Merge "Ignore crash_dump access to mapped files" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 5b2a75e..4daff80 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -293,3 +293,17 @@
"com.android.configinfrastructure-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.biometrics.virtual.fingerprint-file_contexts",
+ srcs: [
+ "com.android.biometrics.virtual.fingerprint-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.uprobestats-file_contexts",
+ srcs: [
+ "com.android.uprobestats-file_contexts",
+ ],
+}
diff --git a/apex/com.android.biometrics.virtual.fingerprint-file_contexts b/apex/com.android.biometrics.virtual.fingerprint-file_contexts
new file mode 100644
index 0000000..940934b
--- /dev/null
+++ b/apex/com.android.biometrics.virtual.fingerprint-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:virtual_fingerprint_exec:s0
diff --git a/apex/com.android.uprobestats-file_contexts b/apex/com.android.uprobestats-file_contexts
new file mode 100644
index 0000000..01de3e2
--- /dev/null
+++ b/apex/com.android.uprobestats-file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/bin/uprobestats u:object_r:uprobestats_exec:s0
+
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 726bbbc..0c98d1b 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -47,6 +47,7 @@
"android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
"android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
diff --git a/private/app.te b/private/app.te
index cc69e5e..c51ba8b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -641,12 +641,6 @@
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
-
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bf723c5..0e2b01c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -45,6 +45,10 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+# Do not allow untrusted apps to modify temporarily staged APKs.
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
+
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 869deb6..5dc8bc4 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,5 +1,6 @@
;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
+(type otapreopt_chroot)
(type vendor_hidraw_device)
(typeattributeset dev_type (vendor_hidraw_device))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index bd9bc84..73058ef 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -6,8 +6,6 @@
(typeattributeset new_objects
( new_objects
profcollectd_etr_prop
- fs_bpf_lmkd_memevents_rb
- fs_bpf_lmkd_memevents_prog
fstype_prop
binderfs_logs_transactions
binderfs_logs_transaction_history
@@ -15,4 +13,6 @@
supervision_service
sysfs_udc
app_function_service
+ virtual_fingerprint
+ virtual_fingerprint_exec
))
diff --git a/private/crosvm.te b/private/crosvm.te
index 3cae672..1031f0f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -24,10 +24,16 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationmanager:fd use;
+allow crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fd use;
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
-allow crosvm virtualizationmanager:fifo_file write;
+allow crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -66,7 +72,10 @@
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
+allow crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
@@ -125,7 +134,10 @@
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
+dontaudit crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -138,7 +150,6 @@
allow crosvm vfio_device:dir r_dir_perms;
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
-allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
@@ -150,6 +161,9 @@
allow crosvm vmnic:fd use;
')
+# Early VMs may print messages to kmsg_debug_device.
+allow crosvm kmsg_debug_device:chr_file w_file_perms;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
@@ -201,4 +215,6 @@
# TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
# directly. It should be removed once the KeyMint VM can be started with early_virtmgr
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-init')
+
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index 484077c..e244be2 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -6,8 +6,61 @@
use_bootstrap_libs(early_virtmgr)
+ # Let early_virtmgr create files and directories inside /mnt/vm/early.
allow early_virtmgr vm_data_file:dir create_dir_perms;
allow early_virtmgr vm_data_file:file create_file_perms;
+ allow early_virtmgr vm_data_file:sock_file create_file_perms;
+
+ # Allow early_virtmgr to communicate use, read and write over the adb connection.
+ allow early_virtmgr adbd:fd use;
+ allow early_virtmgr adbd:unix_stream_socket { getattr read write };
+
+ # Allow writing VM logs to the shell console
+ allow early_virtmgr devpts:chr_file { read write getattr ioctl };
+
+ # Let the early_virtmgr domain use Binder.
+ binder_use(early_virtmgr)
+
+ # When early_virtmgr execs a file with the crosvm_exec label, run it in the crosvm domain.
+ domain_auto_trans(early_virtmgr, crosvm_exec, crosvm)
+
+ # Let early_virtmgr kill crosvm.
+ allow early_virtmgr crosvm:process sigkill;
+
+ # Allow early_virtmgr to read apex-info-list.xml and access the APEX files listed there.
+ allow early_virtmgr apex_info_file:file r_file_perms;
+ allow early_virtmgr apex_data_file:dir search;
+
+ # Ignore harmless denials on /proc/self/fd
+ dontaudit early_virtmgr self:dir write;
+
+ # Let early_virtmgr to accept vsock connection from the guest VMs
+ allow early_virtmgr self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Allow early_virtmgr to inspect all hypervisor capabilities.
+ get_prop(early_virtmgr, hypervisor_prop)
+ get_prop(early_virtmgr, hypervisor_pvmfw_prop)
+ get_prop(early_virtmgr, hypervisor_restricted_prop)
+ get_prop(early_virtmgr, hypervisor_virtualizationmanager_prop)
+
+ # Allow early_virtmgr to read file system DT for VM reference DT and AVF debug policy
+ r_dir_file(early_virtmgr, proc_dt_avf)
+ r_dir_file(early_virtmgr, sysfs_dt_avf)
+
+ # early_virtmgr to be client of secretkeeper HAL. It ferries SecretManagement messages from pVM
+ # to HAL.
+ hal_client_domain(early_virtmgr, hal_secretkeeper);
+
+ # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+ r_dir_file(early_virtmgr, crosvm);
+
+ # Allow early_virtmgr to:
+ # 1) bind to a vsock port less than 1024, because early VMs use static CIDs less than 1024
+ # 2) call RLIMIT_MEMLOCK for itself
+ allow early_virtmgr self:global_capability_class_set { net_bind_service ipc_lock sys_resource };
+
+ # early_virtmgr may print messages to kmsg_debug_device.
+ allow early_virtmgr kmsg_debug_device:chr_file w_file_perms;
###
### Neverallow rules
@@ -16,4 +69,7 @@
# Only crosvm and early_virtmgr can access vm_data_file
neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
+
+ # No other domains can accept vsock connection from the guest VMs
+ neverallow { domain -early_virtmgr } early_virtmgr:vsock_socket { accept bind create connect listen };
')
diff --git a/private/file.te b/private/file.te
index 3cb8d18..70b8523 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,6 +9,7 @@
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
type fs_bpf_uprobestats, fs_type, bpffs_type;
+type fs_bpf_memevents, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e87e7ff..b8b7247 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -330,13 +330,11 @@
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /loader u:object_r:fs_bpf_loader:s0
-genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
+genfscon bpf /memevents u:object_r:fs_bpf_memevents:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
-genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
-genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/hal_fingerprint.te b/private/hal_fingerprint.te
index a1d68be..3295cc7 100644
--- a/private/hal_fingerprint.te
+++ b/private/hal_fingerprint.te
@@ -15,6 +15,6 @@
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, cgroup_v2)
-r_dir_file(hal_fingerprint, sysfs)
+r_dir_file({hal_fingerprint -coredomain}, sysfs)
diff --git a/private/hal_keymint.te b/private/hal_keymint.te
index ba29956..6c7b577 100644
--- a/private/hal_keymint.te
+++ b/private/hal_keymint.te
@@ -4,5 +4,5 @@
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
-allow hal_keymint_server tee_device:chr_file rw_file_perms;
-allow hal_keymint_server ion_device:chr_file r_file_perms;
+allow { hal_keymint_server -coredomain } tee_device:chr_file rw_file_perms;
+allow { hal_keymint_server -coredomain } ion_device:chr_file r_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 8d22552..97dc398 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -19,9 +19,9 @@
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf { map_read map_write prog_run };
-# Needed for polling directly from the bpf ring buffer's fd
-allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
-allow lmkd fs_bpf_lmkd_memevents_prog:file read;
+# Needed to interact with memevents-eBPF and receive notifications for memory events
+allow lmkd fs_bpf_memevents:file { read write };
+allow lmkd fs_bpf_memevents:dir search;
allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 73e170b..2aeab0b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,5 @@
# otapreopt_chroot executable
+starting_at_board_api(202504, `type otapreopt_chroot, domain;')
typeattribute otapreopt_chroot coredomain;
type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
diff --git a/private/property.te b/private/property.te
index 54565f9..402585e 100644
--- a/private/property.te
+++ b/private/property.te
@@ -68,6 +68,7 @@
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)
system_internal_prop(system_service_enable_prop)
+system_internal_prop(ctl_artd_pre_reboot_prop)
# Properties which can't be written outside system
diff --git a/private/property_contexts b/private/property_contexts
index bfe2a52..7e9f1ca 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -202,6 +202,11 @@
ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+# Restrict access to starting/stopping artd_pre_reboot.
+ctl.start$artd_pre_reboot u:object_r:ctl_artd_pre_reboot_prop:s0
+ctl.stop$artd_pre_reboot u:object_r:ctl_artd_pre_reboot_prop:s0
+ctl.restart$artd_pre_reboot u:object_r:ctl_artd_pre_reboot_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -314,6 +319,7 @@
apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.loop_wait.attempts u:object_r:apexd_config_prop:s0 exact uint
apexd.config.boot_activation.threads u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loopback.readahead u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
@@ -1604,6 +1610,7 @@
# bootanimation properties
ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+ro.product.bootanim.file u:object_r:bootanim_config_prop:s0 exact string
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index 71abb42..5fdae3c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -28,6 +28,7 @@
android.hardware.biometrics.face.IFace/virtual u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
diff --git a/private/system_server.te b/private/system_server.te
index 0385df3..fc4faef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -774,6 +774,7 @@
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)
+set_prop(system_server, ctl_artd_pre_reboot_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
@@ -1236,6 +1237,10 @@
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit system_server self:key_socket getopt;
+# Needed to interact with memevents-eBPF and receive notifications for memory events
+allow system_server fs_bpf_memevents:dir search;
+allow system_server fs_bpf_memevents:file { read write };
+
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process { sigkill signal };
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 0faf0c5..fa8db43 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -41,7 +41,7 @@
# Allow virtual_camera to use GPU
allow virtual_camera gpu_device:chr_file rw_file_perms;
allow virtual_camera gpu_device:dir r_dir_perms;
-allow virtual_camera sysfs_gpu:file r_file_perms;
+r_dir_file(virtual_camera, sysfs_gpu)
# Allow virtual camera to use graphics composer fd-s (fences).
allow virtual_camera hal_graphics_composer:fd use;
diff --git a/private/virtual_fingerprint.te b/private/virtual_fingerprint.te
new file mode 100644
index 0000000..61bff28
--- /dev/null
+++ b/private/virtual_fingerprint.te
@@ -0,0 +1,7 @@
+# biometric virtual fingerprint sensor
+type virtual_fingerprint, domain;
+type virtual_fingerprint_exec, system_file_type, exec_type, file_type;
+hal_server_domain(virtual_fingerprint, hal_fingerprint)
+typeattribute virtual_fingerprint coredomain;
+init_daemon_domain(virtual_fingerprint)
+set_prop(virtual_fingerprint, virtual_fingerprint_hal_prop)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 9b3cfcf..023e3e9 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -70,12 +70,24 @@
# Allow virtualizationmanager to be read custom pvmfw.img configuration
userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
-neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-virtualizationmanager')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, -early_virtmgr)
+} hypervisor_pvmfw_prop:file no_rw_file_perms;
# Allow virtualizationmanager to be read custom virtualizationmanager configuration
userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
-neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-virtualizationmanager')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, -early_virtmgr)
+} hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
diff --git a/public/file.te b/public/file.te
index bed3e76..4f187ec 100644
--- a/public/file.te
+++ b/public/file.te
@@ -150,12 +150,6 @@
type fs_bpf_tethering, fs_type, bpffs_type;
type fs_bpf_vendor, fs_type, bpffs_type;
-starting_at_board_api(202504, `
- type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
- type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
-')
-
-
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 8a625f5..eb340c8 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -1,7 +1,7 @@
# otapreopt_chroot seclabel
# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
+until_board_api(202504, `type otapreopt_chroot, domain;')
# system/sepolicy/public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/public/property.te b/public/property.te
index 47a1bde..4f1b369 100644
--- a/public/property.te
+++ b/public/property.te
@@ -276,7 +276,7 @@
vendor_internal_prop(virtual_face_hal_prop)
# Properties used in the default Fingerprint HAL implementations
-vendor_internal_prop(virtual_fingerprint_hal_prop)
+system_public_prop(virtual_fingerprint_hal_prop)
vendor_public_prop(persist_vendor_debug_wifi_prop)
diff --git a/public/te_macros b/public/te_macros
index 6d7533a..e446f56 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -203,6 +203,34 @@
allow $1 virtualizationservice_data_file:file { getattr read };
')
+####################################
+# early_virtmgr_use(domain)
+# Allow domain to create and communicate with an early virtual machine using
+# early_virtmgr.
+define(`early_virtmgr_use', `
+# Transition to early_virtmgr when the client executes it.
+domain_auto_trans($1, early_virtmgr_exec, early_virtmgr)
+# Allow early_virtmgr to communicate over UDS with the client.
+allow { early_virtmgr crosvm } $1:unix_stream_socket { ioctl getattr read write };
+# Let the client pass file descriptors to early_virtmgr and on to crosvm.
+allow { early_virtmgr crosvm } $1:fd use;
+allow { early_virtmgr crosvm } $1_tmpfs:file rw_file_perms;
+# Let the client use file descriptors created by early_virtmgr.
+allow $1 early_virtmgr:fd use;
+# Allow piping console log to the client
+allow { early_virtmgr crosvm } $1:fifo_file { ioctl getattr read write };
+# Allow client to read/write vsock created by early_virtmgr to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 early_virtmgr:vsock_socket { getattr getopt read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
+# Allow early_virtmgr to read the path of the client using /proc/{PID}/exe
+allow early_virtmgr $1:dir search;
+allow early_virtmgr $1:file read;
+allow early_virtmgr $1:lnk_file read;
+')
+
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index 68ce0e5..cdf82f1 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -22,16 +22,20 @@
top=$1
ver=$2
-mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}/"
-cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}/"
-cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}/"
+prebuilt_dir=$top/system/sepolicy/prebuilts/api/$ver
+mkdir -p "$prebuilt_dir"
+cp -r "$top/system/sepolicy/public/" "$prebuilt_dir"
+cp -r "$top/system/sepolicy/private/" "$prebuilt_dir"
-cat > "$top/system/sepolicy/prebuilts/api/${ver}/Android.bp" <<EOF
+cat > "$prebuilt_dir/Android.bp" <<EOF
// Automatically generated file, do not edit!
se_policy_conf {
name: "${ver}_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
- srcs: [":se_build_files{.plat_public_${ver}}", ":se_build_files{.reqd_mask}"],
+ srcs: [
+ ":se_build_files{.plat_public_${ver}}",
+ ":se_build_files{.reqd_mask}",
+ ],
installable: false,
build_variant: "user",
}
@@ -96,3 +100,26 @@
},
}
EOF
+
+# Build general_sepolicy.conf, plat_sepolicy.cil, and mapping file for CTS
+DIST_DIR=out/dist $top/build/soong/soong_ui.bash --make-mode dist sepolicy_finalize bpmodify
+
+cp "$top/out/dist/plat_sepolicy.cil" "$prebuilt_dir/${ver}_plat_sepolicy.cil"
+cp "$top/out/dist/general_sepolicy.conf" "$prebuilt_dir/${ver}_general_sepolicy.conf"
+cp "$top/out/dist/$ver.cil" "$prebuilt_dir/${ver}_mapping.cil"
+
+cat >> "$prebuilt_dir/Android.bp" <<EOF
+
+filegroup {
+ name: "${ver}_sepolicy_cts_data",
+ srcs: [
+ "${ver}_general_sepolicy.conf",
+ "${ver}_plat_sepolicy.cil",
+ "${ver}_mapping.cil",
+ ],
+}
+EOF
+
+bpmodify="$top/out/host/linux-x86/bin/bpmodify"
+$bpmodify -a ":${ver}_sepolicy_cts_data" -m prebuilt_sepolicy_cts_data -property srcs -w \
+ $top/system/sepolicy/tests/Android.bp
diff --git a/vendor/file_contexts b/vendor/file_contexts
index edd1c71..cd03ae1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,7 +26,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.default u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0