Merge "Update SEPolicy for Tetheroffload AIDL"
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index caef62d..9c13bd5 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,5 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crosvm u:object_r:crosvm_exec:s0
/bin/fd_server u:object_r:fd_server_exec:s0
-/bin/virtmgr u:object_r:virtmgr_exec:s0
+/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 463a978..6a971da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -247,11 +247,21 @@
rule := android.NewRuleBuilder(pctx, ctx)
+ newlineFile := android.PathForModuleGen(ctx, "newline")
+
+ rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
+ rule.Temporary(newlineFile)
+
+ var inputsWithNewline android.Paths
+ for _, input := range inputs {
+ inputsWithNewline = append(inputsWithNewline, input, newlineFile)
+ }
+
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
- Inputs(inputs).
+ Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
if proptools.Bool(m.properties.Remove_comment) {
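Review bot: The reason for interleaving `newlineFile` between every input is not recorded anywhere in the hunk; presumably it prevents an input that lacks a trailing newline from being glued onto the first line of the next input when m4 concatenates them, but a reader has to reverse-engineer that from the `echo` redirect. A comment above the loop would save the deduction, e.g. `// Follow every input with a newline file so an input without a trailing newline cannot run into the first line of the next one.` The enclosing function begins before this hunk.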
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 847caf3..f706339 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -90,6 +90,9 @@
"android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
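Review bot: The three new IRadioSatellite bindings are added as EXCEPTION_NO_FUZZER with no rationale, so a newly exposed AIDL interface is exempted from the fuzzer requirement by default; the same applies to the three new tv.hdmi entries in the next hunk. Since this map is what the build check consults, a short comment or bug reference on each new line would keep the exemption from becoming silently permanent, e.g. `// TODO(<bug-id>): add a fuzzer for IRadioSatellite.`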
@@ -115,8 +118,9 @@
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
"android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.hdmi.IHdmi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
"android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index b5aa501..767bfe3 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
prng_seeder
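Review bot: `prng_seeder` now appears twice in this list: the added line and the existing context line three lines below it. Either the addition is redundant in this snapshot or the earlier entry was, and one of them should go unless the CIL compiler is confirmed to tolerate duplicate names in this set. Note also that this edits a prebuilts/api snapshot; confirm it is meant to track the private/compat copy changed further down, whose surrounding lines differ from these.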
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 4eda4a1..db71be4 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -347,6 +347,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# spatializer tuning
+audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
diff --git a/prebuilts/api/33.0/public/hal_audio.te b/prebuilts/api/33.0/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/prebuilts/api/33.0/public/hal_audio.te
+++ b/prebuilts/api/33.0/public/hal_audio.te
@@ -23,6 +23,9 @@
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
# allow hal audio to use vnbinder
vndbinder_use(hal_audio)
diff --git a/private/app.te b/private/app.te
index a7939b0..8838782 100644
--- a/private/app.te
+++ b/private/app.te
@@ -95,9 +95,9 @@
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
-# Exception for virtmgr to allow running VMs as child processes.
+# Exception for virtualizationmanager to allow running VMs as child processes.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs -virtmgr }:process { transition };
+ { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
diff --git a/private/artd.te b/private/artd.te
index 88094e7..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -31,8 +31,10 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
-r_dir_file(artd, apk_data_file)
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
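Review bot: `relabelfrom` is granted on every apk_data_file directory, and together with the `relabelto` on dalvikcache_data_file added in the next hunk this lets artd relabel any directory it can reach under apk_data_file to dalvikcache_data_file, not only a freshly created oat directory. If that breadth is intended because no narrower type exists for the pre-restorecon oat directory, the comment should say so, e.g. `# Also allow creating the "oat" directory and relabeling it to dalvikcache_data_file before restorecon; the relabel pair necessarily covers all apk_data_file dirs.` Otherwise an intermediate type for the newly created directory would bound the relabel.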
@@ -46,8 +48,8 @@
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-allow artd dalvikcache_data_file:dir create_dir_perms;
-allow artd dalvikcache_data_file:file create_file_perms;
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
@@ -71,8 +73,9 @@
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
-# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_root_file:dir { getattr search };
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
+# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
+allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
@@ -94,6 +97,26 @@
# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)
+# Allow scanning /, for cleaning up obsolete managed files.
+allow artd rootfs:dir r_dir_perms;
+
+# Allow scanning /data, for cleaning up obsolete managed files.
+allow artd system_data_root_file:dir r_dir_perms;
+
+# Allow scanning /mnt, for cleaning up obsolete managed files.
+allow artd tmpfs:dir r_dir_perms;
+
+# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
+allow artd mnt_expand_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
+# up obsolete managed files.
+allow artd system_userdir_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
+# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
+allow artd system_data_file:dir r_dir_perms;
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
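Review bot: The comment on the `tmpfs` rule says it is for scanning /mnt, but `tmpfs` is a type rather than a path, so the grant covers every tmpfs-labelled directory, not only /mnt. The comment should state that plainly, e.g. `# Allow scanning /mnt (labelled tmpfs; this grants read on all tmpfs-labelled dirs), for cleaning up obsolete managed files.` The same scan-for-cleanup pattern on `rootfs`, `system_data_root_file` and `system_data_file` widens artd's read reach across much of the filesystem, so a sentence on what bounds the cleanup walk would help a later auditor.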
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index ada65ae..7c8f5c0 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -19,3 +19,7 @@
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
allow bpfdomain bpffs_type:lnk_file read;
+
+# Needed for //frameworks/libs/net:
+# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
+get_prop(bpfdomain, bpf_progs_loaded_prop)
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 50e3be7..d810e0a 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
remotelyprovisionedkeypool_service
resources_manager_service
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index cc083d6..6464848 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -25,8 +25,9 @@
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
- hal_tv_hdmi_service
hal_tv_hdmi_cec_service
+ hal_tv_hdmi_connection_service
+ hal_tv_hdmi_earc_service
hal_wifi_service
healthconnect_service
hypervisor_restricted_prop
diff --git a/private/crosvm.te b/private/crosvm.te
index d4d29b0..aae8323 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,10 +14,10 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
+allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -36,11 +36,14 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
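Review bot: `ipc_lock` on crosvm overlaps with the memlock rlimit mechanism introduced in virtualizationservice.te in this same change (`allow virtualizationservice virtualizationmanager:process setrlimit;`); if crosvm actually holds CAP_IPC_LOCK at runtime, the raised rlimit no longer bounds how much guest memory it can lock. Whether both are required or one is a fallback is not recorded. The comment should say which mechanism the locked-memory bound relies on, e.g. `# Allow crosvm to mlock guest memory. Only effective if CAP_IPC_LOCK is in crosvm's bounding set; see also the memlock rlimit handling in virtualizationservice.te.`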
@@ -71,6 +74,11 @@
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
@@ -110,9 +118,9 @@
-shell_data_file
}:file read;
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
- -virtualizationservice
+ -virtualizationmanager
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 2b2619b..e0ba975 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -290,7 +290,7 @@
-apexd
-installd
-priv_app
- -virtualizationservice
+ -virtualizationmanager
} staging_data_file:dir *;
neverallow {
domain
@@ -303,7 +303,7 @@
-installd
-priv_app
-shell
- -virtualizationservice
+ -virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ee59cb7..fe442b3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -30,6 +30,9 @@
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
+# Kill incident in case of a timeout
+allow dumpstate incident:process { signal sigkill };
+
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
diff --git a/private/file.te b/private/file.te
index 134b377..e33469f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -91,7 +91,9 @@
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
# /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# virtualizationmanager, which runs at a more constrained MLS level.
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -100,7 +102,9 @@
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
-type kvm_device, dev_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# crosvm, which runs at a more constrained MLS level.
+type kvm_device, dev_type, mlstrustedobject;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 76a2370..8388e89 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -59,9 +59,6 @@
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/netd.te b/private/netd.te
index 4aa288b..ae43e47 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -23,7 +23,6 @@
set_prop(netd, netd_stable_secret_prop)
get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
get_prop(netd, hwservicemanager_prop)
get_prop(netd, device_config_netd_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 32746cd..8f0f851 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -363,6 +363,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# spatializer tuning
+audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
@@ -587,6 +592,14 @@
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
+# This is the namespace of all system properties used by ART Service.
+# As ART Service is in the updatable ART module, we need the prefix to allow us
+# to add new properties.
+pm.dexopt. u:object_r:exported_pm_prop:s0 prefix
+
+# A set of pm.dexopt properties that we should keep supporting for Treble
+# compatibility. We explicitly list them here to discourage renaming or
+# disregarding them.
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 21f9b0c..2d25540 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -12,6 +12,7 @@
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+get_prop(rkpdapp, remote_prov_prop)
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index c3cb72c..8de1d42 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,9 @@
android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
@@ -90,8 +93,9 @@
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
-android.hardware.tv.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
-android.hardware.tv.hdmi.IHdmi/default u:object_r:hal_tv_hdmi_service:s0
+android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
+android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
+android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 1be5a5e..2f2d3e7 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -55,3 +55,8 @@
} snapuserd_prop:property_service set;
allow snapuserd self:anon_inode create_file_perms;
+
+# Allow to read/write/create OTA metadata files
+allow snapuserd metadata_file:dir search;
+allow snapuserd ota_metadata_file:dir rw_dir_perms;
+allow snapuserd ota_metadata_file:file create_file_perms;
diff --git a/private/su.te b/private/su.te
index 2496473..cc00e10 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,6 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
+ # Put the virtmgr command into its domain.
+ domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_server.te b/private/system_server.te
index f85237f..53acab0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -331,8 +331,9 @@
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_hdmi)
hal_client_domain(system_server, hal_tv_hdmi_cec)
+hal_client_domain(system_server, hal_tv_hdmi_connection)
+hal_client_domain(system_server, hal_tv_hdmi_earc)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
@@ -1183,8 +1184,9 @@
# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able create files but it should never read from them.
+# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
+allow system_server profman_dump_data_file:dir rw_dir_perms;
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
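Review bot: The new comment says the directory only needs to be stat'ed, but `rw_dir_perms` grants `read` and `search` (listing) as well, which is more than getattr; and if, as I recall, `w_dir_perms` in this tree's global_macros already includes `getattr`, `read` and `search`, the switch to `rw_dir_perms` changes nothing and the comment documents a grant that was already there. Confirm against global_macros; if getattr is genuinely missing, the narrower form `allow system_server profman_dump_data_file:dir { w_dir_perms getattr };` matches the comment, otherwise keep `w_dir_perms` and drop the comment line.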
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d924187..bef7c6d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -29,6 +29,14 @@
allow system_suspend dumpstate:fd use;
allow system_suspend dumpstate:fifo_file write;
+# Allow init to take kernel wakelock and system suspend to
+# remove kenel wakelocks and the capability to access these
+# files
+allow init sysfs_wake_lock:file rw_file_perms;
+allow init self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+allow system_suspend self:global_capability2_class_set block_suspend;
+
neverallow {
domain
-atrace # tracing
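Review bot: The two `allow init ...` rules are placed in system_suspend.te, so init's new grants (the `block_suspend` capability and write access to sysfs_wake_lock) are invisible to anyone auditing init.te; moving them there, or at least cross-referencing them from init.te, keeps init's policy in one place. The comment also misspells "kernel" (`kenel`) and reads awkwardly; suggested wording: `# Allow init to take kernel wakelocks and system_suspend to release them; both need block_suspend and access to the sysfs wake_lock files.`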
diff --git a/private/virtmgr.te b/private/virtmgr.te
deleted file mode 100644
index 225b6cb..0000000
--- a/private/virtmgr.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# Domain for a child process that manages virtual machines on behalf of its parent.
-
-type virtmgr, domain, coredomain;
-type virtmgr_exec, system_file_type, exec_type, file_type;
-
-# Allow virtmgr to communicate use, read and write over the adb connection.
-allow virtmgr adbd:fd use;
-allow virtmgr adbd:unix_stream_socket { read write };
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
new file mode 100644
index 0000000..4cd32b7
--- /dev/null
+++ b/private/virtualizationmanager.te
@@ -0,0 +1,77 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtualizationmanager, domain, coredomain;
+type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+
+# Allow virtualizationmanager to communicate use, read and write over the adb connection.
+allow virtualizationmanager adbd:fd use;
+allow virtualizationmanager adbd:unix_stream_socket { read write };
+
+# Let the virtualizationmanager domain use Binder.
+binder_use(virtualizationmanager)
+
+# Let virtualizationmanager find and communicate with virtualizationservice.
+allow virtualizationmanager virtualization_service:service_manager find;
+binder_call(virtualizationmanager, virtualizationservice)
+
+# Allow calling into the system server to find native services. "permission_service" to check
+# permissions, and "package_native" for staged apex info.
+binder_call(virtualizationmanager, system_server)
+allow virtualizationmanager { package_native_service permission_service }:service_manager find;
+
+# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
+
+# Let virtualizationmanager kill crosvm.
+allow virtualizationmanager crosvm:process sigkill;
+
+# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
+allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
+allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;
+
+# Let virtualizationmanager read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationmanager apk_data_file:file { getattr read };
+
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationmanager {
+ app_data_file
+ apex_compos_data_file
+ privapp_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationmanager shell_data_file:file { getattr read write };
+
+# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationmanager apex_info_file:file r_file_perms;
+allow virtualizationmanager apex_data_file:dir search;
+allow virtualizationmanager staging_data_file:file r_file_perms;
+allow virtualizationmanager staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
+allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationmanager self:dir write;
+
+# Let virtualizationmanager to accept vsock connection from the guest VMs
+allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationmanager to inspect all hypervisor capabilities.
+get_prop(virtualizationmanager, hypervisor_prop)
+get_prop(virtualizationmanager, hypervisor_restricted_prop)
+
+# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
+unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
+
+# Append ramdumps to tombstone files passed as fds from tombstoned
+allow virtualizationmanager tombstone_data_file:file { append getattr };
+allow virtualizationmanager tombstoned:fd use;
+
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
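Review bot: The comment above `allow virtualizationmanager apk_data_file:file { getattr read }` states that client files must be passed over Binder and never opened directly, but unlike crosvm.te, which enforces its equivalent rule with a neverallow, nothing in this new file prevents a future `open` grant on those types from slipping in. A neverallow on `open` for the client file types listed here (app_data_file, apex_compos_data_file, privapp_data_file, apk_data_file) would make the stated design property build-enforced; shell_data_file is left out below because crosvm.te carves it out for test artifacts, and whether virtualizationmanager has a similar userdebug path is not visible here. Separately, the comment `communicate use, read and write over the adb connection` is garbled; the virtualizationservice.te wording `Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from crosvm to the console` is clearer. The trailing `;` after `r_dir_file(virtualizationmanager, crosvm)` is copied from the line it replaces but is unnecessary after an m4 macro.
```sepolicy
# … unchanged: existing allow/dontaudit rules for virtualizationmanager …

# Client files are handed over by Binder; virtualizationmanager must never open them by path.
neverallow virtualizationmanager {
    app_data_file
    apex_compos_data_file
    privapp_data_file
    apk_data_file
}:file open;
```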
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 883ff56..561e778 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -1,80 +1,49 @@
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;
+# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
+# the virtualizationmanager domain running at a more constrained MLS level.
+typeattribute virtualizationservice mlstrustedsubject;
+
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
-# ... and host a binder service
-binder_service(virtualizationservice)
-
-# Allow calling into the system server so that it can check permissions.
-binder_call(virtualizationservice, system_server)
-allow virtualizationservice permission_service:service_manager find;
-# Allow virtualizationservice to access "package_native" service for staged apex info.
-allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Allow calling into the system server to find "permission_service".
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
-# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
+# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
+allow virtualizationservice virtualizationmanager:process setrlimit;
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
+# Let virtualizationservice set the owner of a VM's temporary directory.
+allow virtualizationservice self:capability chown;
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+# Let virtualizationservice create and delete temporary directories of VMs. To remove old
+# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-
-# Let virtualizationservice manage crosvm control sockets.
-allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
-# Let virtualizationservice read and write files from its various clients, but not open them
-# directly as they must be passed over Binder by the client.
-allow virtualizationservice apk_data_file:file { getattr read };
-# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice {
- app_data_file
- apex_compos_data_file
- privapp_data_file
-}:file { getattr read write };
-
-# shell_data_file is used for automated tests and manual debugging.
-allow virtualizationservice shell_data_file:file { getattr read write };
-
-# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
-allow virtualizationservice apex_info_file:file r_file_perms;
-allow virtualizationservice apex_data_file:dir search;
-allow virtualizationservice staging_data_file:file r_file_perms;
-allow virtualizationservice staging_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow virtualizationservice derive_classpath_exec:file rx_file_perms;
-allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit virtualizationservice self:dir write;
-
-# Let virtualizationservice to accept vsock connection from the guest VMs
+# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
-# Allow virtualizationservice to inspect all hypervisor capabilities.
-get_prop(virtualizationservice, hypervisor_prop)
-get_prop(virtualizationservice, hypervisor_restricted_prop)
-
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
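Review bot: `typeattribute virtualizationservice mlstrustedsubject;` lifts every MLS constraint on the domain, not only the one blocking the single `setrlimit` call the comment cites, so the comment understates the scope of the exemption. The `neverallow virtualizationservice { domain -virtualizationmanager -virtualizationservice }:process setrlimit;` added in the last hunk of this file bounds the setrlimit use well, but it does not bound the cross-level file and IPC access the attribute also permits. The comment should acknowledge that, e.g. `# mlstrustedsubject exempts this domain from all MLS constraints. It is needed for the setrlimit on virtualizationmanager below; the neverallow at the end of this file bounds that use.`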
@@ -85,9 +54,6 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
-# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
-r_dir_file(virtualizationservice, crosvm);
-
neverallow {
domain
-init
@@ -97,5 +63,12 @@
neverallow {
domain
-init
+ -virtualizationmanager
-virtualizationservice
} virtualizationservice_data_file:file { open create };
+
+neverallow virtualizationservice {
+ domain
+ -virtualizationmanager
+ -virtualizationservice
+}:process setrlimit;
diff --git a/public/attributes b/public/attributes
index 0478874..5509813 100644
--- a/public/attributes
+++ b/public/attributes
@@ -370,8 +370,9 @@
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
-hal_attribute(tv_hdmi);
hal_attribute(tv_hdmi_cec);
+hal_attribute(tv_hdmi_connection);
+hal_attribute(tv_hdmi_earc);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,6 +23,9 @@
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
# allow hal audio to use vnbinder
vndbinder_use(hal_audio)
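Review bot: The new `allow hal_audio_server self:global_capability_class_set sys_nice;` is granted on the `hal_audio_server` attribute, i.e. to every domain that `hal_server_domain()` marks as an audio HAL implementation (the pattern used at the bottom of this change for the TV HALs), not just the default HAL, and the one-line comment neither names the capability nor states that scope. I would expand it to something like `# CAP_SYS_NICE for every hal_audio_server domain: lets the HAL move its own threads to a real-time scheduling class and lets binder apply RT priority inheritance. Granted on self only; rescheduling other domains remains governed by their process:setsched rules.` The hedge on the last clause is deliberate — the setsched rules are outside this hunk.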
diff --git a/public/hal_tv_hdmi.te b/public/hal_tv_hdmi.te
deleted file mode 100644
index 8e91aa2..0000000
--- a/public/hal_tv_hdmi.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Binder IPC from clients into server, and callbacks
-binder_call(hal_tv_hdmi_client, hal_tv_hdmi_server)
-binder_call(hal_tv_hdmi_server, hal_tv_hdmi_client)
-binder_call(hal_tv_hdmi_client, servicemanager)
-binder_call(hal_tv_hdmi_server, servicemanager)
-
-hal_attribute_service(hal_tv_hdmi, hal_tv_hdmi_service)
diff --git a/public/hal_tv_hdmi_cec.te b/public/hal_tv_hdmi_cec.te
index 1b75676..eb01b67 100644
--- a/public/hal_tv_hdmi_cec.te
+++ b/public/hal_tv_hdmi_cec.te
@@ -1,7 +1,7 @@
# Binder IPC from clients into server, and callbacks
binder_call(hal_tv_hdmi_cec_client, hal_tv_hdmi_cec_server)
binder_call(hal_tv_hdmi_cec_server, hal_tv_hdmi_cec_client)
-binder_call(hal_tv_hdmi_cec_client, servicemanager)
-binder_call(hal_tv_hdmi_cec_server, servicemanager)
+binder_use(hal_tv_hdmi_cec_client)
+binder_use(hal_tv_hdmi_cec_server)
hal_attribute_service(hal_tv_hdmi_cec, hal_tv_hdmi_cec_service)
diff --git a/public/hal_tv_hdmi_connection.te b/public/hal_tv_hdmi_connection.te
new file mode 100644
index 0000000..f6de27d
--- /dev/null
+++ b/public/hal_tv_hdmi_connection.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_connection_client, hal_tv_hdmi_connection_server)
+binder_call(hal_tv_hdmi_connection_server, hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_server)
+
+hal_attribute_service(hal_tv_hdmi_connection, hal_tv_hdmi_connection_service)
diff --git a/public/hal_tv_hdmi_earc.te b/public/hal_tv_hdmi_earc.te
new file mode 100644
index 0000000..2d76fc6
--- /dev/null
+++ b/public/hal_tv_hdmi_earc.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_earc_client, hal_tv_hdmi_earc_server)
+binder_call(hal_tv_hdmi_earc_server, hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_server)
+
+hal_attribute_service(hal_tv_hdmi_earc, hal_tv_hdmi_earc_service)
diff --git a/public/service.te b/public/service.te
index 335733f..154ebb9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -316,8 +316,9 @@
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_hdmi_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 730c1e0..3473e74 100644
--- a/public/su.te
+++ b/public/su.te
@@ -97,8 +97,9 @@
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
- typeattribute su hal_tv_hdmi_client;
typeattribute su hal_tv_hdmi_cec_client;
+ typeattribute su hal_tv_hdmi_connection_client;
+ typeattribute su hal_tv_hdmi_earc_client;
typeattribute su hal_tv_input_client;
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
diff --git a/public/te_macros b/public/te_macros
index 3bb3904..11041b6 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -183,32 +183,25 @@
####################################
# virtualizationservice_use(domain)
# Allow domain to create and communicate with a virtual machine using
-# virtualizationservice.
+# virtualizationservice and virtualizationmanager.
define(`virtualizationservice_use', `
-allow $1 virtualization_service:service_manager find;
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Transition to virtmgr when the client executes it.
-domain_auto_trans($1, virtmgr_exec, virtmgr)
-# Allow virtmgr to communicate over UDS with the client.
-allow virtmgr $1:unix_stream_socket { getattr read write };
-# Allow virtmgr and the client to signal each other using pipes.
-allow virtmgr $1:fifo_file { getattr read write };
-# Let the client pass file descriptors to virtualizationservice/virtmgr and on
-# to crosvm
-allow { virtualizationservice virtmgr crosvm } $1:fd use;
+# Transition to virtualizationmanager when the client executes it.
+domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
+# Allow virtualizationmanager to communicate over UDS with the client.
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
+allow { virtualizationmanager crosvm } $1:fd use;
+# Let the client use file descriptors created by virtualizationmanager.
+allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
-# Allow client to read/write vsock created by virtualizationservice to
-# communicate with the VM that it created. Notice that we do not grant
-# permission to create a vsock; the client can only connect to VMs
-# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
-# Allow client to read (but not open) the crashdump provided by virtualizationservice
+# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
')
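Review bot: The rewritten `allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };` widens crosvm's access to the client's FIFOs: the removed rule gave crosvm only `{ getattr write }` (console log flowing out to the client) and only virtmgr had `read`, yet the comment above it still says just "Allow piping console log to the client". The same widening happens one rule up, where crosvm is newly added to `$1:unix_stream_socket { getattr read write }`, which previously covered virtmgr alone. If crosvm genuinely needs to read from client-owned FIFOs and sockets (e.g. for console input), the comment should say so; otherwise keep the per-domain split, e.g. `allow virtualizationmanager $1:fifo_file { getattr read write };` and `allow crosvm $1:fifo_file { getattr write };`. The macro body is fully visible in the hunk.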
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 02c8498..53c0b96 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -100,8 +100,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi-service u:object_r:hal_tv_hdmi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.earc-service u:object_r:hal_tv_hdmi_earc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
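Review bot: The three new entries `android\.hardware\.tv\.hdmi.cec-service`, `android\.hardware\.tv\.hdmi.connection-service` and `android\.hardware\.tv\.hdmi.earc-service` leave the dot between `hdmi` and the sub-HAL name unescaped, while every other dot in these patterns and in the neighbouring lines is written `\.`. file_contexts patterns are regular expressions, so the bare `.` matches any single character and the label is applied more loosely than intended. Escape them as `hdmi\.cec-service`, `hdmi\.connection-service` and `hdmi\.earc-service`. Since only vendor-shipped binaries live under /vendor/bin/hw this is a consistency and correctness nit rather than an exploitable gap, but it is cheap to fix before the typo propagates to device policies.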
diff --git a/vendor/hal_tv_hdmi_connection_default.te b/vendor/hal_tv_hdmi_connection_default.te
new file mode 100644
index 0000000..bad8961
--- /dev/null
+++ b/vendor/hal_tv_hdmi_connection_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_connection_default, domain;
+hal_server_domain(hal_tv_hdmi_connection_default, hal_tv_hdmi_connection)
+
+type hal_tv_hdmi_connection_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_connection_default)
diff --git a/vendor/hal_tv_hdmi_default.te b/vendor/hal_tv_hdmi_default.te
deleted file mode 100644
index e974fd8..0000000
--- a/vendor/hal_tv_hdmi_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tv_hdmi_default, domain;
-hal_server_domain(hal_tv_hdmi_default, hal_tv_hdmi)
-
-type hal_tv_hdmi_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_hdmi_default)
diff --git a/vendor/hal_tv_hdmi_earc_default.te b/vendor/hal_tv_hdmi_earc_default.te
new file mode 100644
index 0000000..d2a729d
--- /dev/null
+++ b/vendor/hal_tv_hdmi_earc_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_earc_default, domain;
+hal_server_domain(hal_tv_hdmi_earc_default, hal_tv_hdmi_earc)
+
+type hal_tv_hdmi_earc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_earc_default)