Merge "tracefs: remove debugfs/tracing rules on release devices" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c799171..7a26ad8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -189,6 +189,7 @@
/dev/socket socket_device
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
+/dev/socket/aconfigd aconfigd_socket
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
/dev/socket/fwmarkd fwmarkd_socket
@@ -367,6 +368,7 @@
/system/bin/mediatranscoding mediatranscoding_exec
/system/bin/mediatuner mediatuner_exec
/system/bin/mdnsd mdnsd_exec
+/system/bin/ot-ctl ot_ctl_exec
/system/bin/installd installd_exec
/system/bin/otapreopt_chroot otapreopt_chroot_exec
/system/bin/otapreopt_slot otapreopt_slot_exec
@@ -432,6 +434,7 @@
/system/bin/virtual_touchpad virtual_touchpad_exec
/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
/system/bin/hw/android.system.suspend-service system_suspend_exec
+/system/etc/aconfig system_aconfig_storage_file
/system/etc/cgroups.json cgroup_desc_file
/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
@@ -462,6 +465,7 @@
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
+/system/bin/aconfigd aconfigd_exec
/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
/system/bin/stats stats_exec
/system/bin/statsd statsd_exec
@@ -495,6 +499,7 @@
/system/vendor/bin/toolbox vendor_toolbox_exec
/vendor/etc vendor_configs_file
/vendor/etc/does_not_exist vendor_configs_file
+/vendor/etc/aconfig vendor_aconfig_storage_file
/system/vendor/etc vendor_configs_file
/system/vendor/etc/does_not_exist vendor_configs_file
/vendor/etc/cgroups.json vendor_cgroup_desc_file
@@ -729,6 +734,8 @@
/system_ext/overlay/does_not_exist vendor_overlay_file
/system/system_ext/overlay vendor_overlay_file
/system/system_ext/overlay/does_not_exist vendor_overlay_file
+/system_ext/etc/aconfig system_aconfig_storage_file
+/product/etc/aconfig system_aconfig_storage_file
/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
diff --git a/private/aconfigd.te b/private/aconfigd.te
new file mode 100644
index 0000000..43a08ce
--- /dev/null
+++ b/private/aconfigd.te
@@ -0,0 +1,36 @@
+# aconfigd -- manager for aconfig flags
+type aconfigd, domain;
+type aconfigd_exec, exec_type, file_type, system_file_type;
+
+typeattribute aconfigd coredomain;
+
+init_daemon_domain(aconfigd)
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
+
+allow aconfigd metadata_file:dir search;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+
+# allow aconfigd to log to the kernel.
+allow aconfigd kmsg_device:chr_file w_file_perms;
+
+# allow aconfigd to read system/system_ext/product partition storage files
+allow aconfigd system_aconfig_storage_file:file r_file_perms;
+allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
+
+# allow aconfigd to read vendor partition storage files
+allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
+allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
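Review bot: Nothing in this new file bounds who may use `aconfigd_socket`: the only rule on it is aconfigd's own `rw_file_perms`, and no client domain or neverallow appears here. Because aconfigd can create and rewrite the flag storage under the two metadata types, the socket is the path by which other domains would influence flag values, so it deserves the treatment this commit gives `ot_daemon_socket`. Once the client set is decided, consider a rule of the form `neverallow { domain -init -aconfigd <intended clients> } aconfigd_socket:sock_file *;` with a comment naming those clients.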
diff --git a/private/adbd.te b/private/adbd.te
index d72d5b1..e735222 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -226,6 +226,10 @@
# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file r_file_perms;
+# allow reading tombstones. users can already use bugreports to get those.
+allow adbd tombstone_data_file:dir r_dir_perms;
+allow adbd tombstone_data_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/app.te b/private/app.te
index 1ef6ceb..b0b5dbb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -132,9 +132,9 @@
allow appdomain apex_art_data_file:file rx_file_perms;
# Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
+# An app cannot open the tombstone itself because it lacks `open`.
allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
+neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
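Review bot: Subtracting `shell` in `neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };` removes every compile-time bound on shell's access to tombstone files, not only the `open` it needs. The shell.te part of this commit grants just `r_file_perms`, so a companion rule such as `neverallow shell tombstone_data_file:file no_w_file_perms;` would keep the carve-out read-only. The new comment could also record why shell is exempt, for example `# shell is an appdomain (app_domain(shell)) but is granted r_file_perms on tombstones in shell.te`.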
@@ -464,6 +464,9 @@
# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;
+# Allow app to access shared memory created by PowerHAL for FMQ use
+allow { appdomain -isolated_app_all } hal_power_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 351d647..5f835a4 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -23,6 +23,7 @@
hal_threadnetwork_service
hidl_memory_prop
hidraw_device
+ input_device_config_prop
virtual_camera_service
ot_daemon_service
ot_daemon_socket
@@ -45,4 +46,7 @@
profiling_service
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
+ aconfigd
+ aconfigd_exec
+ aconfigd_socket
))
diff --git a/private/domain.te b/private/domain.te
index 59e30c8..66bce05 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -652,6 +652,7 @@
-vendor_task_profiles_file
-vendor_uuid_mapping_config_file
-vndk_sp_file
+ -vendor_aconfig_storage_file
}:file *;
')
@@ -808,3 +809,7 @@
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
+
+# Do not allow write access to aconfig flag value files except init and aconfigd
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
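Review bot: The added comment describes a write restriction, but the `:dir *` rule beneath it denies every directory permission, including `search` and `read`, to all domains other than init and aconfigd. Only the `:file` rule is limited to `no_w_file_perms`. A maintainer relying on the comment would expect other domains to be able to open these files by path, which the dir rule prevents. I would reword it to `# Only init and aconfigd may access the aconfig storage directories or write the files in them`.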
diff --git a/private/file.te b/private/file.te
index 24c118a..c4341af 100644
--- a/private/file.te
+++ b/private/file.te
@@ -148,3 +148,12 @@
# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;
+
+# Type for aconfig daemon socket
+type aconfigd_socket, file_type, coredomain_socket;
+
+# Type for /(system|system_ext|product)/etc/aconfig
+type system_aconfig_storage_file, system_file_type, file_type;
+
+# Type for /vendor/etc/aconfig
+type vendor_aconfig_storage_file, vendor_file_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b9d661a..350c79a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/aconfigd u:object_r:aconfigd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
@@ -288,6 +289,7 @@
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/ot-ctl u:object_r:ot_ctl_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
@@ -357,6 +359,7 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
+/(system|system_ext|product)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
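Review bot: The new pattern `/(system|system_ext|product)/etc/aconfig(/.*)?` does not match `/system/system_ext/etc/aconfig` or `/system/product/etc/aconfig`, although other entries in this commit cover both layouts (`/(vendor|system/vendor)/etc/aconfig(/.*)?` in the last hunk of this file, `/system/system_ext/overlay` in plat_file_contexts_test). On a build where those partitions live under /system, the storage files would presumably get a generic system label, and aconfigd's `system_aconfig_storage_file` read rules would not apply to them. If that layout is supported, widen the alternation to `/(system|system_ext|system/system_ext|product|system/product)/etc/aconfig(/.*)?`. The test file should then gain matching lines, plus one path below the directory to exercise `(/.*)?`.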
@@ -386,6 +389,7 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/aconfigd u:object_r:aconfigd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
@@ -428,6 +432,8 @@
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+/(vendor|system/vendor)/etc/aconfig(/.*)? u:object_r:vendor_aconfig_storage_file:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..7325ce5
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,12 @@
+#
+# ot-ctl is a command line tool for controlling ot-daemon
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, file_type, system_file_type;
+
+# ot-ctl is available in only userdebug or eng build
+userdebug_or_eng(`
+ # ot-ctl connects to ot-daemon via the socket
+ allow ot_ctl ot_daemon_socket:sock_file rw_file_perms;
+')
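Review bot: This new file declares `ot_ctl` and one `sock_file` rule but contains no rule that lets any process enter the domain. Unless a transition is defined elsewhere, `/system/bin/ot-ctl` keeps running in its caller's domain, the allow rule here never applies, and the neverallow added to ot_daemon.te in this commit blocks the caller instead. If the daemon socket is a stream socket, the client also needs `connectto` on the daemon; `unix_socket_connect(ot_ctl, ot_daemon, ot_daemon)`, the macro platform_app.te uses in this commit, grants both. Consider adding the transition inside the `userdebug_or_eng` block with a comment naming the domain expected to launch the tool.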
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 341fa9c..2fc74b5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -39,3 +39,12 @@
# For collecting bugreports.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;
+
+# ot-daemon socket is for only ot-daemon and ot-ctl
+neverallow {
+ domain
+ -ot_daemon
+ userdebug_or_eng(`-ot_ctl')
+ -init
+ -vendor_init
+} ot_daemon_socket:sock_file *;
diff --git a/private/platform_app.te b/private/platform_app.te
index cd95353..eb1a7c7 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -64,10 +64,24 @@
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
+# Allow sharing traces to betterbug from /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app trace_data_file:file create_file_perms;
+ allow platform_app trace_data_file:dir rw_dir_perms;
+')
+
# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
userdebug_or_eng(`
allow platform_app wm_trace_data_file:dir rw_dir_perms;
- allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink rw_file_perms };
+')
+
+
+# To exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. Allow to access traced's privileged consumer socket.
+userdebug_or_eng(`
+ allow platform_app perfetto_exec:file rx_file_perms;
+ unix_socket_connect(platform_app, traced_consumer, traced);
')
allow platform_app audioserver_service:service_manager find;
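Review bot: The comments in this hunk do not match the rules beneath them. Both the new `trace_data_file` block and the `wm_trace_data_file` block cite /data/misc/wmtrace, so one of the two paths is probably wrong; the wmshell comment still says "writing and removing" although the rule now grants `rw_file_perms`; and "stdint" should read "stdin". The last block gives every platform-signed app on debug builds the perfetto client and traced's privileged consumer socket, so its comment should name the feature that needs it, as the first block does with betterbug. Suggested wording for the middle block: `# Allow reading, writing and removing wmshell protolog in /data/misc/wmtrace.`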
diff --git a/private/property_contexts b/private/property_contexts
index fe12202..7e31dd7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -288,6 +288,9 @@
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+# Prop indicates the apex that bundles input configuration files (*.idc,*.kl,*.kcm)
+input_device.config_file.apex u:object_r:input_device_config_prop:s0 exact string
+
# Properties that is for staging
next_boot. u:object_r:next_boot_prop:s0
diff --git a/private/shell.te b/private/shell.te
index bfcd5ac..60684f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -17,6 +17,10 @@
# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
+# allow reading tombstones. users can already use bugreports to get those.
+allow shell tombstone_data_file:dir r_dir_perms;
+allow shell tombstone_data_file:file r_file_perms;
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/private/system_server.te b/private/system_server.te
index 5b0caaa..886499e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -520,6 +520,7 @@
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
+get_prop(system_server, input_device_config_prop)
# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
@@ -1527,9 +1528,8 @@
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
# Only system server should access /metadata/aconfig
-# TODO: add storage daemon to neverallow exception when it is introduced
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
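Review bot: The retained comment `# Only system server should access /metadata/aconfig` is out of date, because both neverallow rules below it now exempt `aconfigd` as well as `init` and `system_server`. Update it to `# Only init, system_server and aconfigd may access the aconfig flag storage under /metadata/aconfig` so the comment and the exemption list agree.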
diff --git a/private/traced.te b/private/traced.te
index d4e5bec..796095f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -28,6 +28,7 @@
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
+allow traced platform_app:fd use;
allow traced trace_data_file:file { read write };
# Allow perfetto to access the proxy service for notifying Traceur.
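Review bot: `allow traced platform_app:fd use;` is granted on every build type, while the platform_app rules that rely on it (perfetto exec, the consumer socket, `trace_data_file`) are all wrapped in `userdebug_or_eng` in platform_app.te. The same applies to the `-platform_app` exemption added in the second hunk of this file, whose neverallow begins outside the visible lines, so its target cannot be confirmed from here. Wrapping the allow in `userdebug_or_eng` and writing the exemption in the conditional form ot_daemon.te uses for `-ot_ctl` would keep user builds as tight as before.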
@@ -119,6 +120,7 @@
-traced
-dumpstate
-traceur_app
+ -platform_app
-shell
-system_server
-perfetto
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access to the
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index dde98c0..45dc8a1 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -38,6 +38,9 @@
allow virtual_camera gpu_device:chr_file rw_file_perms;
allow virtual_camera gpu_device:dir r_dir_perms;
+# Allow virtual camera to use graphics composer fd-s (fences).
+allow virtual_camera hal_graphics_composer:fd use;
+
# For collecting bugreports.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;
diff --git a/public/domain.te b/public/domain.te
index 755b4b2..0a2a5e5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -259,13 +259,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
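Review bot: The rewritten comment says the integrity permission "mainly duplicates" existing rules, which leaves open what is not duplicated. On kernels older than 5.16, where the comment implies the lockdown class is still checked, `allow domain self:lockdown { confidentiality integrity };` grants that remainder to every domain on user builds, since this commit also deletes the user-build neverallow. The comment should state this explicitly and either list the operations that lose SELinux coverage or say that b/285443587 records them. A `TODO(b/<tracking bug>)` would make the "should be removed" sentence actionable.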
@@ -629,11 +630,6 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# Do not allow write access to the general aconfig pb file and boot flag value files except init
-# TODO: need to add storage daemon into this exception list once it is created
-neverallow { domain -init } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
-
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
@@ -1310,6 +1306,3 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/public/property.te b/public/property.te
index c513434..453a467 100644
--- a/public/property.te
+++ b/public/property.te
@@ -160,6 +160,7 @@
system_vendor_config_prop(hypervisor_prop)
system_vendor_config_prop(hypervisor_restricted_prop)
system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(input_device_config_prop)
system_vendor_config_prop(keyguard_config_prop)
system_vendor_config_prop(keystore_config_prop)
system_vendor_config_prop(lmkd_config_prop)