
+(type fsverity_init)
+(type fwk_bufferhub)
+(type game_service)
+(type gatekeeperd)
+(type gki_apex_prepostinstall)
+(type gmscore_app)
+(type google_camera_app)
+(type google_touch_app)
+(type gpu_device)
+(type gpu_service)
+(type gpuservice)
+(type graphicsstats_service)
+(type grilservice_app)
+(type gsid)
+(type hal_allocator_default)
+(type hal_allocator_server)
+(type hal_atrace_default)
+(type hal_audiocontrol_default)
+(type hal_audio_default)
+(type hal_authsecret_default)
+(type hal_bluetooth_btlinux)
+(type hal_bluetooth_default)
+(type hal_bluetooth_qti)
+(type hal_bootctl_default)
+(type hal_broadcastradio_default)
+(type hal_camera_default)
+(type hal_can_socketcan)
+(type hal_cas_default)
+(type hal_cas_hwservice)
+(type hal_cas_server)
+(type hal_codec2_hwservice)
+(type hal_codec2_server)
+(type hal_configstore_default)
+(type hal_configstore_ISurfaceFlingerConfigs)
+(type hal_configstore_server)
+(type hal_confirmationui_default)
+(type hal_contexthub_default)
+(type hal_dice_default)
+(type hal_display_color_default)
+(type hal_drm_clearkey)
+(type hal_drm_clearkey_aidl)
+(type hal_drm_default)
+(type hal_drm_server)
+(type hal_drm_widevine)
+(type hal_dumpstate_default)
+(type hal_dumpstate_impl)
+(type hal_evs_default)
+(type hal_face_default)
+(type hal_fingerprint_default)
+(type hal_gatekeeper_default)
+(type hal_gatekeeper_qti)
+(type hal_gnss_default)
+(type hal_gnss_qti)
+(type hal_graphics_allocator_default)
+(type hal_graphics_allocator_hwservice)
+(type hal_graphics_allocator_server)
+(type hal_graphics_allocator_service)
+(type hal_graphics_composer_default)
+(type hal_graphics_mapper_hwservice)
+(type hal_health_default)
+(type hal_health_storage_default)
+(type hal_identity_citadel)
+(type hal_identity_default)
+(type hal_imsrtp)
+(type hal_input_classifier_default)
+(type hal_input_processor_default)
+(type hal_ir_default)
+(type hal_keymaster_citadel)
+(type hal_keymaster_default)
+(type hal_keymaster_qti)
+(type hal_keymint_citadel)
+(type hal_keymint_default)
+(type hal_light_default)
+(type hal_lowpan_default)
+(type hal_memtrack_default)
+(type hal_neuralnetworks_darwinn)
+(type hal_neuralnetworks_default)
+(type hal_neuralnetworks_hwservice)
+(type hal_neuralnetworks_server)
+(type hal_neuralnetworks_service)
+(type hal_nfc_default)
+(type hal_oemlock_default)
+(type hal_omx_hwservice)
+(type hal_omx_server)
+(type hal_power_default)
+(type hal_power_stats_default)
+(type hal_qseecom_default)
+(type hal_qteeconnector_qti)
+(type hal_radio_config_default)
+(type hal_radio_default)
+(type hal_radioext_default)
+(type hal_rcsservice)
+(type hal_rebootescrow_citadel)
+(type hal_rebootescrow_default)
+(type hal_renderscript_hwservice)
+(type hal_secure_element_default)
+(type hal_sensors_default)
+(type hal_tetheroffload_default)
+(type hal_thermal_default)
+(type hal_tui_comm_qti)
+(type hal_tv_cec_default)
+(type hal_tv_input_default)
+(type hal_tv_tuner_default)
+(type hal_tv_tuner_server)
+(type hal_usb_default)
+(type hal_usb_gadget_default)
+(type hal_usb_gadget_impl)
+(type hal_usb_impl)
+(type hal_uwb_default)
+(type hal_vehicle_default)
+(type hal_vibrator_default)
+(type hal_vr_default)
+(type hal_weaver_citadel)
+(type hal_weaver_default)
+(type hal_wifi_default)
+(type hal_wifi_ext)
+(type hal_wifi_hostapd_default)
+(type hal_wifi_supplicant_default)
+(type hal_wlc)
+(type hardware_info_app)
+(type hardware_properties_service)
+(type hbmsvmanager_app)
+(type healthd)
+(type heapprofd)
+(type heapprofd_socket)
+(type heapprofd_tmpfs)
+(type hidl_allocator_hwservice)
+(type hidl_lazy_test_server)
+(type hidl_manager_hwservice)
+(type hidl_memory_hwservice)
+(type hidl_token_hwservice)
+(type hint_service)
+(type hwbinder_device)
+(type hwservicemanager)
+(type hwservicemanager_prop)
+(type idmap)
+(type imms_service)
+(type ims)
+(type incident)
+(type incidentd)
+(type incident_helper)
+(type init)
+(type init_citadel)
+(type init_dp)
+(type init-insmod-sh)
+(type init-mm-logging-sh)
+(type init-qti-keymaster-sh)
+(type init_radio)
+(type init-thermal-logging-sh)
+(type init-thermal-symlinks-sh)
+(type inputflinger)
+(type input_method_service)
+(type input_service)
+(type installd)
+(type ion_device)
+(type IProxyService_service)
+(type ipsec_service)
+(type irsc_util)
+(type isolated_app)
+(type iw)
+(type kernel)
+(type keystore)
+(type launcherapps_service)
+(type legacy_permission_service)
+(type light_service)
+(type linkerconfig)
+(type llkd)
+(type lmkd)
+(type locale_service)
+(type location)
+(type logd)
+(type logger_app)
+(type logpersist)
+(type lpdumpd)
+(type mdm_helper)
+(type mdnsd)
+(type mediacodec)
+(type media_communication_service)
+(type mediadrmserver)
+(type mediaextractor)
+(type mediaextractor_service)
+(type mediametrics)
+(type mediametrics_service)
+(type media_projection_service)
+(type mediaprovider)
+(type mediaprovider_app)
+(type media_router_service)
+(type mediaserver)
+(type mediaserver_service)
+(type media_session_service)
+(type mediaswcodec)
+(type mediatranscoding)
+(type mediatuner)
+(type media_variant_prop)
+(type memtrackproxy_service)
+(type midi_service)
+(type migrate_legacy_obb_data)
+(type mm_events)
+(type modem_diagnostic_app)
+(type modem_svc)
+(type modprobe)
+(type msm_irqbalanced)
+(type mtectrl)
+(type mtp)
+(type netd)
+(type netmgrd)
+(type netpolicy_service)
+(type netstats_service)
+(type netutils_wrapper)
+(type network_management_service)
+(type network_stack)
+(type nfc)
+(type nnapi_ext_deny_product_prop)
+(type notification_service)
+(type obdm_app)
+(type odrefresh)
+(type odsign)
+(type omadm_app)
+(type oslo_app)
+(type otapreopt_chroot)
+(type otapreopt_slot)
+(type package_service)
+(type perfetto)
+(type performanced)
+(type permission_checker_service)
+(type permissioncontroller_app)
+(type permissionmgr_service)
+(type permission_service)
+(type pixelstats_system)
+(type pixelstats_vendor)
+(type pixel-thermal-control-sh)
+(type platform_app)
+(type platform_compat_service)
+(type port-bridge)
+(type postinstall)
+(type postinstall_dexopt)
+(type power_service)
+(type ppp)
+(type preloads_copy)
+(type preopt2cachename)
+(type priv_app)
+(type procstats_service)
+(type profcollectd)
+(type profman)
+(type qlogd)
+(type qrtr)
+(type qtelephony)
+(type qtidataservices_app)
+(type qti_init_shell)
+(type racoon)
+(type radio)
+(type radio_data_file)
+(type ramdump_app)
+(type ramoops)
+(type recovery)
+(type recovery_persist)
+(type recovery_refresh)
+(type registry_service)
+(type remote_prov_app)
+(type remount)
+(type restrictions_service)
+(type rfs_access)
+(type ril_config_service_app)
+(type rild)
+(type rlsservice)
+(type rmt_storage)
+(type rs)
+(type rss_hwm_reset)
+(type rttmanager_service)
+(type runas)
+(type runas_app)
+(type same_process_hal_file)
+(type sdcardd)
+(type sdk_sandbox)
+(type sdk_sandbox_data_file)
+(type sdk_sandbox_system_data_file)
+(type search_service)
+(type sec_nvm)
+(type secure_element)
+(type secure_ui_service_app)
+(type selection_toolbar_service)
+(type sensor_privacy_service)
+(type sensors)
+(type sensorservice_service)
+(type servicediscovery_service)
+(type servicemanager)
+(type settings_service)
+(type sgdisk)
+(type shared_relro)
+; (type shell)
+(type simpleperf)
+(type simpleperf_app_runner)
+(type simpleperf_boot)
+(type slideshow)
+(type smcinvoke_daemon)
+(type snapshotctl)
+(type snapuserd)
+(type spdaemon)
+(type speech_recognition_service)
+(type sprint_hidden_menu)
+(type ssr_detector_app)
+(type stats)
+(type statsd)
+(type statusbar_service)
+(type storaged)
+(type storagestats_service)
+(type su)
+(type surfaceflinger)
+(type surfaceflinger_service)
+(type sysfs_gpu)
+(type system_app)
+(type system_linker_exec)
+(type system_server)
+(type system_server_startup)
+(type system_suspend)
+(type tcpdump_logger)
+(type tee)
+(type telecom_service)
+(type tethering_service)
+(type textclassification_service)
+(type textclassifier_data_file)
+(type textservices_service)
+(type texttospeech_service)
+(type thermal-engine)
+(type thermal_service)
+(type time_daemon)
+(type timeservice_app)
+(type tmpfs)
+(type tombstoned)
+(type toolbox)
+(type traced)
+(type traced_perf)
+(type traced_perf_socket)
+(type traced_probes)
+(type traced_producer_socket)
+(type traced_tmpfs)
+(type traceur_app)
+(type translation_service)
+(type tv_iapp_service)
+(type tv_input_service)
+(type twoshay)
+(type ueventd)
+(type uimode_service)
+(type uncrypt)
+(type untrusted_app)
+(type untrusted_app_25)
+(type untrusted_app_27)
+(type untrusted_app_29)
+(type untrusted_app_30)
+(type update_engine)
+(type update_verifier)
+(type usbd)
+(type uscc_omadm)
+(type uv_exposure_reporter)
+(type vcn_management_service)
+(type vdc)
+(type vehicle_binding_util)
+(type vendor_boringssl_self_test)
+(type vendor_file)
+(type vendor_ia_crash_dump)
+(type vendor_init)
+(type vendor_install_recovery)
+(type vendor_misc_writer)
+(type vendor_modprobe)
+(type vendor_pd_mapper)
+(type vendor_per_mgr)
+(type vendor_shell)
+(type vendor_ssr_diag)
+(type vendor_ssr_setup)
+(type vendor_subsystem_ramdump)
+(type viewcompiler)
+(type virtualizationservice)
+(type virtual_touchpad)
+(type vndservicemanager)
+(type vold)
+(type vold_prepare_subdirs)
+(type vzw_omadm_connmo)
+(type vzw_omadm_dcmo)
+(type vzw_omadm_diagmon)
+(type vzw_omadm_trigger)
+(type vzwomatrigger_app)
+(type wait_for_keymaster)
+(type wait_for_strongbox)
+(type watchdogd)
+(type wcnss_service)
+(type webviewupdate_service)
+(type webview_zygote)
+(type wfc_activation_app)
+(type wificond)
+(type wifidisplayhalservice_qti)
+(type wifi_sniffer)
+(type wigighalsvc)
+(type wigignpt)
+(type wpantund)
+(type zygote)
+
+(type boot_status_prop)
+(allow dumpstate domain (dir (ioctl read getattr lock open watch watch_reads search)))
+(allow coredomain boot_status_prop (file (read getattr map open)))
+(allow netdomain netd (unix_stream_socket (connectto)))
+(allow appdomain traced (fd (use)))
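Review bot: The file has no header explaining its role, and the four trailing `allow` rules look like real policy rather than declarations, which is confusing in a file named `definitions.cil` that is appended to a module with `secilc_check: false`. A header such as `;; Declarations (sids, class order, classes, types, attributes) plus the few rules decompilation does not reproduce, appended to apex_sepolicy-decompiled.cil so it parses. Not installed on any image.` would say so, and each of the four `allow` lines deserves a one-line reason for being here. The commented-out `; (type shell)` in the sdk_sandbox list duplicates the declaration under the shell.te heading; dropping the line avoids it reading as a leftover.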
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
new file mode 100644
index 0000000..f3f9a67
--- /dev/null
+++ b/com.android.sepolicy/33/sdk_sandbox.te
@@ -0,0 +1,112 @@
+###
+### SDK Sandbox process.
+###
+### This file extends the sdk sandbox policy at system/sepolicy/private/sdk_sandbox.te
+
+typeattribute sdk_sandbox domain;
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
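Review bot: The comment above the `system_server:udp_socket` rule says the sandbox may "not modify them other than to connect", but the rule grants `setopt` (plus `write`/`sendto`), which does change socket state; either drop `setopt` if nothing needs it, or reword to `# allow sdk sandbox to send/receive on and set options of UDP sockets handed over by system_server, but not create, bind or listen on them`. The `service_manager find` list includes sensitive services (`media_projection_service`, `input_method_service`, `notification_service`, `package_service`); since the header says the allowlist is curated by hand, a short comment per group stating why the sandbox needs it would make later audits of this list tractable. The `auditallow` on `audio_service` is still tracked by the TODO and is fine as written.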
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
index a26cff3..a5b59fb 100644
--- a/microdroid/system/private/logcat.te
+++ b/microdroid/system/private/logcat.te
@@ -17,3 +17,6 @@
get_prop(logcat, logd_prop)
allow logcat self:global_capability_class_set { sys_nice };
+
+# logcat uses bootstrap to be run before apexd
+use_bootstrap_libs(logcat)
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 46cdb7d..5381212 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -41,4 +41,7 @@
# Logd sets defaults if certain properties are empty.
set_prop(logd, logd_prop)
+# logd uses bootstrap to be run before apexd
+use_bootstrap_libs(logd)
+
dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index a8eba6c..37ffadb 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -66,6 +66,9 @@
set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
+# Allow microdroid_manager to stop tombstoned
+set_prop(microdroid_manager, ctl_tombstoned_prop)
+
# Allow microdroid_manager to wait for linkerconfig to be ready
get_prop(microdroid_manager, apex_config_prop)
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 28fb8e1..a02a7f2 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,5 @@
+system_internal_prop(ctl_tombstoned_prop)
+
system_restricted_prop(boot_status_prop)
# Declare ART properties for CompOS
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 57f28ae..16b40bc 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -23,6 +23,8 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+ctl.stop$tombstoned u:object_r:ctl_tombstoned_prop:s0
+
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 2c75f30..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -87,6 +87,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
@@ -146,6 +147,7 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_input_processor)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
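Review bot: `prebuilts/api/33.0/public/dumpstate.te` is the frozen API-33 snapshot the build compares against `public/`, so editing it after freeze should be deliberate and mirrored in `public/dumpstate.te`, which is not part of this chunk. `dump_hal(hal_input_processor)` also requires the `hal_input_processor` and `hal_input_processor_server` attributes to exist at the same API level; the `hal_input_processor_default` type listed in definitions.cil suggests they do, but that cannot be confirmed from the diff. The `neverallow` list that the first hunk extends starts and ends outside the hunk.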
diff --git a/private/access_vectors b/private/access_vectors
index 0f8dd5f..6cd8c4e 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -729,7 +729,6 @@
get_state
list
lock
- migrate_any_key
pull_metrics
report_off_body
reset
diff --git a/private/apexd.te b/private/apexd.te
index 6db0fd9..0482090 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -131,6 +131,10 @@
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
+# Allow apexd to send control messages to load/unload apex from init
+set_prop(apexd, ctl_apex_load_prop)
+get_prop(apexd, init_apex_status_private_prop)
+
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
diff --git a/private/audioserver.te b/private/audioserver.te
index ca29373..7a5e8bc 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,6 +43,7 @@
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
+allow audioserver audio_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index 2be7f88..ada65ae 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -12,3 +12,10 @@
neverallow { domain -bpfdomain } *:bpf *;
allow bpfdomain fs_bpf:dir search;
+
+# genfscon doesn't seem to trigger during symlink creation,
+# and thus any created symlinks end up as 'fs_bpf:lnk_type',
+# however this feels like a kernel bug / missing feature,
+# so let's allow all bpffs_type's instead,
+# this will keep things working even if this is fixed.
+allow bpfdomain bpffs_type:lnk_file read;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index ffb80c5..7c009ec 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,6 +8,7 @@
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
@@ -42,6 +43,9 @@
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
+
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow {
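Review bot: The new `neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;` leaves bpfloader itself unconstrained on symlinks, while the `allow` on line 941 grants it only `{ create getattr read }`; mirroring the file rule on line 946 with `neverallow domain bpffs_type:lnk_file ~{ create getattr read };` pins that set so a later `allow bpfloader bpffs_type:lnk_file { rename unlink }` cannot slip in unnoticed. The two neverallows also lack the short comment the surrounding rules have, e.g. `# Only bpfloader creates bpffs symlinks; only bpfdomain may follow them.` Taken together the two rules only hold if bpfloader is itself a bpfdomain, which the hunk does not show.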
diff --git a/private/coredomain.te b/private/coredomain.te
index 5dbd7ce..9888fa4 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -7,6 +7,7 @@
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, init_apex_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
diff --git a/private/file_contexts b/private/file_contexts
index 09b53b5..de2c898 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -268,6 +268,8 @@
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver32 u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e1fde43..5982ecf 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -7,3 +7,6 @@
set_prop(hwservicemanager, ctl_interface_start_prop)
set_prop(hwservicemanager, hwservicemanager_prop)
+
+# hwservicemanager is using bootstrap bionic
+use_bootstrap_libs(hwservicemanager)
diff --git a/private/property.te b/private/property.te
index 2a88cbf..871b673 100644
--- a/private/property.te
+++ b/private/property.te
@@ -45,6 +45,8 @@
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
+system_internal_prop(ctl_apex_load_prop)
+system_internal_prop(init_apex_status_private_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -628,6 +630,25 @@
} rollback_test_prop:property_service set;
neverallow {
+ domain
+ -init
+} init_apex_status_private_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -apexd
+} ctl_apex_load_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -init
+ -dumpstate
+ -apexd
+} {init_apex_status_private_prop ctl_apex_load_prop}:file no_rw_file_perms;
+
+neverallow {
# Only allow init and profcollectd to access profcollectd_node_id_prop
domain
-init
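Review bot: The three new neverallow blocks have no explanatory comment, whereas the neighbouring block in this hunk opens with `# Only allow init and profcollectd to access profcollectd_node_id_prop`; matching that style keeps the file self-describing. Suggest `# init.apex.* status may only be published by init` above the first block and `# ctl.apex_load / ctl.apex_unload may only be requested by apexd` above the second. The read neverallow exempts -coredomain and additionally -init, -dumpstate and -apexd; if those three are coredomain members the extra exclusions are redundant but harmless, so either note that or trim them the way the surrounding rules do.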
diff --git a/private/property_contexts b/private/property_contexts
index 3d1e7a5..cd880d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -162,6 +162,8 @@
ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+ctl.apex_load$ u:object_r:ctl_apex_load_prop:s0
+ctl.apex_unload$ u:object_r:ctl_apex_load_prop:s0
# Restrict access to starting/stopping adbd
ctl.start$adbd u:object_r:ctl_adbd_prop:s0
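Review bot: Both `ctl.apex_load$` and `ctl.apex_unload$` map to the single type ctl_apex_load_prop, so any domain allowed to request a load can also request an unload, and the type name hides that second capability. If the coupling is intended, a comment such as `# load and unload share one type: whoever may load an APEX may also unload it` makes it explicit; if not, a separate ctl_apex_unload_prop keeps the two requests independently controllable.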
@@ -274,8 +276,10 @@
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
apexd. u:object_r:apexd_prop:s0
+apexd.config. u:object_r:apexd_config_prop:s0
apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loop_wait.attempts u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
@@ -523,6 +527,15 @@
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.acl.link_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_type u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_type u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -726,6 +739,10 @@
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
+# apexd reads this property to check if init has done with ctl.apex_* messages
+# This should be the form of init.apex.<apex_name>.
+init.apex. u:object_r:init_apex_status_private_prop:s0 prefix enum loaded unloaded
+
libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
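Review bot: The comment on the new `init.apex.` entry is hard to parse ("check if init has done with ctl.apex_* messages", "This should be the form of"). Suggest: `# Written by init to report the outcome of ctl.apex_load / ctl.apex_unload requests; apexd polls it. Keys are init.apex.<apex_name>; values are limited to the enum below.` Since `prefix enum loaded unloaded` constrains every value under the prefix, any future status (an error state, say) needs this line extended, which is worth saying so it is not discovered at set time.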
@@ -1179,6 +1196,7 @@
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_adpf_cpu_hint u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..1bb2c21 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -3,114 +3,7 @@
###
### This file defines the security policy for the sdk sandbox processes.
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+type sdk_sandbox;
###
### neverallow rules
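Review bot: After this hunk private/sdk_sandbox.te declares only `type sdk_sandbox;` with no `domain` or `coredomain` attribute, and the visible diff does not show where the removed allow rules went, so a reader of this file cannot tell whether the sandbox lost its policy or the policy now lives elsewhere (presumably it moved out of the platform policy into a separately built policy module). Suggest a comment on the declaration: `# The sdk_sandbox domain's attributes and allow rules are defined outside the platform policy; only the type is declared here so the neverallow rules below can name it.` If the rules do move into a separately loaded policy, confirm that the platform neverallow checks are still evaluated against the combined policy rather than the platform half alone. The neverallow rules referencing sdk_sandbox begin after this hunk.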
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6294452..56a41e1 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -5,3 +5,6 @@
read_runtime_log_tags(servicemanager)
set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/private/system_server.te b/private/system_server.te
index 32b1abf..9ccd22d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
@@ -958,9 +959,7 @@
clear_ns
clear_uid
get_state
- list
lock
- migrate_any_key
pull_metrics
reset
unlock
diff --git a/public/domain.te b/public/domain.te
index 1db6a17..130948f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -639,22 +639,6 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
- # vendor services cant add system services
- neverallow {
- domain
- -coredomain
- } {
- service_manager_type
- -vendor_service
- }:service_manager add;
-')
-
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
@@ -670,6 +654,8 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -hal_service_type # see app_neverallows.te
+
-apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
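Review bot: The new `-hal_service_type` exemption removes HAL services from a neverallow whose stated purpose is that vendor apps use only stable public services, and the only justification is the pointer `# see app_neverallows.te`; the enclosing neverallow begins outside this hunk. If app_neverallows.te forbids every app domain from finding hal_service_type, say so here so the two files can be reviewed together: `-hal_service_type # app_neverallows.te already forbids all app domains from finding HAL services`. If that rule exempts some app types, this exemption widens what vendor apps may find and should be narrowed to match it.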
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 84c12d9..a2d2417 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -147,22 +147,28 @@
binder_call(dumpstate, { appdomain netd wificond })
# Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_authsecret)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_input_processor)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_nfc)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
-dump_hal(hal_contexthub)
-dump_hal(hal_drm)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_thermal)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
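Review bot: Replacing the targeted `binder_call` + `fifo_file write` + `fd use` rules with `dump_hal(...)` for hal_keymint, hal_weaver, hal_oemlock, hal_authsecret and hal_rebootescrow likely grants dumpstate more than it had: the te_macros comment in this change says dump_hal() marks dumpstate as a client of each HAL, and a client attribute normally carries whatever that HAL's client policy allows, not just dump(). For the key-handling and lock HALs that is a wider reachable surface from a bugreport-collecting process, so the change should state that dump_hal() grants only the binder/fifo/fd permissions or, if it grants the client attribute, why that is acceptable for these HALs. A comment above the block, e.g. `# dump_hal() makes dumpstate a client of each HAL; the security-sensitive ones (keymint, weaver, oemlock, authsecret, rebootescrow) were previously limited to binder_call + fifo/fd`, would at least flag it for the next audit.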
@@ -348,31 +354,6 @@
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
index 77d1d70..b59b15f 100644
--- a/public/hal_input_processor.te
+++ b/public/hal_input_processor.te
@@ -3,3 +3,6 @@
binder_call(hal_input_processor_server, servicemanager)
hal_attribute_service(hal_input_processor, hal_input_processor_service)
+
+# Allow dumping of the HAL
+allow hal_input_processor_server dumpstate:fifo_file write;
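Review bot: The new `allow hal_input_processor_server dumpstate:fifo_file write;` is only half of the pair the other HALs carried before this change (each removed block in dumpstate.te had `fifo_file write` together with `fd use`), and hal_input_processor is also covered by `dump_hal(hal_input_processor)` in dumpstate.te. Either dump_hal() already provides both permissions, in which case this line is redundant, or it provides neither and `allow hal_input_processor_server dumpstate:fd use;` is missing too; please check the macro and make this file consistent with the other HALs. The existing `# Allow dumping of the HAL` comment could name which macro is expected to supply the rest.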
diff --git a/public/kernel.te b/public/kernel.te
index 09d2480..b01c07a 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,10 +95,10 @@
staging_data_file
vendor_apex_file
}:file read;
-# Also allow the kernel to read /data/local/tmp files via loop device
-# for ApexTestCases
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
userdebug_or_eng(`
- allow kernel shell_data_file:file read;
+ allow kernel shell_data_file:file { read write };
')
# Allow the first-stage init (which is running in the kernel domain) to execute the
diff --git a/public/te_macros b/public/te_macros
index 58d04b4..db4ab3d 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -758,6 +758,8 @@
-$1_server
# some services are allowed to find all services
-atrace
+ # TODO(b/240362192): Remove dumpstate. It is already marked as client
+ # for each HAL via the dump_hal() macro.
-dumpstate
-shell
-system_app
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..12961e7 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -72,6 +72,7 @@
# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
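Review bot: The comment above the new `allow update_engine dm_user_device:chr_file r_file_perms;` still says the access exists to "read /dev/dm-user, so that we can inotify wait for control devices", which the directory rule already covered; opening the control character devices themselves is a different capability and the comment no longer explains it. Suggest replacing the comment with `# read /dev/dm-user (inotify wait for control devices created by ueventd) and open the dm-user control devices themselves once they appear`. The neighbouring rules target update_engine_common while this one targets update_engine; if that is deliberate, a word on why helps.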
diff --git a/tests/Android.bp b/tests/Android.bp
index 8ca952d..e271346 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -43,6 +43,11 @@
srcs: [
"treble_sepolicy_tests.py",
],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
libs: [
"mini_cil_parser",
"pysepolwrap",
@@ -55,6 +60,11 @@
srcs: [
"sepolicy_tests.py",
],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
libs: ["pysepolwrap"],
data: [":libsepolwrap"],
}
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index 9d2c636..79efecf 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -78,10 +78,10 @@
for r in TERules:
if len(r.perms) > 1:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
- " ".join(r.perms) + " };")
+ " ".join(sorted(r.perms)) + " };")
else:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
- " ".join(r.perms) + ";")
+ " ".join(sorted(r.perms)) + ";")
for r in sorted(rules):
print(r)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 79c55de..63144dd 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -15,10 +15,14 @@
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
+import pkgutil
import policy
import re
+import shutil
import sys
-import distutils.ccompiler
+import tempfile
+
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
#############################################################
# Tests
@@ -145,7 +149,11 @@
"TestDmaHeapDevTypeViolations",
]
-if __name__ == '__main__':
+def do_main(libpath):
+ """
+ Args:
+ libpath: string, path to libsepolwrap.so
+ """
usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
@@ -157,11 +165,6 @@
(options, args) = parser.parse_args()
- libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
- if not os.path.exists(libpath):
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -206,3 +209,17 @@
if len(results) > 0:
sys.exit(results)
+
+if __name__ == '__main__':
+ temp_dir = tempfile.mkdtemp()
+ try:
+ libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+ libpath = os.path.join(temp_dir, libname)
+ with open(libpath, "wb") as f:
+ blob = pkgutil.get_data("sepolicy_tests", libname)
+ if not blob:
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+ f.write(blob)
+ do_main(libpath)
+ finally:
+ shutil.rmtree(temp_dir)
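Review bot: The `if not blob:` check in the new `__main__` block will rarely fire: as far as pkgutil's contract goes, `pkgutil.get_data` raises OSError when the named resource is missing and returns None only when the package has no loader or the loader cannot fetch data, so a corrupted binary produces a traceback instead of the intended message. Wrap the call, e.g. `try: blob = pkgutil.get_data("sepolicy_tests", libname)` / `except OSError: blob = None`, before the existing check. The library file is also opened before the check, leaving an empty file in the temp dir on the error path; harmless given the rmtree in finally, but fetching the blob before `open(libpath, "wb")` avoids it.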
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index a3bf661..b49f138 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,13 +16,16 @@
from optparse import Option, OptionValueError
import os
import mini_parser
+import pkgutil
import policy
from policy import MatchPathPrefix
import re
+import shutil
import sys
-import distutils.ccompiler
+import tempfile
DEBUG=False
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
'''
Use file_contexts and policy to verify Treble requirements
@@ -341,7 +344,13 @@
"TrebleCompatMapping": TestTrebleCompatMapping,
"ViolatorAttributes": TestViolatorAttributes}
-if __name__ == '__main__':
+def do_main(libpath):
+ """
+ Args:
+ libpath: string, path to libsepolwrap.so
+ """
+ global pol, FakeTreble
+
usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
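Review bot: `do_main` now declares `global pol, FakeTreble`, turning what reads as local setup into assignment of module state that the Test* functions above consume, and the docstring does not mention it. Suggest extending the docstring: `Sets the module globals pol and FakeTreble (read by the test functions) and then runs the selected tests.` The rest of do_main, including the assignments to those globals, is outside this hunk.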
@@ -374,11 +383,6 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
- if not os.path.exists(libpath):
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -428,3 +432,17 @@
if len(results) > 0:
sys.exit(results)
+
+if __name__ == '__main__':
+ temp_dir = tempfile.mkdtemp()
+ try:
+ libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+ libpath = os.path.join(temp_dir, libname)
+ with open(libpath, "wb") as f:
+ blob = pkgutil.get_data("treble_sepolicy_tests", libname)
+ if not blob:
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+ f.write(blob)
+ do_main(libpath)
+ finally:
+ shutil.rmtree(temp_dir)
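Review bot: This `__main__` block is a line-for-line copy of the one added to sepolicy_tests.py (same SHARED_LIB_EXTENSION constant, same mkdtemp/get_data/rmtree sequence, same error string), which is two places to keep in sync the next time the library name or platform rules change. A small helper in the shared policy module that both files already import, e.g. `def extract_libsepolwrap(package, dest_dir)` returning the extracted path, would let both entry points call it and keep the platform extension logic in one place; I am assuming policy.py is a suitable home. The only difference between the two copies is the package name passed to get_data.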
diff --git a/tools/Android.bp b/tools/Android.bp
index fcf375d..8e40575 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -59,6 +59,13 @@
srcs: ["version_policy.c"],
}
+cc_binary {
+ name: "seamendc",
+ defaults: ["sepolicy_tools_defaults"],
+ srcs: ["seamendc.c"],
+ host_supported: true,
+}
+
python_binary_host {
name: "insertkeys",
srcs: ["insertkeys.py"],
diff --git a/tools/seamendc.c b/tools/seamendc.c
new file mode 100644
index 0000000..cd79c76
--- /dev/null
+++ b/tools/seamendc.c
@@ -0,0 +1,286 @@
+#include <getopt.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include <cil/cil.h>
+#include <cil/android.h>
+#include <sepol/policydb.h>
+#include "sepol/handle.h"
+
+void usage(const char *prog)
+{
+ printf("Usage: %s [OPTION]... FILE...\n", prog);
+ printf("Takes a binary policy file as input and applies the rules and definitions specified ");
+ printf("in the provided FILEs. Each FILE must be a policy file in CIL format.\n");
+ printf("\n");
+ printf("Options:\n");
+ printf(" -b, --base=<file> (required) base binary policy.\n");
+ printf(" -o, --output=<file> (required) write binary policy to <file>\n");
+ printf(" -v, --verbose increment verbosity level\n");
+ printf(" -h, --help display usage information\n");
+ exit(1);
+}
+
+/*
+ * Read binary policy file from path into the allocated pdb.
+ *
+ * We first read the binary policy into memory, and then we parse it to a
+ * policydb object using sepol_policydb_from_image. This combination is slightly
+ * faster than using sepol_policydb_read that reads the binary file in small
+ * chunks at a time.
+ */
+static int read_binary_policy(char *path, sepol_policydb_t *pdb)
+{
+ int rc = SEPOL_OK;
+ char *buff = NULL;
+ sepol_handle_t *handle = NULL;
+
+ FILE *file = fopen(path, "r");
+ if (!file) {
+ fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ struct stat binarydata;
+ rc = stat(path, &binarydata);
+ if (rc == -1) {
+ fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+ goto exit;
+ }
+
+ uint32_t file_size = binarydata.st_size;
+ if (!file_size) {
+ fprintf(stderr, "Binary policy file is empty.\n");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ buff = malloc(file_size);
+ if (buff == NULL) {
+ perror("malloc failed");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ rc = fread(buff, file_size, 1, file);
+ if (rc != 1) {
+ fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ handle = sepol_handle_create();
+ if (!handle) {
+ perror("Could not create policy handle");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ rc = sepol_policydb_from_image(handle, buff, file_size, pdb);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+ }
+
+exit:
+ if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+ perror("Failure closing binary file");
+ rc = SEPOL_ERR;
+ }
+ if(handle != NULL) {
+ sepol_handle_destroy(handle);
+ }
+ free(buff);
+ return rc;
+}
+
+/*
+ * read_cil_files - Initialize db and parse CIL input files.
+ */
+static int read_cil_files(struct cil_db **db, char **paths,
+ unsigned int n_files)
+{
+ int rc = SEPOL_ERR;
+ FILE *file = NULL;
+ char *buff = NULL;
+
+ for (int i = 0; i < n_files; i++) {
+ char *path = paths[i];
+
+ file = fopen(path, "r");
+ if (file == NULL) {
+ rc = SEPOL_ERR;
+ fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+ goto file_err;
+ }
+
+ struct stat filedata;
+ rc = stat(path, &filedata);
+ if (rc == -1) {
+ fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+ goto err;
+ }
+
+ uint32_t file_size = filedata.st_size;
+ buff = malloc(file_size);
+ if (buff == NULL) {
+ perror("malloc failed");
+ rc = SEPOL_ERR;
+ goto err;
+ }
+
+ rc = fread(buff, file_size, 1, file);
+ if (rc != 1) {
+ fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto err;
+ }
+ fclose(file);
+ file = NULL;
+
+ /* create parse_tree */
+ rc = cil_add_file(*db, path, buff, file_size);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failure adding %s to parse tree.\n", path);
+ goto parse_err;
+ }
+ free(buff);
+ buff = NULL;
+ }
+
+ return SEPOL_OK;
+err:
+ fclose(file);
+parse_err:
+ free(buff);
+file_err:
+ return rc;
+}
+
+/*
+ * Write binary policy in pdb to file at path.
+ */
+static int write_binary_policy(sepol_policydb_t *pdb, char *path)
+{
+ int rc = SEPOL_OK;
+
+ FILE *file = fopen(path, "w");
+ if (file == NULL) {
+ fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ struct sepol_policy_file *pf = NULL;
+ rc = sepol_policy_file_create(&pf);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to create policy file: %d.\n", rc);
+ goto exit;
+ }
+ sepol_policy_file_set_fp(pf, file);
+
+ rc = sepol_policydb_write(pdb, pf);
+ if (rc != 0) {
+ fprintf(stderr, "failed to write binary policy: %d.\n", rc);
+ goto exit;
+ }
+
+exit:
+ if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+ perror("Failure closing binary file");
+ rc = SEPOL_ERR;
+ }
+ return rc;
+}
+
+int main(int argc, char *argv[])
+{
+ char *base = NULL;
+ char *output = NULL;
+ enum cil_log_level log_level = CIL_ERR;
+ static struct option long_opts[] = {{"base", required_argument, 0, 'b'},
+ {"output", required_argument, 0, 'o'},
+ {"verbose", no_argument, 0, 'v'},
+ {"help", no_argument, 0, 'h'},
+ {0, 0, 0, 0}};
+
+ while (1) {
+ int opt_index = 0;
+ int opt_char = getopt_long(argc, argv, "b:o:vh", long_opts, &opt_index);
+ if (opt_char == -1) {
+ break;
+ }
+ switch (opt_char)
+ {
+ case 'b':
+ base = optarg;
+ break;
+ case 'o':
+ output = optarg;
+ break;
+ case 'v':
+ log_level++;
+ break;
+ case 'h':
+ usage(argv[0]);
+ default:
+ fprintf(stderr, "Unsupported option: %s.\n", optarg);
+ usage(argv[0]);
+ }
+ }
+ if (base == NULL || output == NULL) {
+ fprintf(stderr, "Please specify required arguments.\n");
+ usage(argv[0]);
+ }
+
+ cil_set_log_level(log_level);
+
+ // Initialize and read input policydb file.
+ sepol_policydb_t *pdb = NULL;
+ int rc = sepol_policydb_create(&pdb);
+ if (rc != 0) {
+ fprintf(stderr, "Could not create policy db: %d.\n", rc);
+ exit(rc);
+ }
+
+ rc = read_binary_policy(base, pdb);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+ exit(rc);
+ }
+
+ // Initialize cil_db.
+ struct cil_db *incremental_db = NULL;
+ cil_db_init(&incremental_db);
+ cil_set_attrs_expand_generated(incremental_db, 1);
+
+ // Read input cil files and compile them into cil_db.
+ rc = read_cil_files(&incremental_db, argv + optind, argc - optind);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to read CIL files: %d.\n", rc);
+ exit(rc);
+ }
+
+ rc = cil_compile(incremental_db);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to compile cildb: %d.\n", rc);
+ exit(rc);
+ }
+
+ // Amend the policydb.
+ rc = cil_amend_policydb(incremental_db, pdb);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to build policydb.\n");
+ exit(rc);
+ }
+
+ rc = write_binary_policy(pdb, output);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to write binary policy: %d.\n", rc);
+ exit(rc);
+ }
+}
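Review bot: seamendc.c uses errno in read_binary_policy, read_cil_files and write_binary_policy without including <errno.h>, so it only builds when another header happens to pull it in; add `#include <errno.h>`. Both readers stat() the path after fopen() has already produced a stream, which is a path-based check on an object that is already open; size it through the descriptor instead with `rc = fstat(fileno(file), &binarydata);` (and likewise in read_cil_files), and note that `uint32_t file_size = binarydata.st_size;` silently truncates st_size, so a check against UINT32_MAX or a size_t would make the limit explicit. In main's `default:` case optarg is not set by getopt_long for an unrecognized option, so `"Unsupported option: %s.\n", optarg` may print stale text or pass NULL to %s; since getopt already reports the bad option on stderr, `fprintf(stderr, "Unsupported option.\n");` is enough. `-h` currently exits with status 1 through usage(), which scripts will read as failure. An empty CIL file also ends on the "Failure reading" path with a misleading errno text, because `fread(buff, 0, 1, file)` returns 0; an explicit `if (!file_size)` check, as read_binary_policy already does, gives a clear error.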