Merge "Let apps read tombstones given to them."
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5d32e11..d7a0798 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -364,7 +364,76 @@
return m.buildGeneralContexts(ctx, inputs)
}
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ // This list is from vts_treble_sys_prop_test.
+ allowedPropertyPrefixes := []string{
+ "ctl.odm.",
+ "ctl.vendor.",
+ "ctl.start$odm.",
+ "ctl.start$vendor.",
+ "ctl.stop$odm.",
+ "ctl.stop$vendor.",
+ "init.svc.odm.",
+ "init.svc.vendor.",
+ "ro.boot.",
+ "ro.hardware.",
+ "ro.odm.",
+ "ro.vendor.",
+ "odm.",
+ "persist.odm.",
+ "persist.vendor.",
+ "vendor.",
+ }
+
+ // persist.camera is also allowed for devices launching with R or eariler
+ if shippingApiLevel.LessThanOrEqualTo(ApiLevelR) {
+ allowedPropertyPrefixes = append(allowedPropertyPrefixes, "persist.camera.")
+ }
+
+ var allowedContextPrefixes []string
+
+ if shippingApiLevel.GreaterThanOrEqualTo(ApiLevelR) {
+ // This list is from vts_treble_sys_prop_test.
+ allowedContextPrefixes = []string{
+ "vendor_",
+ "odm_",
+ }
+ }
+
+ var ret android.Paths
+ for _, input := range inputs {
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
+ }
+
+ out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
+ rule.Command().Text("cp -f").Input(input).Output(out)
+ ret = append(ret, out)
+ }
+ rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
+ return ret
+}
+
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ // vendor/odm properties are enforced for devices launching with Android Q or later. So, if
+ // vendor/odm, make sure that only vendor/odm properties exist.
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
+ if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
+ inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ }
+
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
var apiFiles android.Paths
diff --git a/private/apexd.te b/private/apexd.te
index c3da0fe..f6e8058 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -5,6 +5,8 @@
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
@@ -78,6 +80,8 @@
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
allow apexd vendor_apex_file:dir r_dir_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa67..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/bpfloader.te b/private/bpfloader.te
index b2e5992..f1932bb 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,27 +4,32 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { create search write add_name };
-allow bpfloader fs_bpf:file { create setattr read };
+allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
+allow fs_bpf_tethering fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin };
+set_prop(bpfloader, bpf_progs_loaded_prop)
+
###
### Neverallow rules
###
-# TODO: get rid of init & vendor_init
-neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
-neverallow domain fs_bpf:dir { reparent rename rmdir };
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
-neverallow { domain -bpfloader } fs_bpf:file create;
-neverallow domain fs_bpf:file { rename unlink };
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
@@ -32,9 +37,7 @@
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e2e9633..ac7da6e 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -22,6 +22,7 @@
debugfs_mm_events_tracing
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
+ device_config_swcodec_native_prop
device_state_service
dm_user_device
dmabuf_heap_device
@@ -30,6 +31,8 @@
domain_verification_service
dumpstate_tmpfs
framework_watchdog_config_prop
+ fs_bpf_tethering
+ fwk_stats_service
game_service
font_data_file
gki_apex_prepostinstall
@@ -47,12 +50,16 @@
hal_keymint_service
hal_neuralnetworks_service
hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
+ hal_secureclock_service
+ hal_sharedsecret_service
hal_weaver_service
keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
media_communication_service
+ media_metrics_service
mediatuner_exec
mediatuner_service
mediatuner
@@ -76,6 +83,8 @@
profcollectd_service
radio_core_data_file
reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
resolver_service
search_ui_service
shell_test_data_file
@@ -86,6 +95,7 @@
soc_prop
speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_dma_heap
sysfs_dmabuf_stats
sysfs_uhid
system_server_dumper_service
@@ -99,4 +109,5 @@
vibrator_manager_service
vpn_management_service
watchdog_metadata_file
+ wifi_key
zygote_config_prop))
diff --git a/private/domain.te b/private/domain.te
index 57e93e4..94bd059 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 16f4add..13e3b4c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -11,6 +11,12 @@
allow dumpstate storaged_exec:file rx_file_perms;
+# /data/misc/a11ytrace for accessibility traces
+userdebug_or_eng(`
+ allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
+ allow dumpstate accessibility_trace_data_file:file r_file_perms;
+')
+
# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
allow dumpstate wm_trace_data_file:dir r_dir_perms;
diff --git a/private/file.te b/private/file.te
index fd50649..4b0f48a 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,9 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/a11ytrace for accessibility traces
+type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8399cc8..580ce0e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -519,6 +519,7 @@
/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
+/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -556,6 +557,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 983bad6..55d1a9a 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -14,6 +14,7 @@
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_swcodec_native_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 960110f..d205cd5 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -148,6 +148,7 @@
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
@@ -348,3 +349,4 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index ff7444f..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -75,6 +75,10 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
diff --git a/private/heapprofd.te b/private/heapprofd.te
index d34830c..246f936 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -45,6 +45,7 @@
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
+r_dir_file(heapprofd, shell_test_data_file)
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index b926265..9612b90 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -15,3 +15,8 @@
# odsign_key is a keystore2_key namespace for the on-device signing daemon.
101 u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102 u:object_r:wifi_key:s0
+
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
+ r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 7f626c4..7bcf5c8 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -7,3 +7,4 @@
allow mediaextractor system_server_tmpfs:file { getattr map read write };
get_prop(mediaextractor, device_config_media_native_prop)
+get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index cef802d..02079c1 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -3,3 +3,4 @@
init_daemon_domain(mediaswcodec)
get_prop(mediaswcodec, device_config_media_native_prop)
+get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/private/network_stack.te b/private/network_stack.te
index f130e80..9598fa5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -29,6 +29,13 @@
binder_call(network_stack, netd);
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
@@ -37,13 +44,15 @@
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack fs_bpf:dir search;
-allow network_stack fs_bpf:file { read write };
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# TODO: remove netd once netd/tethering mainline module split is complete
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/priv_app.te b/private/priv_app.te
index 4b0218e..e5889d1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
allow priv_app privapp_data_file:lnk_file create_file_perms;
# Priv apps can find services that expose both @SystemAPI and normal APIs.
@@ -156,11 +160,12 @@
r_dir_file(priv_app, sysfs_fs_incfs_features)
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status
+# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {
INCFS_IOCTL_READ_SIGNATURE
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
+ INCFS_IOCTL_GET_FILLED_BLOCKS
};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
@@ -235,6 +240,7 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/property.te b/private/property.te
index 5dc75b8..1ffb8ee 100644
--- a/private/property.te
+++ b/private/property.te
@@ -9,6 +9,7 @@
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
+system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 8778016..25e9d87 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -231,6 +231,7 @@
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
@@ -264,6 +265,9 @@
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
+# The vbmeta digest for the inactive slot. It can be set after installing
+# ota updates to the b partition of a/b devices.
+ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
@@ -979,6 +983,7 @@
ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
new file mode 100644
index 0000000..e877981
--- /dev/null
+++ b/private/remote_prov_app.te
@@ -0,0 +1,10 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+allow remote_prov_app {
+ activity_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 929f073..b8e42ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,7 @@
isSystemServer=true domain=system_server_startup
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
diff --git a/private/service_contexts b/private/service_contexts
index ed457ee..c1aab48 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -9,12 +9,16 @@
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -31,6 +35,7 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
@@ -162,6 +167,7 @@
media.drm u:object_r:mediadrmserver_service:s0
media.tuner u:object_r:mediatuner_service:s0
media_communication u:object_r:media_communication_service:s0
+media_metrics u:object_r:media_metrics_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
diff --git a/private/shell.te b/private/shell.te
index 0cdf43d..3ca8360 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -48,6 +48,12 @@
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
+# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
+userdebug_or_eng(`
+ allow shell accessibility_trace_data_file:dir rw_dir_perms;
+ allow shell accessibility_trace_data_file:file { r_file_perms unlink };
+')
+
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..8549bd5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,6 +100,7 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 4284835..36208bf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -142,6 +142,15 @@
use
};
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# settings app reads /proc/version
allow system_app {
proc_version
@@ -149,6 +158,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 65a5e1e..9e903d5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -189,6 +189,17 @@
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
+# Read /sys/kernel/dma_heap/*.
+allow system_server sysfs_dma_heap:file r_file_perms;
+
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -292,6 +303,7 @@
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces.
allow system_server {
@@ -664,6 +676,7 @@
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
+set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
@@ -758,9 +771,6 @@
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
@@ -868,14 +878,25 @@
use
};
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
# /oem access
r_dir_file(system_server, oemfs)
@@ -907,6 +928,10 @@
# Allow writing and removing window traces in /data/misc/wmtrace.
allow system_server wm_trace_data_file:dir rw_dir_perms;
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+
+ # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
+ allow system_server accessibility_trace_data_file:dir rw_dir_perms;
+ allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')
# For AppFuse.
@@ -954,9 +979,8 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
@@ -1125,6 +1149,7 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_swcodec_native_prop
device_config_window_manager_native_boot_prop
}:property_service set;
diff --git a/private/zygote.te b/private/zygote.te
index 23fed52..1a3bcc6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -190,7 +192,10 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials
diff --git a/public/app.te b/public/app.te
index 39d67af..67a996a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -318,6 +318,9 @@
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
diff --git a/public/charger.te b/public/charger.te
index f57853a..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..a2376d2 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@
allow credstore dropbox_service:service_manager find;
r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd038..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index 29b0258..81163d1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -403,13 +403,11 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
@@ -478,7 +476,9 @@
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
@@ -1320,10 +1320,12 @@
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c5086f..45540b3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
diff --git a/public/file.te b/public/file.te
index 0cf465c..a188c78 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,6 +88,7 @@
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
@@ -112,6 +113,7 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c24..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b6065..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 7570188..e56ab99 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,4 +1,5 @@
binder_call(hal_keymint_client, hal_keymint_server)
hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5a..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 79a0667..e19ad1c 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,12 +13,21 @@
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+use_keystore(hal_wifi_supplicant)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
###
### neverallow rules
###
diff --git a/public/healthd.te b/public/healthd.te
index 8673846..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index 59e6b4e..069f17d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
@@ -308,7 +309,6 @@
devpts
dm_device
hwbinder_device
- hw_random_device
input_device
kmsg_device
null_device
@@ -323,6 +323,7 @@
# chown/chmod on devices.
allow init {
dev_type
+ -hw_random_device
-keychord_device
-port_device
}:chr_file setattr;
@@ -532,10 +533,6 @@
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index b9c7b3e..61c8bce 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index 8c64090..1c8d3bd 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
@@ -23,6 +24,7 @@
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e64..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index b0acb14..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f34030..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..4472938 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,9 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
+# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
+allow netd { fs_bpf fs_bpf_tethering }:dir search;
+allow netd { fs_bpf fs_bpf_tethering }:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/service.te b/public/service.te
index 928016b..7292a97 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
@@ -113,6 +114,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, system_server_service, service_manager_type;
type game_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -134,6 +136,7 @@
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -249,6 +252,9 @@
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 1e73e49..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,6 +30,7 @@
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
@@ -125,6 +126,7 @@
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
index 564ae23..ab8e58a 100644
--- a/public/stats_service_server.te
+++ b/public/stats_service_server.te
@@ -1 +1,4 @@
add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 685317b..8d436b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
diff --git a/public/wificond.te b/public/wificond.te
index 6a1932b..254fcbc 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -35,3 +35,9 @@
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+ get_info
+ use
+};
diff --git a/tests/Android.bp b/tests/Android.bp
index 5925fc2..6a86188 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -87,3 +87,8 @@
],
defaults: ["py2_only"],
}
+
+python_binary_host {
+ name: "check_prop_prefix",
+ srcs: ["check_prop_prefix.py"],
+}
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
new file mode 100644
index 0000000..68511ce
--- /dev/null
+++ b/tests/check_prop_prefix.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import re
+import sys
+
+# A line should look like:
+# {prop_name} u:object_r:{context_name}:s0
+line_regex = re.compile(r'^(\S+)\s+u:object_r:([^:]+):s0.*$')
+
+# Parses a line in property_contexts and return a (prop, ctx) tuple.
+# Raises an error for any malformed entries.
+def parse_line(line):
+ matched = line_regex.match(line)
+ if not matched:
+ raise ValueError('malformed entry "' + line + '" in property_contexts')
+
+ return matched.group(1, 2)
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description="Finds any violations in property_contexts, with given allowed prefixes. "
+ "If any violations are found, return a nonzero (failure) exit code.")
+ parser.add_argument("--property-contexts", help="Path to property_contexts file.")
+ parser.add_argument("--allowed-property-prefix", action="extend", nargs="*",
+ help="Allowed property prefixes. If empty, any properties are allowed.")
+ parser.add_argument("--allowed-context-prefix", action="extend", nargs="*",
+ help="Allowed context prefixes. If empty, any contexts are allowed.")
+ parser.add_argument('--strict', action='store_true',
+ help="Make the script fail if any violations are found.")
+
+ return parser.parse_args()
+
+args = parse_args()
+
+violations = []
+
+with open(args.property_contexts, 'r') as f:
+ lines = f.read().split('\n')
+
+for line in lines:
+ tokens = line.strip()
+ # if this line empty or a comment, skip
+ if tokens == '' or tokens[0] == '#':
+ continue
+
+ prop, context = parse_line(line)
+
+ violated = False
+
+ if args.allowed_property_prefix and not prop.startswith(tuple(args.allowed_property_prefix)):
+ violated = True
+
+ if args.allowed_context_prefix and not context.startswith(tuple(args.allowed_context_prefix)):
+ violated = True
+
+ if violated:
+ violations.append(line)
+
+if len(violations) > 0:
+ print('******************************')
+ print('%d violations found:' % len(violations))
+ print('\n'.join(violations))
+ print('******************************')
+ print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print('This is enforced by VTS, so please fix such offending properties.')
+ if args.allowed_property_prefix:
+ print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
+ if args.allowed_context_prefix:
+ print('Allowed context prefixes for %s: %s' % (args.property_contexts, args.allowed_context_prefix))
+ if args.strict:
+ print('You can temporarily disable this check with setting BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk.')
+ print('But property namespace is enforced by VTS, and you will need to fix such violations to pass VTS.')
+ print('See test/vts-testcase/security/system_property/vts_treble_sys_prop_test.py for the detail of the VTS.')
+ sys.exit(1)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d05431c..785f4cb 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -73,7 +73,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
diff --git a/vendor/hal_keymint_default.te b/vendor/hal_keymint_default.te
index d86b7b4..3b86a1b 100644
--- a/vendor/hal_keymint_default.te
+++ b/vendor/hal_keymint_default.te
@@ -4,4 +4,7 @@
type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymint_default)
+hal_attribute_service(hal_keymint, hal_secureclock_service)
+hal_attribute_service(hal_keymint, hal_sharedsecret_service)
+
get_prop(hal_keymint_default, vendor_security_patch_level_prop);