Merge "Add Google specific module for RKPD for sepolicy."
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7f6d98d..2ee0ae2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -29,6 +29,7 @@
"android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
"android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.can.ICanController/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 9222bdb..c2a3f4c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -85,7 +85,6 @@
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 419caa1..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,9 +120,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# All domains used for apps with network access.
-attribute netdomain;
-
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
-# Create and use network sockets.
-net_domain(shell)
-
# Root fs.
allow shell rootfs:dir r_dir_perms;
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index 152de51..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -6,8 +6,6 @@
type su, domain;
# Add su to various domains
-net_domain(su)
-
dontaudit su self:capability_class_set *;
dontaudit su self:capability2 *;
dontaudit su kernel:security *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 8a7947d..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 8d3e556..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
sysfs_zram
}:file r_file_perms;
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
diff --git a/private/artd.te b/private/artd.te
index 63045af..96b2990 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
# Allow testing userfaultfd support.
userfaultfd_use(artd)
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 849be82..2f8887b 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2116,7 +2116,7 @@
(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
(typeattributeset proc_filesystems_33_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_fs_verity_33_0 (proc))
(typeattributeset proc_hostname_33_0 (proc_hostname))
(typeattributeset proc_hung_task_33_0 (proc_hung_task))
(typeattributeset proc_interrupts_33_0 (proc_interrupts))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 786dc14..4e6c053 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -42,4 +42,5 @@
hal_broadcastradio_service
hal_confirmationui_service
hal_fastboot_service
+ hal_can_controller_service
))
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
@@ -110,6 +111,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
diff --git a/private/crosvm.te b/private/crosvm.te
index 9c45131..d4d29b0 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -42,6 +42,12 @@
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+ allow crosvm shell_data_file:dir search;
+ allow crosvm shell_data_file:file open;
+')
+
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
diff --git a/private/domain.te b/private/domain.te
index 9de23ba..787a559 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -650,7 +650,7 @@
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
@@ -669,6 +669,51 @@
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+ domain
+ -adbd
+ -artd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
# respect system_app sandboxes
neverallow {
domain
diff --git a/private/file_contexts b/private/file_contexts
index 72fae62..632e069 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,7 +223,7 @@
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
+/system/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d0af186..6fa98ea 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
diff --git a/private/property_contexts b/private/property_contexts
index a6a6ce4..38ed8d5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -321,6 +321,8 @@
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 4f907d1..e9fc83c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -6,6 +6,7 @@
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default u:object_r:hal_can_controller_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
diff --git a/public/domain.te b/public/domain.te
index 1e135b0..f99243b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1111,37 +1111,6 @@
-installd
} shell_data_file:lnk_file read;
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-# artd doesn't need to access /data/local/tmp, but it needs to access
-# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
-# dex files.
-neverallow {
- domain
- -adbd
- -artd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -artd
- -dumpstate
- -init
- -installd
- -simpleperf_app_runner
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..6d4cc89 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,8 @@
binder_call(hal_can_bus_client, hal_can_bus_server)
binder_call(hal_can_bus_server, hal_can_bus_client)
hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_call(hal_can_controller, servicemanager)
+
diff --git a/public/service.te b/public/service.te
index 819498c..1fcaaf1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -275,6 +275,7 @@
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5b2df7e..a8655b0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..12bb028 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -9,10 +9,12 @@
allow hal_can_socketcan self:capability net_admin;
allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
-# Calling if_nametoindex(3) to open CAN sockets
+# See man page for netdevice(7) for more info on ioctls
allow hal_can_socketcan self:udp_socket { create ioctl };
allowxperm hal_can_socketcan self:udp_socket ioctl {
SIOCGIFINDEX
+ SIOCGIFFLAGS
+ SIOCSIFFLAGS
};
# Communicating with SocketCAN interfaces and bringing them up/down