Merge "Reland "[res] Allow accessing idmap files in all zygotes"" into main
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 0abfdf6..3f2e2df 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -47,5 +47,6 @@
"service_fuzzer_bindings.go",
"validate_bindings.go",
],
+ testSrcs: ["selinux_test.go"],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/flags.go b/build/soong/flags.go
index b1aebac..c7aeb32 100644
--- a/build/soong/flags.go
+++ b/build/soong/flags.go
@@ -15,22 +15,141 @@
package selinux
import (
+ "maps"
+
"android/soong/android"
+
+ "github.com/google/blueprint"
)
+var (
+ flagsDepTag = dependencyTag{name: "flags"}
+ buildFlagsDepTag = dependencyTag{name: "build_flags"}
+)
+
+func init() {
+ ctx := android.InitRegistrationContext
+ ctx.RegisterModuleType("se_flags", flagsFactory)
+ ctx.RegisterModuleType("se_flags_collector", flagsCollectorFactory)
+}
+
type flagsProperties struct {
- // List of flags to be passed to M4 macro.
+ // List of build time flags for flag-guarding.
Flags []string
+
+ // List of se_flags_collector modules to export flags to.
+ Export_to []string
+}
+
+type flagsModule struct {
+ android.ModuleBase
+ properties flagsProperties
+}
+
+type flagsInfo struct {
+ Flags []string
+}
+
+var flagsProviderKey = blueprint.NewProvider[flagsInfo]()
+
+// se_flags contains a list of build time flags for sepolicy. Build time flags are defined under
+// .scl files (e.g. build/release/build_flags.scl). By importing flags with se_flags modules,
+// sepolicy rules can be guarded by `is_flag_enabled` / `is_flag_disabled` macro.
+//
+// For example, an Android.bp file could have:
+//
+// se_flags {
+// name: "aosp_selinux_flags",
+// flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
+// export_to: ["all_selinux_flags"],
+// }
+//
+// And then one could flag-guard .te file rules:
+//
+// is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+// type vfio_handler, domain, coredomain;
+// binder_use(vfio_handler)
+// ')
+//
+// or contexts entries:
+//
+// is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+// android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+// ')
+func flagsFactory() android.Module {
+ module := &flagsModule{}
+ module.AddProperties(&module.properties)
+ android.InitAndroidModule(module)
+ return module
+}
+
+func (f *flagsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // dep se_flag_collector -> se_flags
+ for _, export := range f.properties.Export_to {
+ ctx.AddReverseDependency(ctx.Module(), flagsDepTag, export)
+ }
+}
+
+func (f *flagsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ android.SetProvider(ctx, flagsProviderKey, flagsInfo{
+ Flags: f.properties.Flags,
+ })
+}
+
+type buildFlagsInfo struct {
+ BuildFlags map[string]string
+}
+
+var buildFlagsProviderKey = blueprint.NewProvider[buildFlagsInfo]()
+
+type flagsCollectorModule struct {
+ android.ModuleBase
+ buildFlags map[string]string
+}
+
+// se_flags_collector module collects flags from exported se_flags modules (see export_to property
+// of se_flags modules), and then converts them into build-time flags. It will be used to generate
+// M4 macros to flag-guard sepolicy.
+func flagsCollectorFactory() android.Module {
+ module := &flagsCollectorModule{}
+ android.InitAndroidModule(module)
+ return module
+}
+
+func (f *flagsCollectorModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var flags []string
+ ctx.VisitDirectDepsWithTag(flagsDepTag, func(m android.Module) {
+ if dep, ok := android.OtherModuleProvider(ctx, m, flagsProviderKey); ok {
+ flags = append(flags, dep.Flags...)
+ } else {
+ ctx.ModuleErrorf("unknown dependency %q", ctx.OtherModuleName(m))
+ }
+ })
+ buildFlags := make(map[string]string)
+ for _, flag := range android.SortedUniqueStrings(flags) {
+ if val, ok := ctx.Config().GetBuildFlag(flag); ok {
+ buildFlags[flag] = val
+ }
+ }
+ android.SetProvider(ctx, buildFlagsProviderKey, buildFlagsInfo{
+ BuildFlags: buildFlags,
+ })
+}
+
+type flaggableModuleProperties struct {
+ // List of se_flag_collector modules to be passed to M4 macro.
+ Build_flags []string
}
type flaggableModule interface {
android.Module
flagModuleBase() *flaggableModuleBase
+ flagDeps(ctx android.BottomUpMutatorContext)
getBuildFlags(ctx android.ModuleContext) map[string]string
}
type flaggableModuleBase struct {
- properties flagsProperties
+ properties flaggableModuleProperties
}
func initFlaggableModule(m flaggableModule) {
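Review bot: An `export_to` entry naming a module that is not an `se_flags_collector` is never visited with `flagsDepTag`, so its flags silently fall out of the collected `BuildFlags` and never become `-D` macros, which means any `is_flag_enabled`/`is_flag_disabled` guard on them sees no definition at build time and nothing reports it; `flagsModule.DepsMutator` only adds the reverse dependency and no code checks the target's type. I do not see a cheap type check available in the mutator from here, so at minimum the property should warn: `// List of se_flags_collector modules to export flags to. Targets must be se_flags_collector modules; flags exported to any other module type are silently ignored.` Separately, the `buildFlags` field on `flagsCollectorModule` is never written (GenerateAndroidBuildActions uses a local of the same name and publishes through the provider) and can be removed. `initFlaggableModule` begins on the hunk's last line and continues outside it.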
@@ -42,13 +161,19 @@
return f
}
+func (f *flaggableModuleBase) flagDeps(ctx android.BottomUpMutatorContext) {
+ ctx.AddDependency(ctx.Module(), buildFlagsDepTag, f.properties.Build_flags...)
+}
+
// getBuildFlags returns a map from flag names to flag values.
func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
ret := make(map[string]string)
- for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
- if val, ok := ctx.Config().GetBuildFlag(flag); ok {
- ret[flag] = val
+ ctx.VisitDirectDepsWithTag(buildFlagsDepTag, func(m android.Module) {
+ if dep, ok := android.OtherModuleProvider(ctx, m, buildFlagsProviderKey); ok {
+ maps.Copy(ret, dep.BuildFlags)
+ } else {
+ ctx.PropertyErrorf("build_flags", "unknown dependency %q", ctx.OtherModuleName(m))
}
- }
+ })
return ret
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 9d87275..cbcc57a 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -129,7 +129,7 @@
c := &policyConfDefaults{}
c.AddProperties(
&policyConfProperties{},
- &flagsProperties{},
+ &flaggableModuleProperties{},
)
android.InitDefaultsModule(c)
return c
@@ -270,6 +270,10 @@
return conf
}
+func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
+ c.flagDeps(ctx)
+}
+
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !c.installable() {
c.SkipInstall()
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5cc9c70..1282b90 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -110,6 +110,8 @@
}
func (m *selinuxContextsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ m.flagDeps(ctx)
+
if m.deps != nil {
m.deps(ctx)
}
@@ -182,7 +184,7 @@
m.AddProperties(
&selinuxContextsProperties{},
&seappProperties{},
- &flagsProperties{},
+ &flaggableModuleProperties{},
)
android.InitDefaultsModule(m)
return m
diff --git a/build/soong/selinux_test.go b/build/soong/selinux_test.go
new file mode 100644
index 0000000..dd980a5
--- /dev/null
+++ b/build/soong/selinux_test.go
@@ -0,0 +1,96 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "os"
+ "reflect"
+ "testing"
+
+ "android/soong/android"
+)
+
+func TestMain(m *testing.M) {
+ os.Exit(m.Run())
+}
+
+var prepareForTest = android.GroupFixturePreparers(
+ android.FixtureModifyProductVariables(func(variables android.FixtureProductVariables) {
+ buildFlags := make(map[string]string)
+ buildFlags["RELEASE_FLAGS_BAR"] = "true"
+ buildFlags["RELEASE_FLAGS_FOO1"] = "false"
+ // "RELEASE_FLAGS_FOO2" is missing
+ buildFlags["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"] = "true"
+ variables.BuildFlags = buildFlags
+ }),
+ android.FixtureRegisterWithContext(func(ctx android.RegistrationContext) {
+ ctx.RegisterModuleType("se_flags", flagsFactory)
+ ctx.RegisterModuleType("se_flags_collector", flagsCollectorFactory)
+ }),
+)
+
+func TestFlagCollector(t *testing.T) {
+ t.Parallel()
+
+ ctx := android.GroupFixturePreparers(
+ prepareForTest,
+ android.FixtureAddTextFile("package_bar/Android.bp", `
+ se_flags {
+ name: "se_flags_bar",
+ flags: ["RELEASE_FLAGS_BAR"],
+ export_to: ["se_flags_collector"],
+ }
+ `),
+ android.FixtureAddTextFile("package_foo/Android.bp", `
+ se_flags {
+ name: "se_flags_foo",
+ flags: ["RELEASE_FLAGS_FOO1", "RELEASE_FLAGS_FOO2"],
+ export_to: ["se_flags_collector"],
+ }
+ `),
+ android.FixtureAddTextFile("system/sepolicy/Android.bp", `
+ se_flags {
+ name: "se_flags",
+ flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
+ export_to: ["se_flags_collector"],
+ }
+ se_flags_collector {
+ name: "se_flags_collector",
+ }
+ `),
+ ).RunTest(t).TestContext
+
+ collectorModule := ctx.ModuleForTests("se_flags_collector", "").Module()
+ collectorData, ok := android.OtherModuleProvider(ctx.OtherModuleProviderAdaptor(), collectorModule, buildFlagsProviderKey)
+ if !ok {
+ t.Errorf("se_flags_collector must provide buildFlags")
+ return
+ }
+
+ actual := flagsToM4Macros(collectorData.BuildFlags)
+ expected := []string{
+ "-D target_flag_RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT=true",
+ "-D target_flag_RELEASE_FLAGS_BAR=true",
+ "-D target_flag_RELEASE_FLAGS_FOO1=false",
+ }
+ if !reflect.DeepEqual(actual, expected) {
+ t.Errorf("M4 macros were not exported correctly"+
+ "\nactual: %v"+
+ "\nexpected: %v",
+ actual,
+ expected,
+ )
+ }
+}
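Review bot: The two new error paths in flags.go — the `unknown dependency` reports raised when an `export_to` or `build_flags` target does not publish the expected provider — have no coverage here; this test only exercises the happy path, and the silent drop of the undefined `RELEASE_FLAGS_FOO2` is asserted as expected without a comment saying that is the intended contract. A second test that points `build_flags` at an `se_flags` module (or `export_to` at a non-collector) and asserts the build error through the fixture's expected-error preparer would pin those paths, and a one-line comment such as `// Flags that the build does not define are dropped rather than reported.` would make the FOO2 expectation explicit. Also, `TestMain` only calls `os.Exit(m.Run())`, which is what `go test` already does, so it and the `os` import can be dropped.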
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f75312a..e002b15 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -653,6 +653,9 @@
/oem oemfs
/oem/does_not_exist oemfs
+/oem/media/bootanimation.zip bootanim_oem_file
+/oem/media/shutdownanimation.zip bootanim_oem_file
+/oem/media/userspace-reboot.zip bootanim_oem_file
/oem/overlay vendor_overlay_file
/oem/overlay/does_not_exist vendor_overlay_file
@@ -992,10 +995,12 @@
/data/misc/odsign/test odsign_data_file
/data/misc/odsign/metrics odsign_metrics_file
/data/misc/odsign/metrics/test odsign_metrics_file
-/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
-/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
/data/misc/perfetto-traces perfetto_traces_data_file
/data/misc/perfetto-traces/test perfetto_traces_data_file
+/data/misc/perfetto-traces/profiling perfetto_traces_profiling_data_file
+/data/misc/perfetto-traces/profiling/test perfetto_traces_profiling_data_file
/data/misc/perfetto-configs perfetto_configs_data_file
/data/misc/perfetto-configs/test perfetto_configs_data_file
/data/misc/prereboot prereboot_data_file
@@ -1215,6 +1220,12 @@
/metadata metadata_file
/metadata/test metadata_file
+/metadata/aconfig aconfig_storage_metadata_file
+/metadata/aconfig/test aconfig_storage_metadata_file
+/metadata/aconfig/flags aconfig_storage_flags_metadata_file
+/metadata/aconfig/flags/test aconfig_storage_flags_metadata_file
+/metadata/aconfig/boot aconfig_storage_metadata_file
+/metadata/aconfig/boot/test aconfig_storage_metadata_file
/metadata/apex apex_metadata_file
/metadata/apex/test apex_metadata_file
/metadata/vold vold_metadata_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 55e116b..8f7355a 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -12,24 +12,33 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// This file contains a list of flags for sepolicy.
-se_policy_conf_defaults {
- name: "se_policy_conf_flags_defaults",
- srcs: [":sepolicy_flagging_macros"],
+// This module contains a list of build time flags (defined on AOSP) for sepolicy.
+// Additional se_flags modules can be added anywhere for additional flags.
+se_flags {
+ name: "aosp_selinux_flags",
flags: [
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
],
+ export_to: ["all_selinux_flags"],
+}
+
+// se_flags_collector collects flags from exported se_flags modules and converts it to build flags.
+se_flags_collector {
+ name: "all_selinux_flags",
+}
+
+se_policy_conf_defaults {
+ name: "se_policy_conf_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ build_flags: ["all_selinux_flags"],
}
contexts_defaults {
name: "contexts_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
- flags: [
- "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
- "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
- ],
+ build_flags: ["all_selinux_flags"],
}
filegroup {
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5ea924a..ab8b8d5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,6 +258,9 @@
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
+# Only privileged apps may find stats service
+neverallow all_untrusted_apps stats_service:service_manager find;
+
# Do not allow untrusted app to read hidden system proprerties.
# We do not include in the exclusions other normally untrusted applications such as mediaprovider
# due to the specific logging use cases.
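Review bot: The new `neverallow all_untrusted_apps stats_service:service_manager find;` is much narrower than the rule it replaces in `private/stats.te`, which constrained every domain except an explicit exception list; after this change any non-app domain (vendor HALs, isolated domains, new system daemons) can be granted `find` on `stats_service` without a compile-time guard. If that loosening is intentional, the rationale belongs in the commit message or a comment here, e.g. `# Only untrusted apps are barred from finding stats_service; system domains are allowed by design.`; otherwise keep a domain-wide neverallow with the previous exception list alongside this one.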
diff --git a/private/audioserver.te b/private/audioserver.te
index 7a5e8bc..74d5e88 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -105,3 +105,4 @@
# Allow reading audio config props, e.g. af.fast_track_multiplier
get_prop(audioserver, audio_config_prop)
+get_prop(audioserver, system_audio_config_prop)
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 595d53e..7d80433 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -2099,7 +2099,7 @@
(typeattributeset null_device_34_0 (null_device))
(typeattributeset oem_lock_service_34_0 (oem_lock_service))
(typeattributeset oem_unlock_prop_34_0 (oem_unlock_prop))
-(typeattributeset oemfs_34_0 (oemfs))
+(typeattributeset oemfs_34_0 (oemfs bootanim_oem_file))
(typeattributeset ondevicepersonalization_system_service_34_0 (ondevicepersonalization_system_service))
(typeattributeset ota_data_file_34_0 (ota_data_file))
(typeattributeset ota_metadata_file_34_0 (ota_metadata_file))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1de001e..351d647 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -43,4 +43,6 @@
vendor_microdroid_file
threadnetwork_config_prop
profiling_service
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
))
diff --git a/private/domain.te b/private/domain.te
index 2f107dd..3454fd1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -179,6 +179,35 @@
# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)
+# Allow calls to system(3), popen(3), ...
+allow {
+ domain
+ # Except domains that explicitly neverallow it.
+ -kernel
+ -init
+ -vendor_init
+ -app_zygote
+ -webview_zygote
+ -system_server
+ -artd
+ -audioserver
+ -cameraserver
+ -mediadrmserver
+ -mediaextractor
+ -mediametrics
+ -mediaserver
+ -mediatuner
+ -mediatranscoding
+ -ueventd
+ -hal_audio_server
+ -hal_camera_server
+ -hal_cas_server
+ -hal_codec2_server
+ -hal_configstore_server
+ -hal_drm_server
+ -hal_omx_server
+} {shell_exec toolbox_exec}:file rx_file_perms;
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
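Review bot: This grants `rx_file_perms` on `/system/bin/sh` and toybox to every domain not in the exclusion list — app domains that are not excluded, vendor HAL servers, and anything added to the tree later — but the comment only says `Allow calls to system(3), popen(3), ...` and gives no bug reference or reason for flipping the default from deny to allow. The list is described as `domains that explicitly neverallow it`, so it has to track every such neverallow or the policy stops compiling; that maintenance contract should be written down, e.g. `# Keep in sync with neverallows on shell_exec/toolbox_exec execution: adding one requires excluding that domain here.` If the intent is narrower than all of `domain`, an opt-in attribute on the domains that actually shell out would be safer than this opt-out list.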
diff --git a/private/file.te b/private/file.te
index 450fe2c..24c118a 100644
--- a/private/file.te
+++ b/private/file.te
@@ -25,6 +25,9 @@
# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
+type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index cba5660..5e234f7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -457,6 +457,9 @@
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/oem/media/bootanimation.zip u:object_r:bootanim_oem_file:s0
+/oem/media/shutdownanimation.zip u:object_r:bootanim_oem_file:s0
+/oem/media/userspace-reboot.zip u:object_r:bootanim_oem_file:s0
# The precompiled monolithic sepolicy will be under /odm only when
# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
@@ -657,9 +660,10 @@
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
-/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
+/data/misc/perfetto-traces/profiling(/.*)? u:object_r:perfetto_traces_profiling_data_file:s0
+/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/uprobestats-configs(/.*)? u:object_r:uprobestats_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
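Review bot: The new `/data/misc/perfetto-traces/profiling(/.*)?` entry uses the usual `(/.*)?` tail, but the `bugreport` line re-emitted right above it keeps `(.*)?`, which also matches any sibling whose name merely starts with `bugreport` (e.g. `/data/misc/perfetto-traces/bugreport2`) and labels it `perfetto_traces_bugreport_data_file`. Since the commit already rewrites that line for alignment, tighten it to `/data/misc/perfetto-traces/bugreport(/.*)?` so the two entries follow the same pattern; the `bugreport` cases in `plat_file_contexts_test` in this change use a `/` separator and would still pass.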
@@ -855,6 +859,8 @@
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
+/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
+/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
#############################
# asec containers
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 297a876..5638543 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -25,15 +25,14 @@
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
-# Needed for dumpsys pipes.
-allow gpuservice shell:fifo_file write;
+# Allow shell access
+allow gpuservice adbd:fd use;
+allow gpuservice adbd:unix_stream_socket { getattr read write };
+allow gpuservice shell:fifo_file { getattr read write };
# Needed for perfetto producer.
perfetto_producer(gpuservice)
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow gpuservice adbd:unix_stream_socket { read write getattr };
-
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
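Review bot: The new comment `# Allow shell access` is less informative than the two it replaces (`Needed for dumpsys pipes.` and `Use socket supplied by adbd, for cmd gpu vkjson etc.`), and the newly added `allow gpuservice adbd:fd use;` gets no rationale at all. Keep the reasons next to the rules, e.g. `# dumpsys / cmd gpu over adb: use adbd's fd and socket, and the shell's pipe.`, so a later reader knows which permissions can be dropped if dumpsys handling changes.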
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7ad8feb..064d0d9 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -73,3 +73,6 @@
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
+
+# boot animations on oem are stored with specific label
+allow mediaprovider_app bootanim_oem_file:file r_file_perms;
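Review bot: `allow mediaprovider_app bootanim_oem_file:file r_file_perms;` alone does not let the app open `/oem/media/*.zip` by path: it also needs `search` on `oemfs:dir` for `/oem` and `/oem/media`, and nothing in this hunk grants that, nor is it visible here whether mediaprovider_app already has it. Worth confirming before landing, and the comment should say how the file is reached (opened by path, or received as an fd from another process), e.g. `# Read OEM boot/shutdown animations (bootanim_oem_file); directory traversal relies on existing oemfs:dir search.` if that is the case.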
diff --git a/private/perfetto.te b/private/perfetto.te
index aae61a6..d0088ef 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -26,6 +26,10 @@
allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
+allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
+
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
@@ -86,6 +90,7 @@
-dumpstate # For attaching traces to bugreports.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For stating traces for bug-report UI.
+ -system_server # For accessing traces started by profiling apis.
} perfetto_traces_data_file:dir *;
neverallow {
domain
@@ -122,14 +127,20 @@
-vendor_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
+ -perfetto_traces_profiling_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
-neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+ system_data_file
+ -perfetto_traces_data_file
+ -perfetto_traces_profiling_data_file
+}:dir ~{ getattr search };
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
+ -perfetto_traces_profiling_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/property.te b/private/property.te
index 38e69bb..d21df55 100644
--- a/private/property.te
+++ b/private/property.te
@@ -44,6 +44,7 @@
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
+system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(uprobestats_start_with_config_prop)
diff --git a/private/property_contexts b/private/property_contexts
index c5f679e..568bdc1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -418,6 +418,11 @@
# USB devices can be connected to audio system at a certain time
ro.audio.multi_usb_mode u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in libaudiohal@aidl to check if the SoC vendor
+# provides an implementation of IHalAdapterVendorExtension interface.
+# See b/323989070 for the discussion why this approach was chosen.
+ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
+
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
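Review bot: `ro.audio.ihaladaptervendorextension_enabled` is labeled `system_internal_prop`, which restricts setting it to system-side domains, but the comment says it reports whether the SoC vendor implements `IHalAdapterVendorExtension` — information that would normally be provided by the vendor (e.g. a vendor build.prop applied by `vendor_init`), which this label does not permit. If vendor is the writer, the property needs a vendor-settable class (the neighbouring `ro.audio.*` entries use `audio_config_prop`); if the system image sets it, the comment should say so. Either way, state the writer explicitly, e.g. `# Set by the system image build; not settable by vendor_init.`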
diff --git a/private/stats.te b/private/stats.te
index 5790faa..6261303 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -33,28 +33,3 @@
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -dumpstate
- -gmscore_app
- -gpuservice
- -incidentd
- -keystore
- -mediametrics
- -mediaserver
- -platform_app
- -priv_app
- -rkpdapp
- -shell
- -stats
- -statsd
- -surfaceflinger
- -system_app
- -system_server
- -traceur_app
- -traced_probes
-} stats_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index e5ade71..eda5695 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -582,6 +582,11 @@
domain_auto_trans(system_server, perfetto_exec, perfetto);
allow system_server perfetto:fifo_file { read write };
+# Allow system server to manage perfetto traces for ProfilingService.
+allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
+allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
+allow system_server perfetto_traces_data_file:dir search;
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -1299,6 +1304,9 @@
neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
neverallow system_server *:process dyntransition;
+# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
+neverallow system_server perfetto_traces_data_file:dir ~search;
+
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
@@ -1456,6 +1464,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
+allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1512,6 +1523,11 @@
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+# Only system server should access /metadata/aconfig
+# TODO: add storage daemon to neverallow exception when it is introduced
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 972f376..0a9ff8b 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -33,6 +33,9 @@
binder_call(virtualizationservice, remote_provisioning_service)
allow virtualizationservice remote_provisioning_service:service_manager find;
+# Allow virtualizationservice to manage VM secrets via Secretkeeper.
+hal_client_domain(virtualizationservice, hal_secretkeeper)
+
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
@@ -56,8 +59,9 @@
virtualizationservice_use(virtualizationservice)
# Allow virtualizationservice to read and write in the apex data directory
-# /data/misc/apexdata/com.android.virt
-allow virtualizationservice apex_module_data_file:dir search;
+# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
+# (needed for SQLite database creation).
+allow virtualizationservice apex_module_data_file:dir { search getattr };
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;
diff --git a/public/bootanim.te b/public/bootanim.te
index a9616b7..239393c 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,7 +17,9 @@
allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
-r_dir_file(bootanim, oemfs);
+allow bootanim oemfs:dir r_dir_perms;
+# boot animations on oem are stored with specific label
+allow bootanim bootanim_oem_file:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
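Review bot: Replacing `r_dir_file(bootanim, oemfs)` with `oemfs:dir r_dir_perms` drops `oemfs:file r_file_perms`, so bootanim can now read only the three files relabeled `bootanim_oem_file` in `private/file_contexts` and nothing else under `/oem`; any other asset it reads there (per-variant or per-display animations, for example) would start failing with denials. `mediaserver.te` in the same change keeps its `oemfs:file` read alongside the new type, so the two domains are treated differently. Confirm bootanim only ever opens those exact three paths, or keep `allow bootanim oemfs:file r_file_perms;`.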
diff --git a/public/domain.te b/public/domain.te
index d630a24..755b4b2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -341,6 +341,12 @@
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
+# Allow everyone to read from flag value boot snapshot files and general pb files
+# The boot copy of the flag value files serves flag read traffic for all processes, thus
+# needs to be readable by everybody. Also, the metadata directory will contain pb file
+# that records where flag storage files are, so also needs to be readable by everbody.
+allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+
###
### neverallow rules
###
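Review bot: The comment above `allow domain { aconfig_storage_metadata_file }:file r_file_perms;` should be precise about what becomes world-readable, since `domain` includes untrusted, isolated and vendor processes: with the labels added to `private/file_contexts` this is everything under `/metadata/aconfig` except the `flags` subtree, not only the `boot` copy. Suggested wording: `# /metadata/aconfig (except /metadata/aconfig/flags) is readable by every process: the boot snapshot of flag values and the pb file recording where flag storage files live are read from all domains.` This also fixes the `everbody` typo.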
@@ -623,6 +629,11 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+# Do not allow write access to the general aconfig pb file and boot flag value files except init
+# TODO: need to add storage daemon into this exception list once it is created
+neverallow { domain -init } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
+
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
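Review bot: `neverallow { domain -init } aconfig_storage_metadata_file:dir *;` forbids even `search` on `/metadata/aconfig` for every domain but init, yet this same commit grants `domain` read on files labeled `aconfig_storage_metadata_file` and gives `system_server` `rw_dir_perms` on the `/metadata/aconfig/flags` subtree; by path, neither can be reached without traversing that parent directory, so those grants are only usable through an fd handed over by init, or they are effectively dead. If processes are meant to open these paths themselves, leave traversal open — `neverallow { domain -init } aconfig_storage_metadata_file:dir ~search;` with `allow domain aconfig_storage_metadata_file:dir search;` — and note that `system_server` then also needs `search` on the parent to reach `flags`. If fd passing is the design, a comment saying so would save the next reader from raising the same question.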
@@ -913,6 +924,9 @@
-crash_dump_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file { entrypoint execute execute_no_trans };
')
@@ -993,6 +1007,9 @@
-task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file *;
')
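Review bot: Excluding `shell_exec` and `toolbox_exec` from this `:file *` vendor/system neverallow removes the compile-time guard against every permission on those two system binaries, not just execute — a future `allow <vendor domain> toolbox_exec:file write` would no longer be rejected by this rule. Since the comment only motivates invoking `/system/bin/sh`, a companion neverallow on the same subject set restricting `{ shell_exec toolbox_exec }:file` to `~{ read open getattr map execute execute_no_trans }` would keep the guard tight, unless an existing `system_file_type` neverallow already covers writes. The subject set of this neverallow starts before the hunk and is not visible here.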
diff --git a/public/file.te b/public/file.te
index 32c0cd8..209fdb1 100644
--- a/public/file.te
+++ b/public/file.te
@@ -229,6 +229,8 @@
type linkerconfig_file, file_type;
# Control files under /data/incremental
type incremental_control_file, file_type, data_file_type, core_data_file_type;
+# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
+type bootanim_oem_file, file_type, system_file_type;
# Default type for directories search for
# HAL implementations
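Review bot: `bootanim_oem_file` is declared with `system_file_type` even though it labels files on the `/oem` partition, which the rest of this change deliberately keeps distinct from `oemfs`; that attribute pulls these files under every allow and neverallow written against `system_file_type`, including any blanket read grant to `domain` and the write/relabel protections on system files. If such a blanket read exists, the explicit `r_file_perms` grants to `bootanim`, `mediaserver` and `mediaprovider_app` elsewhere in this commit are redundant; if it does not, the attribute choice still deserves a comment. Either way, add a one-line rationale next to the type stating why `system_file_type` was chosen over a plain `file_type` for OEM-partition content.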
@@ -295,6 +297,10 @@
type watchdog_metadata_file, file_type;
# Repair mode files within /metadata/repair-mode
type repair_mode_metadata_file, file_type;
+# Aconfig storage file
+type aconfig_storage_metadata_file, file_type;
+# Aconfig storage flag value persistent copy
+type aconfig_storage_flags_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 621a0b8..6730c32 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -85,7 +85,13 @@
halserverdomain
-hal_dumpstate_server
-hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
+} {
+ file_type
+ fs_type
+ # May invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
+}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 367012c..9b86c86 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -98,6 +98,9 @@
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
+# /oem boot animation file
+allow mediaserver bootanim_oem_file:file r_file_perms;
+
# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a9d1b5d..7a74e7c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -62,6 +62,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -83,6 +85,8 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
@@ -101,6 +105,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -119,6 +125,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -136,6 +144,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;