Merge "Dontaudit zygote to read and open media_rw_data_file dir"
diff --git a/Android.bp b/Android.bp
index 55951e2..8fa57ca 100644
--- a/Android.bp
+++ b/Android.bp
@@ -634,3 +634,104 @@
relative_install_path: "selinux/mapping",
installable: false,
}
+
+///////////////////////////////////////////////////////////////////
+genrule {
+ name: "microdroid_pub_policy.cil_gen",
+ srcs: [
+ ":microdroid_sepolicy_public_and_reqd_mask_build_files",
+ ":microdroid_reqd_policy_mask.cil_gen",
+ ],
+ tools: ["m4", "checkpolicy", "build_sepolicy"],
+ out: ["pub_policy.cil"],
+ cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
+ "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
+ "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
+ visibility: ["//visibility:private"],
+}
+
+genrule {
+ name: "microdroid_plat_pub_versioned.cil_gen",
+ srcs: [":microdroid_pub_policy.cil_gen"],
+ tools: ["version_policy"],
+ out: ["plat_pub_versioned.cil"],
+ cmd: "$(location version_policy) " +
+ "-b $(location :microdroid_pub_policy.cil_gen) " +
+ "-t $(location :microdroid_pub_policy.cil_gen) " +
+ "-n 10000.0 " +
+ "-o $(out)",
+ visibility: ["//visibility:private"],
+}
+
+filegroup {
+ name: "microdroid_vendor_sepolicy_build_files",
+ srcs: [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "public/global_macros",
+ "public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "public/te_macros",
+ "public/attributes",
+ "public/ioctl_defines",
+ "public/ioctl_macros",
+ "public/*.te",
+ "reqd_mask/*.te",
+ "vendor/*.te",
+ "reqd_mask/roles_decl",
+ "public/roles",
+ "reqd_mask/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+ ],
+}
+
+genrule {
+ name: "microdroid_vendor_sepolicy.cil_gen",
+ srcs: [
+ ":microdroid_vendor_sepolicy_build_files",
+ ":microdroid_plat_pub_versioned.cil_gen",
+ ":microdroid_pub_policy.cil_gen",
+ ":microdroid_reqd_policy_mask.cil_gen",
+ ],
+ tools: [
+ "m4",
+ "build_sepolicy",
+ "checkpolicy",
+ "secilc",
+ "version_policy",
+ ],
+ out: ["vendor_sepolicy.cil"],
+ cmd: policy_to_conf_flags + " -s $(locations :microdroid_vendor_sepolicy_build_files) > $(out).conf && " +
+ "$(location build_sepolicy) " +
+ "--android_host_path $$(dirname $(location build_sepolicy)) " +
+ "build_cil " +
+ "--input_policy_conf $(out).conf " +
+ "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
+ "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
+ "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
+ "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
+ "--treble_sepolicy_vers 10000.0 " +
+ "--policy_vers 30 " +
+ "--output_cil $(out)",
+ visibility: ["//visibility:private"],
+}
+
+prebuilt_etc {
+ name: "microdroid_vendor_sepolicy.cil",
+ src: ":microdroid_vendor_sepolicy.cil_gen",
+ filename: "vendor_sepolicy.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_plat_pub_versioned.cil",
+ src: ":microdroid_plat_pub_versioned.cil_gen",
+ filename: "plat_pub_versioned.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
diff --git a/private/bpfloader.te b/private/bpfloader.te
index f1932bb..ae9b52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -11,7 +11,7 @@
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-allow bpfloader self:capability { chown sys_admin };
+allow bpfloader self:capability { chown sys_admin net_admin };
set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/coredomain.te b/private/coredomain.te
index de9b953..9fe82d3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,7 @@
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 9612b90..5695cc3 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -20,3 +20,6 @@
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 990bc29..8d33d5d 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -13,3 +13,7 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
diff --git a/private/property.te b/private/property.te
index 34c0fd8..88f3ec0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -21,6 +21,7 @@
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(suspend_prop)
@@ -556,3 +557,9 @@
# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+ # Only allow init and shell to set rollback_test_prop
+ -init
+ -shell
+} rollback_test_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 22e0ff6..1854bd7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1122,3 +1122,7 @@
# SOC related props
ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
ro.soc.model u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
diff --git a/private/shell.te b/private/shell.te
index 94a2c2e..a99ada8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -94,6 +94,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/system_server.te b/private/system_server.te
index 8bee1bf..349a0b8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -891,6 +891,15 @@
use
};
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index e19ad1c..7361af1 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -21,6 +21,7 @@
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
allow hal_wifi_supplicant wifi_key:keystore2_key {