Merge "Allow hal_codec2_server to read fifo_file from untrusted_app_all" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9118cba..49481bd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -120,6 +120,7 @@
 		"android.hardware.security.dice.IDiceDevice/default":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IKeyMintDevice/default":                EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+		"android.hardware.security.secretkeeper.ISecretkeeper/default":            EXCEPTION_NO_FUZZER,
 		"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure":          EXCEPTION_NO_FUZZER,
 		"android.hardware.security.secureclock.ISecureClock/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.security.sharedsecret.ISharedSecret/default":            EXCEPTION_NO_FUZZER,
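Review bot: The added `"android.hardware.security.secretkeeper.ISecretkeeper/default"` entry waives the fuzzer requirement with `EXCEPTION_NO_FUZZER`, and nothing on the line records why the waiver is justified for a HAL that guards secrets. It is consistent with the `/nonsecure` instance on the next line, but a short line comment above it, e.g. `// TODO(review): state why no fuzzer is required for the default Secretkeeper instance`, filled in with the actual reason, would let a later reader tell a deliberate exception from an oversight. The matching service label for this instance is added in private/service_contexts in the same change.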
diff --git a/private/app.te b/private/app.te
index 19cb2e0..09f222b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -149,6 +149,9 @@
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
 
+# Allow apps to communicate via binder with virtual camera service.
+binder_call(appdomain, virtual_camera)
+
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
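Review bot: `binder_call(appdomain, virtual_camera)` at the added line grants the call to every app domain, including isolated and sandboxed apps, whereas the existing fd-use rule in private/virtual_camera.te (`allow virtual_camera { appdomain -isolated_app }:fd use;`) deliberately carves out isolated_app. Either that carve-out is intended and the new rule should mirror it, `binder_call({ appdomain -isolated_app }, virtual_camera)`, or isolated apps really are meant to reach the service and the comment should say so. The reverse grant added in private/virtual_camera.te, `binder_call(virtual_camera, appdomain)`, has the same breadth and should follow whichever choice is made. The storage rule at the end of this hunk shows the file's usual habit of excluding `isolated_app_all`, `ephemeral_app` and `sdk_sandbox_all` where access is not needed.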
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 6cc1828..27baaff 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -32,6 +32,10 @@
 allow crash_dump apex_art_data_file:dir { getattr search };
 allow crash_dump apex_art_data_file:file r_file_perms;
 
+# Allow crash dump to read bootstrap libraries
+allow crash_dump system_bootstrap_lib_file:dir { getattr search };
+allow crash_dump system_bootstrap_lib_file:file r_file_perms;
+
 # Read Vendor APEX directories
 allow crash_dump vendor_apex_metadata_file:dir { getattr search };
 
diff --git a/private/dumpstate.te b/private/dumpstate.te
index a40d73c..1faedb4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -62,6 +62,9 @@
 # Allow dumpstate to talk to virtual_camera service over binder
 binder_call(dumpstate, virtual_camera)
 
+# Allow dumpstate to talk to ot_daemon service over binder
+binder_call(dumpstate, ot_daemon)
+
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
 
@@ -71,6 +74,7 @@
   statsd
   netd
   virtual_camera
+  ot_daemon
 }:process signal;
 
 # Only allow dumpstate to dump Keystore on debuggable builds.
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 189d064..1ffcabe 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,6 +32,9 @@
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;
 
+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
 #####
 ##### Neverallow
 #####
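Review bot: The added `allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };` only makes sense if some other domain hands an already-open descriptor to the isolated process, since `open` is intentionally withheld, yet the comment does not name that path. Extending it to `# Allow to read (but not open) staged apks via an fd passed in from <domain> — TODO confirm` would let a reader locate the matching `fd use` grant, which is not part of this hunk. The neverallow relaxations that make this grant compile live in public/app.te in the same change.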
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 066d3d5..457e1bf 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -32,3 +32,7 @@
 
 # Allow OT daemon to write to statsd
 unix_socket_send(ot_daemon, statsdw, statsd)
+
+# For collecting bugreports.
+allow ot_daemon dumpstate:fd use;
+allow ot_daemon dumpstate:fifo_file write;
diff --git a/private/service_contexts b/private/service_contexts
index 2209c6a..091ab99 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -125,6 +125,7 @@
 android.hardware.secure_element.ISecureElement/SIM1                  u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM2                  u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/default         u:object_r:hal_secretkeeper_service:s0
 android.hardware.security.secretkeeper.ISecretkeeper/nonsecure       u:object_r:hal_secretkeeper_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index bab31ae..474a7b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -388,6 +388,7 @@
   mediatuner
   netd
   sdcardd
+  servicemanager
   statsd
   surfaceflinger
   vold
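Review bot: The list that `servicemanager` is added to starts and ends outside the hunk, so the permission it feeds cannot be confirmed here; judging by the neighbouring members (netd, statsd, surfaceflinger, vold) it is presumably a process-signalling rule, but that is an inference. servicemanager is the binder name service every other process depends on, so a one-line comment above the entry stating the use case, e.g. `# servicemanager: <reason> — TODO`, would make the grant reviewable later, and if the rule includes `sigkill` that deserves an explicit justification.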
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index d8c5df7..4c4ac7a 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -12,6 +12,10 @@
 binder_call(virtual_camera, cameraserver)
 binder_call(virtual_camera, system_server)
 
+
+# Allow virtualCamera to call apps via binder.
+binder_call(virtual_camera, appdomain)
+
 # Allow virtual_camera to use fd from apps
 allow virtual_camera { appdomain -isolated_app }:fd use;
 
@@ -28,3 +32,6 @@
 # For collecting bugreports.
 allow virtual_camera dumpstate:fd use;
 allow virtual_camera dumpstate:fifo_file write;
+
+# Needed for permission checks.
+allow virtual_camera permission_service:service_manager find;
diff --git a/public/app.te b/public/app.te
index a45149f..b539913 100644
--- a/public/app.te
+++ b/public/app.te
@@ -110,9 +110,6 @@
     apk_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
     apk_private_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
@@ -139,11 +136,15 @@
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
     { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
 
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
 
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;
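Review bot: The blanket `neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all } ... :dir_file_class_set *;` now drops isolated_app_all from coverage entirely and relies on the two narrower neverallows below to restore everything except `file { getattr read }`; that is only complete if `{ devfile_class_set dir fifo_file lnk_file sock_file }` plus `file` equals `dir_file_class_set`, which appears to hold for the current definition but is not stated anywhere. A comment such as `# isolated_app_all may only getattr/read staged apks (via a passed-in fd); every other class and permission stays forbidden below` above the first of these neverallows would record the invariant. The same maintenance hazard already existed for untrusted_app_all, so this is not a regression, but it is worth pinning down while the rules are being restructured.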
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
index 809ed77..359159f 100644
--- a/public/hal_secretkeeper.te
+++ b/public/hal_secretkeeper.te
@@ -6,3 +6,7 @@
 
 binder_use(hal_secretkeeper_server)
 binder_use(hal_secretkeeper_client)
+
+# The Secretkeeper HAL service needs to communicate with a trusted application running
+# in the TEE, which is represented by the tee_device permission.
+allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;
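Review bot: `allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;` grants the full read/write permission set, which includes `ioctl`, on the TEE device node to every domain carrying the hal_secretkeeper_server attribute, with no ioctl restriction. Device-node access in this policy is commonly narrowed with an `allowxperm ... tee_device:chr_file ioctl { ... }` allowlist; if the TEE driver's command set is known, adding one here (or a comment explaining why a blanket ioctl grant is required) would bound what a compromised HAL process can request from the secure world. Minor wording: the comment calls `tee_device` a permission, but it is a type label; `# ... which is represented by the tee_device type.` reads more accurately.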
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6888987..2790ef4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -19,6 +19,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default      u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
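Review bot: The new `bluetooth\.finder-service\.default` binary is labelled `hal_bluetooth_default_exec`, so it will run in the same domain as the main Bluetooth HAL and inherit that domain's full permission set. If the finder service is a separate process with a narrower job, a dedicated exec type and domain would keep its privileges bounded; if sharing the domain is intentional, a short note in the commit message saying so would settle the question. The new regex is correctly escaped, unlike the pre-existing `bluetooth-service.default` entry above it, which this change does not touch.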