Merge "Revert "Move allow rules of sdk_sandbox to apex policy""
diff --git a/private/apexd.te b/private/apexd.te
index 0482090..b74d4ee 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -133,7 +133,6 @@
# Allow apexd to send control messages to load/unload apex from init
set_prop(apexd, ctl_apex_load_prop)
-get_prop(apexd, init_apex_status_private_prop)
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
@@ -210,3 +209,6 @@
# Allow calling derive_classpath to gather BCP information for staged sessions
domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
+
+# Allow set apex ready property
+set_prop(apexd, apex_ready_prop)
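Review bot: The comment on the added set_prop is ungrammatical and does not name the property it covers; suggest `# Allow apexd to set the apex.<apex-name>.ready property`. The first hunk of this file drops apexd's read of init_apex_status_private_prop, which matches the property_contexts hunk removing the init.apex. mapping, so nothing else in apexd.te appears to depend on the old property.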
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 15f7c4a..90e2eaf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ apex_ready_prop
artd
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index 9888fa4..c041ca3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,3 +1,4 @@
+get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop)
@@ -7,7 +8,6 @@
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
-get_prop(coredomain, init_apex_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index 73ce3c6..f3fc9a8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,6 +63,9 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
+dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
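Review bot: The new comment reads "as part its APCI implementation", presumably meant as "as part of its ACPI implementation"; the line should read `# crosvm tries to use netlink sockets as part of its ACPI implementation, but we don't need it for AVF (b/228077254)`. The dontaudit itself is the right shape for silencing a known-unneeded access without granting it.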
diff --git a/private/file_contexts b/private/file_contexts
index fedea70..f5d40c8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -369,7 +369,7 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
diff --git a/private/init.te b/private/init.te
index 997a184..9e50bd4 100644
--- a/private/init.te
+++ b/private/init.te
@@ -11,6 +11,7 @@
recovery_only(`
# Files in recovery image are labeled as rootfs.
domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, hal_bootctl_server)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, hal_health_server)
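Review bot: The new `domain_trans(init, rootfs, hal_bootctl_server)` is inserted between adbd and charger, which breaks the alphabetical order the surrounding recovery_only list follows (charger, fastbootd, hal_health_server). Move it after the fastbootd line so it sits directly before hal_health_server. The recovery_only block continues past the end of the hunk.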
diff --git a/private/installd.te b/private/installd.te
index 538641d..9673cfd 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -45,7 +45,7 @@
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
+allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
diff --git a/private/property.te b/private/property.te
index ddb427d..27a8e38 100644
--- a/private/property.te
+++ b/private/property.te
@@ -47,7 +47,6 @@
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
-system_internal_prop(init_apex_status_private_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -633,11 +632,6 @@
neverallow {
domain
-init
-} init_apex_status_private_prop:property_service set;
-
-neverallow {
- domain
- -init
-apexd
} ctl_apex_load_prop:property_service set;
@@ -647,7 +641,21 @@
-init
-dumpstate
-apexd
-} {init_apex_status_private_prop ctl_apex_load_prop}:file no_rw_file_perms;
+} ctl_apex_load_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -apexd
+} apex_ready_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -dumpstate
+ -apexd
+ -vendor_init
+} apex_ready_prop:file no_rw_file_perms;
neverallow {
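Review bot: In the new `apex_ready_prop:file no_rw_file_perms` neverallow, `-dumpstate` and `-apexd` are listed next to `-coredomain`; if both domains still carry the coredomain attribute, those two exclusions are redundant and the list could be reduced to `-coredomain -vendor_init`. The set-side neverallow (`-init -apexd`) is consistent with the set_prop added in apexd.te. The neverallow at the top of this hunk begins before the hunk.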
# Only allow init and profcollectd to access profcollectd_node_id_prop
diff --git a/private/property_contexts b/private/property_contexts
index ed9de36..b2586f9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -288,6 +288,9 @@
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
+# Property that indicates if an apex is ready: apex.<apex-name>.ready
+apex. u:object_r:apex_ready_prop:s0 prefix bool
+
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
gsid. u:object_r:gsid_prop:s0
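Review bot: The added mapping labels the entire `apex.` namespace as apex_ready_prop, which is wider than the `apex.<apex-name>.ready` form the comment describes, and `prefix bool` means init will type-check every property under that prefix as a boolean. Any later `apex.*` property with a different purpose or value type would inherit the ready-flag label, its neverallow rules and the bool check. If that is intended, say so in the comment, e.g. `# All apex.* properties are labeled apex_ready_prop and must be booleans; only apex.<apex-name>.ready is defined today`.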
@@ -761,10 +764,6 @@
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
-# apexd reads this property to check if init has done with ctl.apex_* messages
-# This should be the form of init.apex.<apex_name>.
-init.apex. u:object_r:init_apex_status_private_prop:s0 prefix enum loaded unloaded
-
libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
diff --git a/private/system_server.te b/private/system_server.te
index aa674d0..ab0bfe0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1076,14 +1076,11 @@
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
+# Allow system process to setup fs-verity
+allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
-allowxperm system_server system_file:file ioctl {
- FS_IOC_MEASURE_VERITY
-};
+# Allow system process to measure fs-verity for apps, apps being installed and system files
+allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
# Postinstall
#
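Review bot: The widened FS_IOC_MEASURE_VERITY rule on the last added line includes `apk_tmp_file`, but `allowxperm` only refines an ioctl permission that is already granted; unless `allow system_server apk_tmp_file:file ioctl` exists outside this hunk, measuring fs-verity on files being installed will still be denied. Worth confirming that base rule is present, or adding it with this change. The rewritten FS_IOC_ENABLE_VERITY rule above is equivalent to the removed block for apk_data_file.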
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 70b3ef9..acbd84e 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -12,6 +12,9 @@
# Let vendor_init react to AVF device config changes
get_prop(vendor_init, device_config_virtualization_framework_native_prop)
+# Let vendor_init use apex.<name>.ready to start services from vendor APEX
+get_prop(vendor_init, apex_ready_prop)
+
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
diff --git a/public/property.te b/public/property.te
index 1688b54..80df624 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(apex_ready_prop)
system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)