Merge changes from topics "apex-ready-prop", "apex-update-prop"
* changes:
Modified sepolicy for new apex ready prop
Remove init.apex.<apex-name>.load/unload property
diff --git a/Android.bp b/Android.bp
index 467f80e..677c014 100644
--- a/Android.bp
+++ b/Android.bp
@@ -44,177 +44,6 @@
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
-se_build_files {
- name: "28.0.board.compat.map",
- srcs: [
- "compat/28.0/28.0.cil",
- ],
-}
-
-se_build_files {
- name: "29.0.board.compat.map",
- srcs: [
- "compat/29.0/29.0.cil",
- ],
-}
-
-se_build_files {
- name: "30.0.board.compat.map",
- srcs: [
- "compat/30.0/30.0.cil",
- ],
-}
-
-se_build_files {
- name: "31.0.board.compat.map",
- srcs: [
- "compat/31.0/31.0.cil",
- ],
-}
-
-se_build_files {
- name: "32.0.board.compat.map",
- srcs: [
- "compat/32.0/32.0.cil",
- ],
-}
-
-se_build_files {
- name: "33.0.board.compat.map",
- srcs: [
- "compat/33.0/33.0.cil",
- ],
-}
-
-se_build_files {
- name: "28.0.board.compat.cil",
- srcs: [
- "compat/28.0/28.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "29.0.board.compat.cil",
- srcs: [
- "compat/29.0/29.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "30.0.board.compat.cil",
- srcs: [
- "compat/30.0/30.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "31.0.board.compat.cil",
- srcs: [
- "compat/31.0/31.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "32.0.board.compat.cil",
- srcs: [
- "compat/32.0/32.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "33.0.board.compat.cil",
- srcs: [
- "compat/33.0/33.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "28.0.board.ignore.map",
- srcs: [
- "compat/28.0/28.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "29.0.board.ignore.map",
- srcs: [
- "compat/29.0/29.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "30.0.board.ignore.map",
- srcs: [
- "compat/30.0/30.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "31.0.board.ignore.map",
- srcs: [
- "compat/31.0/31.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "32.0.board.ignore.map",
- srcs: [
- "compat/32.0/32.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "33.0.board.ignore.map",
- srcs: [
- "compat/33.0/33.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "file_contexts_files",
- srcs: ["file_contexts"],
-}
-
-se_build_files {
- name: "file_contexts_asan_files",
- srcs: ["file_contexts_asan"],
-}
-
-se_build_files {
- name: "file_contexts_overlayfs_files",
- srcs: ["file_contexts_overlayfs"],
-}
-
-se_build_files {
- name: "hwservice_contexts_files",
- srcs: ["hwservice_contexts"],
-}
-
-se_build_files {
- name: "property_contexts_files",
- srcs: ["property_contexts"],
-}
-
-se_build_files {
- name: "service_contexts_files",
- srcs: ["service_contexts"],
-}
-
-se_build_files {
- name: "keystore2_key_contexts_files",
- srcs: ["keystore2_key_contexts"],
-}
-
-se_build_files {
- name: "seapp_contexts_files",
- srcs: ["seapp_contexts"],
-}
-
-se_build_files {
- name: "vndservice_contexts_files",
- srcs: ["vndservice_contexts"],
-}
-
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
@@ -388,6 +217,21 @@
stem: "apex_sepolicy.cil",
}
+se_policy_cil {
+ name: "decompiled_sepolicy-without_apex.cil",
+ src: ":precompiled_sepolicy-without_apex",
+ decompile_binary: true,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-decompiled.cil",
+ src: ":precompiled_sepolicy",
+ decompile_binary: true,
+ filter_out: [":decompiled_sepolicy-without_apex.cil"],
+ additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+ secilc_check: false,
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
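Review bot: `apex_sepolicy-decompiled.cil` hard-codes `com.android.sepolicy/33/definitions/definitions.cil` and sets `secilc_check: false` without a word on why, so the next API bump will keep decompiling against the 33 definitions and nobody will know whether skipping the secilc pass is still safe. A comment above the module would make the intent reviewable, e.g. `// Decompiles precompiled_sepolicy and subtracts everything already present in the non-apex policy, leaving only the apex rules; definitions.cil supplies the declarations those rules reference, so secilc validation is skipped for this partial policy.` The filter/definitions relationship is inferred from the properties, so adjust the wording if the intent differs. If a single place already names the current apex sepolicy version, derive the `33` path from it instead of repeating the literal here.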
@@ -896,6 +740,50 @@
},
}
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy-without_apex",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
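Review bot: `precompiled_sepolicy-without_apex` carries no comment saying that it exists only to serve as the `filter_out` baseline for `apex_sepolicy-decompiled.cil`, and it copies `required: ["sepolicy_neverallows", "sepolicy_neverallows_vendor"]` and the `dist` entry that presumably belong to the installed `precompiled_sepolicy` module. If this binary is never installed or distributed, those two stanzas look like copy-over and can be dropped; if it is installed, the comment should say where it lands so the two precompiled policies are not confused on device. Suggest a header such as `// Platform policy compiled without the apex policy; used only to subtract non-apex rules when decompiling apex_sepolicy` — verify against the module's actual consumers.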
diff --git a/Android.mk b/Android.mk
index fae4cba..21bc6a9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -477,7 +477,6 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -661,7 +660,6 @@
file_contexts.modules.tmp :=
##################################
-include $(LOCAL_PATH)/mac_permissions.mk
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
diff --git a/TEST_MAPPING b/TEST_MAPPING
index cf99902..efcdb36 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,8 +11,10 @@
},
{
"include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SeamendcHostTest"
}
-
]
},
{
diff --git a/apex/Android.bp b/apex/Android.bp
index 8f11771..8c9db86 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -21,6 +21,8 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+// TODO(b/236681553): Remove com.android.bluetooth-file_contexts
+
filegroup {
name: "apex_file_contexts_files",
srcs: ["*-file_contexts"],
@@ -263,3 +265,10 @@
"com.android.ondevicepersonalization-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.healthconnect-file_contexts",
+ srcs: [
+ "com.android.healthconnect-file_contexts",
+ ],
+}
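Review bot: A dedicated `com.android.healthconnect-file_contexts` filegroup is added here, but the `apex/com.android.btservices-file_contexts` file created in this same change gets none. If per-apex filegroups are what the apex modules reference (the healthconnect and ondevicepersonalization entries suggest so), btservices needs the same block, `filegroup { name: "com.android.btservices-file_contexts", srcs: ["com.android.btservices-file_contexts"], }`; if the `*-file_contexts` glob in `apex_file_contexts_files` is what consumers use, say so in the `TODO(b/236681553)` comment so the asymmetry is not mistaken for an omission. Either way the two new contexts files should be wired up consistently.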
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac..f1aa92b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -1,10 +1,11 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/bin/artd u:object_r:artd_exec:s0
-/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
-/bin/odrefresh u:object_r:odrefresh_exec:s0
-/bin/profman u:object_r:profman_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/art_exec u:object_r:art_exec_exec:s0
+/bin/artd u:object_r:artd_exec:s0
+/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
+/bin/profman u:object_r:profman_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
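Review bot: Seven of the eight entries in this hunk are removed and re-added with what appears to be only whitespace changes (the text is identical once the diff's spacing is collapsed); the one substantive change is the new `/bin/art_exec u:object_r:art_exec_exec:s0` line. Re-aligning columns in the same hunk as a labelling change hides the real diff from reviewers and from `git blame`, and file_contexts is exactly the kind of file where a reviewer wants to see every label change at a glance. Keep the alignment churn in a separate change or leave the existing columns alone.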
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a0e9ea0..cc60b70 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,8 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/art_exec u:object_r:art_exec_exec:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/apex/com.android.btservices-file_contexts b/apex/com.android.btservices-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.btservices-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
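Review bot: `/lib(64)?(/.*) u:object_r:system_lib_file:s0` lacks the trailing `?` that `apex/com.android.art-file_contexts` uses (`/lib(64)?(/.*)?`), so the `/lib` and `/lib64` directories themselves do not match this entry and fall through to the `(/.*)?` catch-all, ending up labelled `system_file` while their contents are `system_lib_file`. Unless that split is intended, make it `/lib(64)?(/.*)? u:object_r:system_lib_file:s0` so the directory and its contents carry the same label as in the other apex contexts files.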
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthconnect-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.healthconnect-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index d1cead3..99dd662 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,6 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
+ "mac_permissions.go",
"policy.go",
"selinux.go",
"selinux_contexts.go",
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 6cc40c6..383a282 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -92,10 +92,10 @@
func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
b.srcs = make(map[string]android.Paths)
- b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
- b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "reqd_mask"))
+ b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "public"))
+ b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "private"))
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "vendor"))
b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
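Review bot: The literal `"system", "sepolicy"` path now appears six times across this hunk and the two that follow (the `_for_vendor` pair and the `ver` loop), replacing `ctx.ModuleDir()` with no comment on why the module directory can no longer be used — presumably because the `se_build_files` modules are moved into `compat/` and `contexts/` in this same change while their sources stay under `system/sepolicy`. Hoist the path once, e.g. `const platformSepolicyDir = "system/sepolicy"` with a comment `// se_build_files modules live in subdirectories, so srcs are resolved against the sepolicy root rather than ModuleDir()`, and use `filepath.Join(platformSepolicyDir, "reqd_mask")` and friends at the six call sites. `GenerateAndroidBuildActions` continues past the end of this hunk.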
@@ -117,8 +117,8 @@
// use vendor-supplied plat prebuilts
b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+ b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+ b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
@@ -127,8 +127,8 @@
// directories used for compat tests and Treble tests
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
- b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+ b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
+ b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/go.mod b/build/soong/go.mod
new file mode 100644
index 0000000..37bc985
--- /dev/null
+++ b/build/soong/go.mod
@@ -0,0 +1,23 @@
+module android/soong/sepolicy
+
+require (
+ android/soong v0.0.0
+ github.com/google/blueprint v0.0.0
+ golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
+)
+
+replace android/soong v0.0.0 => ../../../../build/soong
+
+replace google.golang.org/protobuf v0.0.0 => ../../../../external/golang-protobuf
+
+replace github.com/google/blueprint v0.0.0 => ../../../../build/blueprint
+
+// Indirect deps from golang-protobuf
+exclude github.com/golang/protobuf v1.5.0
+
+replace github.com/google/go-cmp v0.5.5 => ../../../../external/go-cmp
+
+// Indirect dep from go-cmp
+exclude golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
+
+go 1.13
diff --git a/build/soong/go.sum b/build/soong/go.sum
new file mode 100644
index 0000000..cbe76d9
--- /dev/null
+++ b/build/soong/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
diff --git a/build/soong/mac_permissions.go b/build/soong/mac_permissions.go
new file mode 100644
index 0000000..9615d12
--- /dev/null
+++ b/build/soong/mac_permissions.go
@@ -0,0 +1,144 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "io"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+var (
+ // Should be synced with keys.conf.
+ AllPlatformKeys = []string{
+ "platform",
+ "sdk_sandbox",
+ "media",
+ "networkstack",
+ "shared",
+ "testkey",
+ "bluetooth",
+ }
+)
+
+type macPermissionsProperties struct {
+ // keys.conf files to control the mapping of "tags" found in the mac_permissions.xml files.
+ Keys []string `android:"path"`
+
+ // Source files for the generated mac_permissions.xml file.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name
+ Stem *string
+}
+
+type macPermissionsModule struct {
+ android.ModuleBase
+
+ properties macPermissionsProperties
+ outputPath android.ModuleOutPath
+ installPath android.InstallPath
+}
+
+func init() {
+ android.RegisterModuleType("mac_permissions", macPermissionsFactory)
+}
+
+func getAllPlatformKeyPaths(ctx android.ModuleContext) android.Paths {
+ var platformKeys android.Paths
+
+ defaultCertificateDir := ctx.Config().DefaultAppCertificateDir(ctx)
+ for _, key := range AllPlatformKeys {
+ platformKeys = append(platformKeys, defaultCertificateDir.Join(ctx, key+".x509.pem"))
+ }
+
+ return platformKeys
+}
+
+func (m *macPermissionsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *macPermissionsModule) stem() string {
+ return proptools.StringDefault(m.properties.Stem, m.Name())
+}
+
+func buildVariant(ctx android.ModuleContext) string {
+ if ctx.Config().Eng() {
+ return "eng"
+ }
+ if ctx.Config().Debuggable() {
+ return "userdebug"
+ }
+ return "user"
+}
+
+func (m *macPermissionsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ platformKeys := getAllPlatformKeyPaths(ctx)
+ keys := android.PathsForModuleSrc(ctx, m.properties.Keys)
+ srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+
+ m4Keys := android.PathForModuleGen(ctx, "mac_perms_keys.tmp")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Text("--fatal-warnings -s").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Inputs(keys).
+ FlagWithOutput("> ", m4Keys).
+ Implicits(platformKeys)
+
+ m.outputPath = android.PathForModuleOut(ctx, m.stem())
+ rule.Command().Text("DEFAULT_SYSTEM_DEV_CERTIFICATE="+ctx.Config().DefaultAppCertificateDir(ctx).String()).
+ Text("MAINLINE_SEPOLICY_DEV_CERTIFICATES="+ctx.Config().MainlineSepolicyDevCertificatesDir(ctx).String()).
+ BuiltTool("insertkeys").
+ FlagWithArg("-t ", buildVariant(ctx)).
+ Input(m4Keys).
+ FlagWithOutput("-o ", m.outputPath).
+ Inputs(srcs)
+
+ rule.Build("mac_permission", "build "+m.Name())
+
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+}
+
+func (m *macPermissionsModule) AndroidMk() android.AndroidMkData {
+ return android.AndroidMkData{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(m.outputPath),
+ Extra: []android.AndroidMkExtraFunc{
+ func(w io.Writer, outputFile android.Path) {
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
+ },
+ },
+ }
+}
+
+// mac_permissions module generates a mac_permissions.xml file from given keys.conf and
+// source files. The following variables are supported for keys.conf files.
+//
+// DEFAULT_SYSTEM_DEV_CERTIFICATE
+// MAINLINE_SEPOLICY_DEV_CERTIFICATES
+func macPermissionsFactory() android.Module {
+ m := &macPermissionsModule{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
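Review bot: The `insertkeys` command in `GenerateAndroidBuildActions` no longer passes the `-c $(TOP)` argument that the deleted `mac_permissions.mk` used on every variant, and nothing in the file explains the omission; confirm that `insertkeys` resolves certificate paths correctly from Soong's working directory without it, or add the equivalent `FlagWithArg("-c ", ...)` and a comment. `AllPlatformKeys` also adds `bluetooth` to the makefile's `platform media networkstack sdk_sandbox shared testkey` list; because every entry becomes an `Implicits` input of the rule, a build whose default certificate directory has no `bluetooth.x509.pem` will now fail on a missing input, so the `// Should be synced with keys.conf.` comment should name the keys.conf it mirrors and the cert files it requires. Minor: the platform keys are attached as implicits to the `m4` command although only the `insertkeys` command reads them; moving the `Implicits(platformKeys)` call to the second command would make the dependency easier to follow, and `getAllPlatformKeyPaths` and `buildVariant` deserve one-line doc comments.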
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3946a04..4161bb3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,6 +287,10 @@
// Policy file to be compiled to cil file.
Src *string `android:"path"`
+ // If true, the input policy file is a binary policy that will be decompiled to a cil file.
+ // Defaults to false.
+ Decompile_binary *bool
+
// Additional cil files to be added in the end of the output. This is to support workarounds
// which are not supported by the policy language.
Additional_cil_files []string `android:"path"`
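Review bot: With `Decompile_binary` introduced, the `Src` comment just above (`// Policy file to be compiled to cil file.`) is now wrong for the binary case; change it to `// Policy file to be compiled to cil file, or a binary policy to be decompiled when decompile_binary is true.` The new property's own comment could also mention that `filter_out` and `additional_cil_files` still apply to the decompiled output, since that combination is what the new `apex_sepolicy-decompiled.cil` module relies on.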
@@ -338,17 +342,15 @@
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
+ checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
Flag("-C"). // Write CIL
Flag("-M"). // Enable MLS
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", cil).
Input(conf)
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
+ if proptools.Bool(c.properties.Decompile_binary) {
+ checkpolicyCmd.Flag("-b") // Read binary
}
if len(c.properties.Filter_out) > 0 {
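Review bot: Moving the `cat` of `Additional_cil_files` from before the `Filter_out` step to after it (the new position is in the next hunk) changes the output of any existing module that sets both properties: the additional cil lines were previously subject to filtering and are now appended unfiltered. That matches the property's `to be added in the end of the output` wording, but it is a behaviour change rather than a pure move, so record it in the `Additional_cil_files` comment, e.g. `// Appended after filter_out has been applied, so these lines are never filtered.` If `-c <PolicyVers>` and `-M` are ignored by checkpolicy when `-b` is given, a one-line comment next to the `-b` flag saying so would save the next reader a trip to the man page. `compileConfToCil` continues beyond this hunk.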
@@ -359,6 +361,12 @@
FlagWithOutput("-t ", cil)
}
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
if proptools.Bool(c.properties.Remove_line_marker) {
rule.Command().Text("grep -v").
Text(proptools.ShellEscape(";;")).
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..9b35268
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,8 @@
+(sid apex)
+(sidorder (apex))
+
+(classorder (file))
+
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read getattr lock map open watch watch_reads))
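Review bot: The file has no comment saying what these declarations are for or why `class file` lists only eight permissions; since `Android.bp` feeds it into `apex_sepolicy-decompiled.cil` via `additional_cil_files` with `secilc_check: false`, a reader cannot tell whether the subset is deliberate or just what happened to compile. Suggest a header such as `; Declarations referenced by the decompiled apex policy that are not part of the apex cil itself; keep the class and type list in sync with the rules under com.android.sepolicy/33.` — the purpose is inferred from the build module, so adjust if it is wrong. The `(type shell)` and `(type sepolicy_test_file)` lines in particular deserve a word on why those two types are needed here.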
diff --git a/compat/Android.bp b/compat/Android.bp
index 2370c7b..895b5e7 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -23,6 +23,132 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+se_build_files {
+ name: "28.0.board.compat.map",
+ srcs: [
+ "compat/28.0/28.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.compat.map",
+ srcs: [
+ "compat/29.0/29.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.compat.map",
+ srcs: [
+ "compat/30.0/30.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.compat.map",
+ srcs: [
+ "compat/31.0/31.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.compat.map",
+ srcs: [
+ "compat/32.0/32.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.compat.map",
+ srcs: [
+ "compat/33.0/33.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "28.0.board.compat.cil",
+ srcs: [
+ "compat/28.0/28.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.compat.cil",
+ srcs: [
+ "compat/29.0/29.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.compat.cil",
+ srcs: [
+ "compat/30.0/30.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.compat.cil",
+ srcs: [
+ "compat/31.0/31.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.compat.cil",
+ srcs: [
+ "compat/32.0/32.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.compat.cil",
+ srcs: [
+ "compat/33.0/33.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "28.0.board.ignore.map",
+ srcs: [
+ "compat/28.0/28.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.ignore.map",
+ srcs: [
+ "compat/29.0/29.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.ignore.map",
+ srcs: [
+ "compat/30.0/30.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.ignore.map",
+ srcs: [
+ "compat/31.0/31.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.ignore.map",
+ srcs: [
+ "compat/32.0/32.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.ignore.map",
+ srcs: [
+ "compat/33.0/33.0.ignore.cil",
+ ],
+}
+
se_cil_compat_map {
name: "plat_28.0.cil",
stem: "28.0.cil",
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 2a5a058..04a0c11 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -23,6 +23,51 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+se_build_files {
+ name: "file_contexts_files",
+ srcs: ["file_contexts"],
+}
+
+se_build_files {
+ name: "file_contexts_asan_files",
+ srcs: ["file_contexts_asan"],
+}
+
+se_build_files {
+ name: "file_contexts_overlayfs_files",
+ srcs: ["file_contexts_overlayfs"],
+}
+
+se_build_files {
+ name: "hwservice_contexts_files",
+ srcs: ["hwservice_contexts"],
+}
+
+se_build_files {
+ name: "property_contexts_files",
+ srcs: ["property_contexts"],
+}
+
+se_build_files {
+ name: "service_contexts_files",
+ srcs: ["service_contexts"],
+}
+
+se_build_files {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
+}
+
+se_build_files {
+ name: "vndservice_contexts_files",
+ srcs: ["vndservice_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files{.plat_private}"],
diff --git a/mac_permissions.mk b/mac_permissions.mk
deleted file mode 100644
index 43c98c9..0000000
--- a/mac_permissions.mk
+++ /dev/null
@@ -1,175 +0,0 @@
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
-
-# Build keys.conf
-plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
-$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_plat_mac_perms_keys)
-$(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-# Should be synced with keys.conf.
-all_plat_keys := platform media networkstack sdk_sandbox shared testkey
-all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_plat_mac_perms_files) $(all_plat_keys)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-all_plat_keys :=
-all_plat_mac_perms_files :=
-all_plat_mac_perms_keys :=
-plat_mac_perms_keys.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_system_ext_mac_perms_keys := $(call build_policy, keys.conf, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_system_ext_mac_perms_files := $(call build_policy, mac_permissions.xml, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
-$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_system_ext_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-system_ext_mac_perms_keys.tmp :=
-all_system_ext_mac_perms_files :=
-all_system_ext_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_product_mac_perms_keys := $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
-$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_product_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-product_mac_perms_keys.tmp :=
-all_product_mac_perms_files :=
-all_product_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-# Build keys.conf
-vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
-$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_vendor_mac_perms_keys)
-$(vendor_mac_perms_keys.tmp): $(all_vendor_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_vendor_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-vendor_mac_perms_keys.tmp :=
-all_vendor_mac_perms_files :=
-all_vendor_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_odm_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
-$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_odm_mac_perms_keys)
-$(odm_mac_perms_keys.tmp): $(all_odm_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_odm_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-odm_mac_perms_keys.tmp :=
-all_odm_mac_perms_files :=
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
new file mode 100644
index 0000000..401f78c
--- /dev/null
+++ b/mac_permissions/Android.bp
@@ -0,0 +1,98 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for mac_permissions.xml files.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+se_build_files {
+ name: "keys.conf",
+ srcs: ["keys.conf"],
+}
+
+se_build_files {
+ name: "mac_permissions.xml",
+ srcs: ["mac_permissions.xml"],
+}
+
+mac_permissions {
+ name: "plat_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.plat_private}",
+ ":keys.conf{.system_ext_private}",
+ ":keys.conf{.product_private}",
+ ],
+ srcs: [":mac_permissions.xml{.plat_private}"],
+}
+
+mac_permissions {
+ name: "system_ext_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.system_ext_private}",
+ ":keys.conf{.reqd_mask}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.system_ext_private}",
+ ":mac_permissions.xml{.reqd_mask}",
+ ],
+ system_ext_specific: true,
+}
+
+mac_permissions {
+ name: "product_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.product_private}",
+ ":keys.conf{.reqd_mask}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.product_private}",
+ ":mac_permissions.xml{.reqd_mask}",
+ ],
+ product_specific: true,
+}
+
+mac_permissions {
+ name: "vendor_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.vendor}",
+ ":keys.conf{.reqd_mask_for_vendor}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.vendor}",
+ ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ],
+ vendor: true,
+}
+
+mac_permissions {
+ name: "odm_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.odm}",
+ ":keys.conf{.reqd_mask_for_vendor}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.odm}",
+ ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ],
+ device_specific: true,
+}
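Review bot: The vendor_mac_permissions.xml module no longer makes visible the build-variant key selection that the replaced Make rule spelled out (`insertkeys -t $(TARGET_BUILD_VARIANT)` together with `DEFAULT_SYSTEM_DEV_CERTIFICATE`), so a reader of this file cannot tell that release builds must not embed dev certificates. If the `mac_permissions` module type does this internally, a one-line comment above the first module, e.g. `// Per-build-variant key selection (release vs. userdebug/eng) is handled by the mac_permissions module type.`, would keep that property of the build visible. If it does not, the module needs a way to carry the variant, since mac_permissions.xml binds signing certificates to seinfo and embedding the wrong key set weakens that binding.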
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 386f11e..26dffe5 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,9 +2,6 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
-# Expose RPC Binder service over vsock
-allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
# Allow using various binder services
binder_use(compos);
allow compos authfs_binder_service:service_manager find;
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d87df40..4c1baf5 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -48,6 +48,7 @@
# /dev/binder can be accessed by ... everyone! :)
allow domain binder_device:chr_file rw_file_perms;
+get_prop(domain, servicemanager_prop)
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
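Review bot: The added `get_prop(domain, servicemanager_prop)` carries no comment explaining why every domain, payloads included, may read this property, and it is wedged between the binder_device rule and the comment that introduces the ioctl allowlist. Given that property_contexts maps `servicemanager.ready` to this type and servicemanager gets set_prop on it, the intent is presumably that any process can wait for servicemanager readiness; a comment such as `# Any domain may read servicemanager.ready to wait for servicemanager to come up.` above the rule, with a blank line before the ioctl comment, would make that explicit.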
@@ -418,11 +419,6 @@
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
neverallow { domain } tombstoned_intercept_socket:sock_file write;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 83eceb0..cd1961f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -123,6 +123,7 @@
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
/system/bin/authfs u:object_r:authfs_exec:s0
/system/bin/authfs_service u:object_r:authfs_service_exec:s0
+/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
new file mode 100644
index 0000000..c0ab735
--- /dev/null
+++ b/microdroid/system/private/kexec.te
@@ -0,0 +1,12 @@
+# kexec loads a crashdump kernel into memory using the kexec_file_load syscall.
+type kexec, domain, coredomain;
+type kexec_exec, exec_type, file_type, system_file_type;
+
+# allow kexec to write into /dev/kmsg for logging
+allow kexec kmsg_device:chr_file w_file_perms;
+
+# kexec is launched by microdroid_manager with fork/execvp.
+allow kexec microdroid_manager:fd use;
+
+# allow kexec to have SYS_BOOT
+allow kexec self:capability sys_boot;
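Review bot: The new kexec domain holds `sys_boot`, the capability that gates kexec_file_load and also reboot, yet nothing pins which domain may enter it: the neverallow in microdroid_payload.te restricts what microdroid_manager transitions to, not who may transition into kexec. A rule in this file such as `neverallow { domain -microdroid_manager } kexec:process transition;` would turn the single intended entry point into a build-time invariant. The file also does not show where the crash kernel image is read from; if that relies on generic coredomain read rules, a comment saying so would spare the next reader a search.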
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 37ffadb..d4ad862 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -33,15 +33,12 @@
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+# Allow microdroid_manager to run kexec to load crashkernel
+domain_auto_trans(microdroid_manager, kexec_exec, kexec)
+
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below rule
-userdebug_or_eng(`
- r_dir_file(microdroid_manager, fuse)
-')
-
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
@@ -82,6 +79,10 @@
# that is different from what is recorded in the instance.img file.
allow microdroid_manager proc_bootconfig:file r_file_perms;
+# microdroid_manager needs to read /proc/cmdline to see if crashkernel= parameter is set
+# or not; if set, it executes kexec to load the crashkernel into memory.
+allow microdroid_manager proc_cmdline:file r_file_perms;
+
# Allow microdroid_manager to read/write failure serial device
allow microdroid_manager serial_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fea0768..fd36b02 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,11 +27,21 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
+neverallow microdroid_manager {
+ domain
+ -crash_dump
+ -microdroid_payload
+ -apkdmverity
+ -zipfuse
+ -kexec
+}:process transition;
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
+
+# Payload can read /proc/meminfo.
+allow microdroid_payload proc_meminfo:file r_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 16b40bc..89609b9 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -156,6 +156,8 @@
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+
# ART properties for CompOS
dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index d51c827..91a8ad2 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -24,6 +24,7 @@
add_service(servicemanager, service_manager_service)
set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 00b5f2b..7d351a9 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
# All types used for processes.
attribute domain;
@@ -123,12 +120,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f85ba76..a04fc19 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -24,6 +24,7 @@
type ctl_stop_prop, property_type;
type ctl_tombstone_transmit_prop, property_type;
type ctl_zipfuse_prop, property_type;
+type servicemanager_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
type dev_mnt_prop, property_type;
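Review bot: The new `type servicemanager_prop, property_type;` is inserted between `ctl_zipfuse_prop` and `debug_prop`, breaking the alphabetical order the surrounding declarations follow. Move it to the `s` section of the list so readers can find it by name and later merges of this list do not conflict.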
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index b21b2dd..b4c49c8 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -5,7 +5,7 @@
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
-type hal_dice_service, vendor_service, service_manager_type;
+type hal_dice_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 29f4f1a..e72693a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -395,10 +395,12 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
+ -system_app
} {
arm64_memtag_prop
}:property_service set;
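Review bot: With `-system_app` added to the exclusion set, the `# shell-only props for ARM memory tagging (MTE).` comment that property_contexts still carries for `arm64.memtag.` (visible as context in the prebuilts/api/33.0 property_contexts hunk below) is no longer accurate and should read `# props for ARM memory tagging (MTE), settable by shell and system apps.` The same point applies to the identical 32.0 property.te hunk below. These are frozen prebuilt copies, and the matching change to the live private/property.te and private/system_app.te is not in view here, so confirm it is part of the same change.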
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 239686e..41fac62 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
diff --git a/prebuilts/api/32.0/private/property.te b/prebuilts/api/32.0/private/property.te
index 587cf5e..77e1a7d 100644
--- a/prebuilts/api/32.0/private/property.te
+++ b/prebuilts/api/32.0/private/property.te
@@ -396,10 +396,12 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
+ -system_app
} {
arm64_memtag_prop
}:property_service set;
diff --git a/prebuilts/api/32.0/private/system_app.te b/prebuilts/api/32.0/private/system_app.te
index 239686e..41fac62 100644
--- a/prebuilts/api/32.0/private/system_app.te
+++ b/prebuilts/api/32.0/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index a07f5ae..c1fc736 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
+ device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/prebuilts/api/33.0/private/composd.te b/prebuilts/api/33.0/private/composd.te
index 5f99a92..d007d66 100644
--- a/prebuilts/api/33.0/private/composd.te
+++ b/prebuilts/api/33.0/private/composd.te
@@ -31,6 +31,7 @@
# Read ART's properties
get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file ~unlink;
diff --git a/prebuilts/api/33.0/private/flags_health_check.te b/prebuilts/api/33.0/private/flags_health_check.te
index 54ecd45..58275ff 100644
--- a/prebuilts/api/33.0/private/flags_health_check.te
+++ b/prebuilts/api/33.0/private/flags_health_check.te
@@ -24,6 +24,7 @@
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 1b2360d..4eda4a1 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -257,6 +257,7 @@
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -728,7 +729,8 @@
# GWP-ASan props. Separate from other libc.debug.* props, because we want users
# to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 0f72c7f..8a7947d 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -752,6 +752,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/prebuilts/api/33.0/private/vehicle_binding_util.te b/prebuilts/api/33.0/private/vehicle_binding_util.te
index 76d0756..f527944 100644
--- a/prebuilts/api/33.0/private/vehicle_binding_util.te
+++ b/prebuilts/api/33.0/private/vehicle_binding_util.te
@@ -8,8 +8,10 @@
# allow writing to kmsg during boot
allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
-# allow reading the binding property from vhal
+# allow reading the binding property from HIDL VHAL.
hwbinder_use(vehicle_binding_util)
+# allow reading the binding property from AIDL VHAL.
+binder_use(vehicle_binding_util)
hal_client_domain(vehicle_binding_util, hal_vehicle)
# allow executing vdc
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 05a7317..8d3e556 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,6 +113,9 @@
sysfs_zram
}:file r_file_perms;
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
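Review bot: The blanket `dontaudit dumpstate sysfs:file r_file_perms;` silences denials on the generic sysfs type, which is precisely the signal that tells policy authors a node dumpstate needs is still unlabeled; the allow rule just above deliberately lists specific `sysfs_*` types instead. If log noise is the motivation, state the convention next to the rule, e.g. `# Generic sysfs reads are expected to be denied; nodes dumpstate must collect get a dedicated sysfs_* label and an explicit allow above.` Narrowing the dontaudit to `{ open read getattr }` would also keep `ioctl` and `map` denials visible.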
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index a235634..42fe979 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -68,6 +68,7 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -274,6 +274,7 @@
# Allow vendor_init to read vendor_system_native device config changes
get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
###
### neverallow rules
diff --git a/private/app.te b/private/app.te
index 269609a..69ec868 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,34 @@
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -sdk_sandbox
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -sdk_sandbox
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
@@ -96,6 +127,70 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+
+#logd access
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+# For app fuse.
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+
+
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
@@ -178,11 +273,7 @@
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
@@ -198,14 +289,6 @@
allow { appdomain -isolated_app } vendor_file:dir { open read };
')
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
-
-# Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox)
-
# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)
@@ -276,37 +359,6 @@
allow appdomain heapdump_data_file:file append;
')
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -sdk_sandbox
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -sdk_sandbox
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
@@ -349,29 +401,6 @@
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
-
# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
@@ -390,20 +419,9 @@
# logd access
read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app -sdk_sandbox })
-# application inherit logd write socket (urge is to deprecate this long term)
+
allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
-
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
@@ -433,13 +451,6 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
-
###
### CTS-specific rules
###
@@ -449,11 +460,6 @@
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
-
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
@@ -481,8 +487,8 @@
isolated_app
nfc
radio
- sdk_sandbox
shared_relro
+ sdk_sandbox
system_app
} {
data_file_type
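Review bot: Moving `sdk_sandbox` after `shared_relro` breaks the alphabetical order of this exception set (`isolated_app nfc radio sdk_sandbox shared_relro system_app`), and the move has no policy effect because set membership is unordered. Keep the sorted order so the reorder does not appear as a diff at all. The enclosing neverallow starts and ends outside the hunk.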
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f716367..1a1ed62 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,7 +123,7 @@
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
-neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
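Review bot: The comment above this rule still says apps can `read/write an already open vsock ... but nothing more than that`, which the added `getopt` now contradicts. Update it to `# Apps can read/write and query socket options of an already open vsock (e.g. created by virtualizationservice) but nothing more than that (e.g. creating a new vsock, setting options, etc.)`. A word on which option the app side needs would also help future reviewers judge later requests to widen this set.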
@@ -255,3 +255,15 @@
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
+
+# Do not allow untrusted app to read hidden system proprerties
+# We exclude older application for compatibility and we do not include in the exclusions other normally
+# untrusted applications such as mediaprovider due to the specific logging use cases.
+# Context: b/193912100
+neverallow {
+ untrusted_app_all
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+} { userdebug_or_eng_prop }:file read;
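Review bot: The new comment has a typo (`proprerties` → `properties`) and its second sentence is hard to parse. Suggested wording, keeping the author's meaning: `# Do not allow untrusted apps to read hidden system properties. Older untrusted_app_* domains are excluded for compatibility; other normally untrusted domains such as mediaprovider are intentionally not excluded because of their specific logging use cases. Context: b/193912100`. Targeting only `file read` is sufficient here, since the `get_prop` macro grants `r_file_perms` and would fail the neverallow at build time for these domains.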
diff --git a/private/artd.te b/private/artd.te
index 4f0db69..dc6855e 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,5 +1,5 @@
-# art service daemon
-type artd, domain, coredomain;
+# ART service daemon.
+typeattribute artd coredomain;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
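Review bot: Replacing `type artd, domain, coredomain;` with `typeattribute artd coredomain;` only works if a `type artd, domain;` declaration now lives in a public artd.te, which is not in view here; if that declaration did not move, the build fails on the typeattribute and, if it moved without the `domain` attribute, artd silently loses it. A pointer in the comment, e.g. `# ART service daemon. The type is declared in public/artd.te.`, would let a reader verify that without searching. The rest of this file is outside the hunk.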
@@ -57,4 +57,23 @@
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
-allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
+# - "chown" is for transferring the ownership of compilation artifacts and
+# profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:file create_file_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
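Review bot: The new `chown` capability is granted together with `dac_override` and `dac_read_search`, and SELinux cannot scope it to "compilation artifacts and profile files" as the comment suggests; the restriction to those paths is enforced only by artd's own code. It would be worth saying so explicitly so the limit is not mistaken for a policy guarantee, e.g. `# NOTE: policy cannot scope chown to particular paths; artd must validate the target before transferring ownership.` The `neverallow artd ~{art_exec_exec}:file execute_no_trans;` guard is a good complement to the new `domain_auto_trans` lines, and pairs with the `:fd use` rules added for profman and dex2oat elsewhere in this diff.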
diff --git a/private/audioserver.te b/private/audioserver.te
index ca29373..7a5e8bc 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,6 +43,7 @@
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
+allow audioserver audio_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 0fb0a1c..5dba020 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1577,7 +1577,8 @@
(typeattributeset proc_29_0
( proc
proc_kpageflags
- proc_lowmemorykiller))
+ proc_lowmemorykiller
+ proc_watermark_scale_factor))
(typeattributeset proc_abi_29_0 (proc_abi))
(typeattributeset proc_asound_29_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9f40876..44044fb 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1820,7 +1820,8 @@
(typeattributeset privapp_data_file_30_0 (privapp_data_file))
(typeattributeset proc_30_0
( proc
- proc_bootconfig))
+ proc_bootconfig
+ proc_watermark_scale_factor))
(typeattributeset proc_abi_30_0 (proc_abi))
(typeattributeset proc_asound_30_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index ba6944e..0e90912 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1974,6 +1974,7 @@
( proc
proc_bpf
proc_cpu_alignment
+ proc_watermark_scale_factor
))
(typeattributeset proc_abi_31_0 (proc_abi))
(typeattributeset proc_asound_31_0 (proc_asound))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 22381b5..a5a3475 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,6 +9,7 @@
artd_service
attestation_verification_service
camera2_extensions_prop
+ communal_service
device_config_nnapi_native_prop
dice_maintenance_service
dice_node_service
@@ -38,7 +39,6 @@
tare_service
transformer_service
proc_watermark_boost_factor
- proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
sdk_sandbox_service
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index a99b628..3672436 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -1972,7 +1972,10 @@
(typeattributeset print_service_32_0 (print_service))
(typeattributeset priv_app_32_0 (priv_app))
(typeattributeset privapp_data_file_32_0 (privapp_data_file))
-(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc))
+(typeattributeset proc_32_0 (proc_bpf))
+(typeattributeset proc_32_0 (proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc_watermark_scale_factor))
(typeattributeset proc_abi_32_0 (proc_abi))
(typeattributeset proc_asound_32_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_32_0 (proc_bluetooth_writable))
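Review bot: Style: this hunk splits `proc_32_0` into four separate `typeattributeset` statements, whereas the 29.0/30.0/31.0 mappings in the same diff keep one statement with a multi-line type list. CIL unions repeated `typeattributeset` statements for the same attribute, so the result should be equivalent, but a single `(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment proc_watermark_scale_factor))` would match the other compat files and make future additions a one-line change. If the split form is intentional (for example to ease automated edits), a `;` comment would help.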
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 805ca7c..50e3be7 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
+ device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
@@ -59,7 +60,6 @@
nearby_service
persist_wm_debug_prop
proc_watermark_boost_factor
- proc_watermark_scale_factor
remotelyprovisionedkeypool_service
resources_manager_service
rootdisk_sysdev
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index d71298a..163a300 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -10,9 +10,13 @@
(type iorapd_exec)
(type iorapd_service)
(type iorapd_tmpfs)
+(type lowpan_service)
(type timezone_service)
(type tzdatacheck)
(type tzdatacheck_exec)
+(type wpantund)
+(type wpantund_exec)
+(type wpantund_service)
(type zoneinfo_data_file)
(expandtypeattribute (DockObserver_service_33_0) true)
@@ -1455,6 +1459,7 @@
(typeattributeset build_config_prop_33_0 (build_config_prop))
(typeattributeset build_odm_prop_33_0 (build_odm_prop))
(typeattributeset build_prop_33_0 (build_prop))
+(typeattributeset build_prop_33_0 (userdebug_or_eng_prop))
(typeattributeset build_vendor_prop_33_0 (build_vendor_prop))
(typeattributeset cache_backup_file_33_0 (cache_backup_file))
(typeattributeset cache_block_device_33_0 (cache_block_device))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 305116c..15f7c4a 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,11 +5,17 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ artd
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
hal_bootctl_service
+ hal_tv_input_service
+ keystore_config_prop
permissive_mte_prop
+ servicemanager_prop
system_net_netd_service
+ tuner_config_prop
+ tuner_server_ctl_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
))
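Review bot: The `new_objects` list gains six entries here, but two other objects introduced elsewhere in this diff do not appear in the hunk: `device_config_vendor_system_native_boot_prop` (new label in property_contexts, added to 32.0.ignore.cil but not visibly to this file) and `communal_service` (new type in service.te, added only to 31.0.ignore.cil). Unless they already appear elsewhere in this file or were added by a prior change, the 33.0 compat check will flag them as unmapped. Please confirm the two names are present in the final file.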
diff --git a/private/coredomain.te b/private/coredomain.te
index de8daaa..c041ca3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -78,6 +78,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
+ -profman
-rs # spawned by appdomain, so carryover the exception above
userdebug_or_eng(`-simpleperf_boot')
-system_server
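Review bot: `-profman` is added to the exclusion list without an inline reason, while the neighbouring `-rs` entry explains why it is exempt; the enclosing neverallow starts outside this hunk, so the reader cannot see from the hunk what is being exempted. A short justification in the same style would help, e.g. `-profman # runs from artd/installd on passed FDs, see profman.te`, assuming (as the profman.te hunk in this diff suggests) the exemption is about the APK/profile files profman reads.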
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 82ca403..31f0128 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -20,7 +20,6 @@
-vold
}:process { ptrace signal sigchld sigstop sigkill };
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
allow crash_dump {
apexd
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f..2ce2459 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -15,7 +15,6 @@
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
@@ -38,12 +37,8 @@
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
@@ -61,6 +56,9 @@
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/domain.te b/private/domain.te
index 81e781e..c585613 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -612,7 +612,7 @@
# respect system_app sandboxes
neverallow {
domain
- -appdomain # finer-grained rules for appdomain are listed below
+ -appdomain
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
@@ -621,8 +621,8 @@
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
ephemeral_app
priv_app
sdk_sandbox
+ untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/file.te b/private/file.te
index c4ee2aa..3f5531f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -115,3 +115,8 @@
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
# property labeled.
type sepolicy_test_file, file_type;
+
+# /apex/com.android.art/bin/art_exec
+# This executable does not have its own domain because it is executed in the caller's domain. For
+# example, it is executed in the `artd` domain when artd calls it.
+type art_exec_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index de2c898..fedea70 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -333,7 +333,6 @@
/system/bin/profcollectd u:object_r:profcollectd_exec:s0
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index cef7bde..64b595d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -24,6 +24,7 @@
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index e2d16cc..8795798 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -6,8 +6,6 @@
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
@@ -60,6 +58,8 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app sysfs_net:file r_file_perms;
+dontaudit gmscore_app sysfs_net:dir r_dir_perms;
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
@@ -148,3 +148,24 @@
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow gmscore_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow gmscore_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
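Review bot: The socket-class list in this neverallow (L2099–L2111) is duplicated verbatim in the priv_app.te hunk of this diff (the block ending `} *;` after the sysfs_net neverallow), along with the same `neverallowxperm ... priv_sock_ioctls` and `netlink_route_socket netlink_selinux_socket` lines. Two hand-maintained copies of a ~45-entry list will drift the next time a socket class is added; consider a single macro (or an attribute shared by gmscore_app and priv_app) so both domains are restricted from one definition. If app_neverallows.te already carries the same list for untrusted apps, reusing that would be best.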
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 246f936..36d2938 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,11 +41,14 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(heapprofd, apex_art_data_file)
+allow heapprofd apex_module_data_file:dir { getattr search };
+
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/keys.conf b/private/keys.conf
index 30739f9..18c1a8c 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -14,6 +14,9 @@
[@SDK_SANDBOX]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
+[@BLUETOOTH]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/bluetooth.x509.pem
+
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
diff --git a/private/keystore.te b/private/keystore.te
index 78c0198..8e681b1 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,6 +26,7 @@
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
+# Allow keystore to listen to changing boot levels
get_prop(keystore, keystore_listen_prop)
# Keystore needs to transfer binder references to vold so that it
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index ec3df0f..c9a9aca 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -56,6 +56,11 @@
<seinfo value="sdk_sandbox" />
</signer>
+ <!-- Bluetooth key in AOSP -->
+ <signer signature="@BLUETOOTH" >
+ <seinfo value="bluetooth" />
+ </signer>
+
<!-- Media key in AOSP -->
<signer signature="@MEDIA" >
<seinfo value="media" />
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 413d2e5..bfb264e 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -17,6 +17,9 @@
allow mediatuner package_native_service:service_manager find;
binder_call(mediatuner, system_server)
+# Read ro.tuner.lazyhal
+get_prop(mediatuner, tuner_config_prop)
+
###
### neverallow rules
###
diff --git a/private/net.te b/private/net.te
index c2bac03..07e4271 100644
--- a/private/net.te
+++ b/private/net.te
@@ -16,3 +16,4 @@
-sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
+
diff --git a/private/priv_app.te b/private/priv_app.te
index c7d6ab1..9d7a0f6 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -107,16 +107,11 @@
}:file r_file_perms;
allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)
r_dir_file(priv_app, rootfs)
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -270,5 +265,26 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
-# Allow reporting off body events to keystore.
+# Do not allow getting permission-protected network information from sysfs.
+neverallow priv_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow priv_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
+
+# Allow priv apps to report off body events to keystore2.
allow priv_app keystore:keystore2 report_off_body;
diff --git a/private/profman.te b/private/profman.te
index f61d05e..390f83e 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1 +1,12 @@
typeattribute profman coredomain;
+
+# Allow profman to read APKs and profile files next to them by FDs passed from
+# other programs. In addition, allow profman to acquire flocks on those files.
+allow profman {
+ system_file
+ apk_data_file
+ vendor_app_file
+}:file { getattr read map lock };
+
+# Allow profman to use file descriptors passed from privileged programs.
+allow profman { artd installd }:fd use;
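Review bot: The file rule deliberately omits `open`, which is what makes the access FD-only, but the comment says "by FDs passed from other programs" without stating that `open` is the missing piece. Making that explicit prevents a later "fix" that adds `open` and silently turns this into direct read access to APKs, e.g. `# No "open" here on purpose: profman only reads these files via FDs passed from artd/installd.` The `{ artd installd }:fd use` rule below matches the `domain_auto_trans(artd, profman_exec, profman)` added in artd.te.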
diff --git a/private/property.te b/private/property.te
index ba5f4ec..90db686 100644
--- a/private/property.te
+++ b/private/property.te
@@ -38,6 +38,7 @@
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
diff --git a/private/property_contexts b/private/property_contexts
index fdb8d36..b2586f9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -220,6 +220,9 @@
# heapprofd properties
heapprofd. u:object_r:heapprofd_prop:s0
+# servicemanager properties
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
@@ -259,6 +262,7 @@
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
@@ -497,6 +501,7 @@
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -538,6 +543,22 @@
bluetooth.core.classic.inq_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.classic.inq_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.classic.page_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.sniff_max_intervals u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_min_intervals u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_attempts u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_timeouts u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.core.le.min_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_latency u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.direct_connection_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_2m_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_coded_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_slow u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_slow u:object_r:bluetooth_config_prop:s0 exact uint
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -677,6 +698,7 @@
sys.usb.config. u:object_r:usb_prop:s0
sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
+sys.usb.ffs.io_uring_enabled u:object_r:ffs_config_prop:s0 exact bool
sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
@@ -773,6 +795,7 @@
ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
ro.boot.console u:object_r:bootloader_prop:s0 exact string
+ro.boot.ddr_size u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
@@ -829,7 +852,7 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.force.debuggable u:object_r:build_prop:s0 exact bool
ro.treble.enabled u:object_r:build_prop:s0 exact bool
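Review bot: Relabelling `ro.debuggable` from `build_prop` to `userdebug_or_eng_prop` (and `ro.secure` in the following hunk) changes which domains can read these values: any domain that relied on `get_prop(..., build_prop)` now needs a grant on the new label, which is presumably handled in public policy outside this diff but should be confirmed. Note also that the 33.0.cil hunk maps `userdebug_or_eng_prop` into `build_prop_33_0`, so vendor policy built against 33.0 keeps its previous read access; the new restriction therefore only bites through the `neverallow` on `untrusted_app_all` in app_neverallows.te. A comment next to the two relabelled lines pointing at that neverallow and its bug id would make the intent discoverable from property_contexts.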
@@ -857,7 +880,7 @@
ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure u:object_r:build_prop:s0 exact int
+ro.secure u:object_r:userdebug_or_eng_prop:s0 exact int
ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
ro.product.system_ext.device u:object_r:build_prop:s0 exact string
@@ -1200,6 +1223,7 @@
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1298,6 +1322,9 @@
# Property that tracks keystore crash counts during a boot cycle.
keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+# Configure the means by which we protect the L0 key from the future
+ro.keystore.boot_level_key.strategy u:object_r:keystore_config_prop:s0 exact string
+
partition.system.verified u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
partition.product.verified u:object_r:verity_status_prop:s0 exact string
@@ -1397,3 +1424,7 @@
vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+
+# properties for tuner
+ro.tuner.lazyhal u:object_r:tuner_config_prop:s0 exact bool
+tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -12,10 +12,6 @@
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox activity_service:service_manager find;
allow sdk_sandbox activity_task_service:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 78a98e1..b26d977 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -144,7 +144,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
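Review bot: Changing the bluetooth entry from `seinfo=platform` to `seinfo=bluetooth` ties the `bluetooth` domain to the new `@BLUETOOTH` signer introduced in keys.conf and mac_permissions.xml in this diff; on a build where the Bluetooth app is still signed with the platform key, no seapp_contexts line matches `user=bluetooth seinfo=platform` any more, so the process would not get a label (and I believe would fail to start). That dependency is not stated anywhere in the three files; a comment such as `# Bluetooth must be signed with the key mapped to @BLUETOOTH in keys.conf / mac_permissions.xml` above this line would save a confusing boot failure for downstream builds.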
@@ -176,3 +176,4 @@
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
+
diff --git a/private/service.te b/private/service.te
index cd2cec6..1f407a6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,7 @@
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
+type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 8aa7497..1504bac 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,5 +1,6 @@
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
@@ -60,6 +61,7 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
@@ -137,6 +139,7 @@
cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
+communal u:object_r:communal_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
@@ -176,7 +179,6 @@
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
-lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
file_integrity u:object_r:file_integrity_service:s0
@@ -300,7 +302,6 @@
safety_center u:object_r:safety_center_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
-sdk_sandbox u:object_r:sdk_sandbox_service:s0
search u:object_r:search_service:s0
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
@@ -330,6 +331,7 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
+sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 56a41e1..95a9496 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -5,6 +5,7 @@
read_runtime_log_tags(servicemanager)
set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
diff --git a/private/system_server.te b/private/system_server.te
index 9ccd22d..aa674d0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -300,7 +300,6 @@
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
binder_service(system_server)
# Use HALs
@@ -604,12 +603,9 @@
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
+# Manage /data/tombstones.
+allow system_server tombstone_data_file:dir rw_dir_perms;
+allow system_server tombstone_data_file:file create_file_perms;
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
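Review bot: The tombstone rules are broadened from read plus `write` (for truncation) to `rw_dir_perms` and `create_file_perms`, which newly lets system_server create, unlink and rename files in /data/tombstones, but the replacement comment `# Manage /data/tombstones.` gives no reason for the extra permissions. Since tombstoned is the writer of that directory, the use case that requires system_server to create or delete tombstones should be named in the comment (with a bug id if one exists) so the wider grant can be re-evaluated later. If only truncation and reading are needed, keeping the previous narrower rules would be preferable.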
@@ -753,6 +749,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
@@ -822,6 +819,11 @@
# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)
+# Read ro.tuner.lazyhal
+get_prop(system_server, tuner_config_prop)
+# Write tuner.server.enable
+set_prop(system_server, tuner_server_ctl_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -1293,6 +1295,13 @@
device_config_window_manager_native_boot_prop
}:property_service set;
+# Only allow system_server and init to set tuner_server_ctl_prop
+neverallow {
+ domain
+ -system_server
+ -init
+} tuner_server_ctl_prop:property_service set;
+
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 96a7263..811bf48 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,10 +28,12 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(traced_perf, apex_art_data_file)
+allow traced_perf apex_module_data_file:dir { getattr search };
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 204ea08..5cc271c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -83,6 +83,7 @@
proc_meminfo
proc_vmstat
proc_stat
+ proc_buddyinfo
}:file r_file_perms;
# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7e..51cb514 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,3 +52,7 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+
+# Allow hidden build props
+get_prop(untrusted_app_25, userdebug_or_eng_prop)
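Review bot: The comment `# Allow hidden build props` does not say why this legacy domain is re-granted a property that the domain.te hunk in this diff withholds from untrusted_app_all, and the same bare wording is repeated for untrusted_app_27, _29 and _30. Make the compatibility intent explicit, e.g. `# Legacy targetSdk carve-out: domain.te denies userdebug_or_eng_prop to untrusted_app_all; apps at this targetSdk level keep read access for compatibility. Do not copy this into newer untrusted_app_N domains.`, so the restriction reads as targetSdk-gated rather than as a rule to propagate. If a bug or CTS test tracks the cutoff, citing it here would help too.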
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1..0dde760 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_27, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 6bb2606..0360184 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,3 +18,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_29, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index e0a71ef..6893aca 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,3 +20,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_30, userdebug_or_eng_prop)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c369a90..9ae5308 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -82,3 +82,9 @@
-init
-virtualizationservice
} virtualizationservice_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_data_file:file { open create };
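Review bot: The new neverallow has no comment, and it is only meaningful together with the te_macros change in this diff that hands VM clients `{ getattr read }` but not `open` on virtualizationservice_data_file. A comment such as `# Crashdumps in virtualizationservice_data_file are handed to clients as already-open fds; no other domain may open or create these files itself.` would record that design so the two rules are not relaxed independently. It is also worth stating that the intent is to block fd acquisition rather than all mutation, since `open create` deliberately leaves rename, unlink and setattr to ordinary allow rules.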
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index dcd5a9e..ddb2828 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -43,8 +43,8 @@
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
- sdk_sandbox_data_file
storaged_data_file
+ sdk_sandbox_data_file
system_data_file
vold_data_file
}:file { getattr unlink };
diff --git a/private/wpantund.te b/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/private/zygote.te b/private/zygote.te
index baffcc4..0df84db 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -240,6 +240,10 @@
# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)
+# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
+# preloaded classes
+get_prop(zygote, persist_wm_debug_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
diff --git a/public/artd.te b/public/artd.te
new file mode 100644
index 0000000..0731adc
--- /dev/null
+++ b/public/artd.te
@@ -0,0 +1,2 @@
+# ART service daemon.
+type artd, domain;
diff --git a/public/attributes b/public/attributes
index 742264a..aeed208 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;
@@ -74,9 +71,6 @@
# All types used for sysfs files.
attribute sysfs_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute sysfs_block_type;
-
# All types use for debugfs files.
attribute debugfs_type;
@@ -173,12 +167,6 @@
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index c0c6699..11a14c5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,7 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -129,6 +130,7 @@
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
+get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
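Review bot: The set expression `{domain - untrusted_app_all }` puts a space between `-` and the excluded type, which differs from every other set in this file (compare `{ domain -hwservicemanager -vndservicemanager }` in the hunk above); write it as `get_prop({ domain -untrusted_app_all }, userdebug_or_eng_prop)`. A short comment explaining why the newest untrusted_app domain is excluded while the legacy untrusted_app_N domains re-grant the property in their own .te files in this diff would save readers a search.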
@@ -576,6 +578,7 @@
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
@@ -639,22 +642,6 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
- # vendor services cant add system services
- neverallow {
- domain
- -coredomain
- } {
- service_manager_type
- -vendor_service
- }:service_manager add;
-')
-
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
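Review bot: Dropping these two neverallows removes the only visible rule that stopped a vendor domain (`domain -coredomain`) from registering a non-vendor service name with servicemanager, plus the coredomain-to-vendor_service rule in the other direction, without a replacement keyed on the surviving hal_service_type attribute. If an equivalent rule exists elsewhere (for instance a neverallow on `service_manager_type -hal_service_type` add in a file outside this diff), the commit message should reference it; if not, a vendor process could register under a framework service name, which is the impersonation the removed rule prevented. The service.te hunk in this diff strips vendor_service from every HAL service type, so any replacement cannot reuse that attribute.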
@@ -667,7 +654,6 @@
service_manager_type
-app_api_service
- -vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
-hal_service_type # see app_neverallows.te
@@ -1232,11 +1218,12 @@
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
+# it from installd and artd forked processes.
neverallow {
domain
-installd
-profman
+ -artd
} profman_exec:file no_x_file_perms;
# Enforce restrictions on kernel module origin.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 84c12d9..a2d2417 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -147,22 +147,28 @@
binder_call(dumpstate, { appdomain netd wificond })
# Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_authsecret)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_input_processor)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_nfc)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
-dump_hal(hal_contexthub)
-dump_hal(hal_drm)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_thermal)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -348,31 +354,6 @@
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 72fa308..43d0a7c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -26,6 +26,12 @@
allow hal_drm cgroup_v2:dir { search write };
allow hal_drm cgroup_v2:file w_file_perms;
+# Allow dumpsys Widevine without root
+userdebug_or_eng(`
+ allow hal_drm_server shell:fd use;
+ allow hal_drm_server shell:fifo_file write;
+')
+
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index aee283a..193b05a 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -13,3 +13,6 @@
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
allow hal_dumpstate proc_interrupts:file r_file_perms;
+
+# Log fsck results
+r_dir_file(hal_dumpstate, fscklogs)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5a5bdda..b345189 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -3,3 +3,7 @@
binder_call(hal_tv_input_server, hal_tv_input_client)
hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
+hal_attribute_service(hal_tv_input, hal_tv_input_service)
+
+binder_call(hal_tv_input_server, servicemanager)
+binder_call(hal_tv_input_client, servicemanager)
diff --git a/public/kernel.te b/public/kernel.te
index 09d2480..b01c07a 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,10 +95,10 @@
staging_data_file
vendor_apex_file
}:file read;
-# Also allow the kernel to read /data/local/tmp files via loop device
-# for ApexTestCases
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
userdebug_or_eng(`
- allow kernel shell_data_file:file read;
+ allow kernel shell_data_file:file { read write };
')
# Allow the first-stage init (which is running in the kernel domain) to execute the
diff --git a/public/keystore.te b/public/keystore.te
index e1c58a4..8ac503e 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -48,3 +48,6 @@
# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
get_prop(keystore, vendor_security_patch_level_prop);
+
+# Allow keystore to read its vendor configuration
+get_prop(keystore, keystore_config_prop)
diff --git a/public/profman.te b/public/profman.te
index c014d79..727daee 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,8 +14,6 @@
allow profman tmpfs:file { read map };
allow profman profman_dump_data_file:file { write map };
-allow profman installd:fd use;
-
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
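Review bot: `allow profman installd:fd use` is removed here while the domain.te hunk in this diff still expects profman to be forked from installd (and now artd); if the fd-use grant was not moved into private policy in a file outside this diff, profman will be denied using the profile and dex fds it inherits from installd. If it was moved, a comment here such as `# fd use from installd/artd is granted in private/profman.te` would spare the next reader the question. The surrounding profman rules continue outside the hunk.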
diff --git a/public/property.te b/public/property.te
index 9b538cf..1688b54 100644
--- a/public/property.te
+++ b/public/property.te
@@ -68,9 +68,11 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
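Review bot: `system_restricted_prop(userdebug_or_eng_prop)` is inserted between hal_instrumentation_prop and hypervisor_prop, breaking the alphabetical order this list otherwise keeps, which is what makes duplicate declarations and merge conflicts easy to spot; move it to its alphabetical position further down. The `system_vendor_config_prop(tuner_config_prop)` line appended after dck_prop in a later hunk of this file has the same problem.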
@@ -82,6 +84,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(sqlite_log_prop)
@@ -148,6 +151,7 @@
system_vendor_config_prop(hw_timeout_multiplier_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(keystore_config_prop)
system_vendor_config_prop(lmkd_config_prop)
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
@@ -178,6 +182,7 @@
system_vendor_config_prop(zram_config_prop)
system_vendor_config_prop(zygote_config_prop)
system_vendor_config_prop(dck_prop)
+system_vendor_config_prop(tuner_config_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/service.te b/public/service.te
index cba419e..4bd5e65 100644
--- a/public/service.te
+++ b/public/service.te
@@ -122,7 +122,6 @@
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, app_api_service, system_server_service, service_manager_type;
@@ -199,7 +198,6 @@
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
-type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
@@ -214,6 +212,7 @@
type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
@@ -258,7 +257,6 @@
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
@@ -266,50 +264,51 @@
### HAL Services
###
-type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_bootctl_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
-type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
-type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
-type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_audio_service, protected_service, hal_service_type, service_manager_type;
+type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
+type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
+type hal_dice_service, protected_service, hal_service_type, service_manager_type;
+type hal_drm_service, hal_service_type, service_manager_type;
+type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
+type hal_evs_service, protected_service, hal_service_type, service_manager_type;
+type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
+type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_allocator_service, hal_service_type, service_manager_type;
+type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+type hal_identity_service, protected_service, hal_service_type, service_manager_type;
+type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
+type hal_ir_service, protected_service, hal_service_type, service_manager_type;
+type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
+type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
+type hal_neuralnetworks_service, hal_service_type, service_manager_type;
+type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
+type hal_oemlock_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
+type hal_radio_service, protected_service, hal_service_type, service_manager_type;
+type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
+type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_service, protected_service, hal_service_type, service_manager_type;
+type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
+type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
+type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
+type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
+type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
###
### Neverallow rules
diff --git a/public/te_macros b/public/te_macros
index 58d04b4..551f4f3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -199,9 +199,11 @@
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr read write };
+allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
+# Allow client to read (but not open) the crashdump provided by virtualizationservice
+allow $1 virtualizationservice_data_file:file { getattr read };
')
#####################################
@@ -758,7 +760,6 @@
-$1_server
# some services are allowed to find all services
-atrace
- -dumpstate
-shell
-system_app
-traceur_app
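Review bot: Removing `-dumpstate` from this exclusion list means dumpstate is no longer exempt from the neverallow this macro emits and can only find HAL services it has an explicit dump_hal() for; the enclosing macro definition starts outside this hunk, so the exact rule being tightened is not visible here. The dumpstate.te hunk in this diff lists the HALs that keep access, but HALs with a service type in service.te and no dump_hal entry (hal_audio, hal_camera, hal_sensors, hal_health, hal_usb, among others) will now be denied `find` if dumpstate relied on the blanket exemption for them. A comment in dumpstate.te such as `# dumpstate has no blanket find exemption; add dump_hal(<hal>) for each HAL whose dump() belongs in a bugreport.` would make the new model explicit; the tightening is welcome, but bugreport contents should be confirmed not to have silently shrunk.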
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7302d4..c8ddfb9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -253,6 +253,7 @@
set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, keystore_config_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
@@ -274,6 +275,7 @@
# Allow vendor_init to read vendor_system_native device config changes
get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
###
### neverallow rules
diff --git a/public/wpantund.te b/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;
diff --git a/tests/Android.bp b/tests/Android.bp
index 8ca952d..e271346 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -43,6 +43,11 @@
srcs: [
"treble_sepolicy_tests.py",
],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
libs: [
"mini_cil_parser",
"pysepolwrap",
@@ -55,6 +60,11 @@
srcs: [
"sepolicy_tests.py",
],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
libs: ["pysepolwrap"],
data: [":libsepolwrap"],
}
diff --git a/tests/policy.py b/tests/policy.py
index 60c6962..910dd3d 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -222,11 +222,15 @@
scontext = set()
for sctx in kwargs['scontext']:
scontext |= self.ResolveTypeAttribute(sctx)
+ if (len(scontext) == 0):
+ return []
kwargs['scontext'] = scontext
if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
tcontext = set()
for tctx in kwargs['tcontext']:
tcontext |= self.ResolveTypeAttribute(tctx)
+ if (len(tcontext) == 0):
+ return []
kwargs['tcontext'] = tcontext
for Rule in self.__Rules:
if self.__TERuleMatch(Rule, **kwargs):
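Review bot: Returning `[]` when a scontext or tcontext name resolves to nothing makes a misspelled or removed type in a test silently match no rules, so a test asserting "no domain may do X" passes vacuously; previously the empty set was passed through, and how __TERuleMatch treated it is not visible here. Since this is a policy test harness, an unresolvable name is far more likely a bug in the test than a legitimate empty result, so consider `raise ValueError("unknown type or attribute: %s" % sctx)` (or at least a warning on stderr) instead of the bare early return, or add a comment stating that unknown names deliberately match nothing. ResolveTypeAttribute is defined outside this hunk, so whether it already distinguishes "unknown name" from "attribute with no members" should be checked before choosing.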
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index e940681..63144dd 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -15,9 +15,12 @@
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
+import pkgutil
import policy
import re
+import shutil
import sys
+import tempfile
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
@@ -146,7 +149,11 @@
"TestDmaHeapDevTypeViolations",
]
-if __name__ == '__main__':
+def do_main(libpath):
+ """
+ Args:
+ libpath: string, path to libsepolwrap.so
+ """
usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
@@ -158,11 +165,6 @@
(options, args) = parser.parse_args()
- libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + SHARED_LIB_EXTENSION)
- if not os.path.exists(libpath):
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -207,3 +209,17 @@
if len(results) > 0:
sys.exit(results)
+
+if __name__ == '__main__':
+ temp_dir = tempfile.mkdtemp()
+ try:
+ libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+ libpath = os.path.join(temp_dir, libname)
+ with open(libpath, "wb") as f:
+ blob = pkgutil.get_data("sepolicy_tests", libname)
+ if not blob:
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+ f.write(blob)
+ do_main(libpath)
+ finally:
+ shutil.rmtree(temp_dir)
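Review bot: The library is written to a directory from tempfile.mkdtemp(), i.e. under TMPDIR, and presumably loaded from there by policy via libpath; on hosts whose temp filesystem is mounted noexec that load fails with an error that does not point at the cause, so a comment such as `# libsepolwrap is extracted under TMPDIR, which must permit executable mappings` and an error message that names the extraction directory would help. pkgutil.get_data("sepolicy_tests", …) also appears to import this script a second time under its module name while it is already running as __main__, which is harmless only as long as the module body stays free of side effects; that deserves a comment next to the call. The same block is added to treble_sepolicy_tests.py (the hunk ending at `shutil.rmtree(temp_dir)` there) and the same notes apply.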
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 64a9e95..b49f138 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,10 +16,13 @@
from optparse import Option, OptionValueError
import os
import mini_parser
+import pkgutil
import policy
from policy import MatchPathPrefix
import re
+import shutil
import sys
+import tempfile
DEBUG=False
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
@@ -341,7 +344,13 @@
"TrebleCompatMapping": TestTrebleCompatMapping,
"ViolatorAttributes": TestViolatorAttributes}
-if __name__ == '__main__':
+def do_main(libpath):
+ """
+ Args:
+ libpath: string, path to libsepolwrap.so
+ """
+ global pol, FakeTreble
+
usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
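Review bot: `global pol, FakeTreble` makes do_main assign module-level state that is presumably read by the test functions defined elsewhere in the file, which is what lifting the body out of `__main__` required but leaves the coupling implicit; a comment naming the readers, e.g. `# pol and FakeTreble are module globals read by the Test* functions below`, or passing them explicitly, would make the contract visible. do_main's body continues outside the hunk.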
@@ -374,11 +383,6 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + SHARED_LIB_EXTENSION)
- if not os.path.exists(libpath):
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -428,3 +432,17 @@
if len(results) > 0:
sys.exit(results)
+
+if __name__ == '__main__':
+ temp_dir = tempfile.mkdtemp()
+ try:
+ libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+ libpath = os.path.join(temp_dir, libname)
+ with open(libpath, "wb") as f:
+ blob = pkgutil.get_data("treble_sepolicy_tests", libname)
+ if not blob:
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+ f.write(blob)
+ do_main(libpath)
+ finally:
+ shutil.rmtree(temp_dir)
diff --git a/tools/seamendc.c b/tools/seamendc.c
index 2e49c1b..cd79c76 100644
--- a/tools/seamendc.c
+++ b/tools/seamendc.c
@@ -9,6 +9,7 @@
#include <cil/cil.h>
#include <cil/android.h>
#include <sepol/policydb.h>
+#include "sepol/handle.h"
void usage(const char *prog)
{
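Review bot: `#include "sepol/handle.h"` uses the quoted form while the neighbouring libsepol headers use angle brackets (`<sepol/policydb.h>`); write it as `#include <sepol/handle.h>` so it is resolved on the system include path like the others rather than relative to this file first.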
@@ -26,10 +27,17 @@
/*
* Read binary policy file from path into the allocated pdb.
+ *
+ * We first read the binary policy into memory, and then we parse it to a
+ * policydb object using sepol_policydb_from_image. This combination is slightly
+ * faster than using sepol_policydb_read that reads the binary file in small
+ * chunks at a time.
*/
static int read_binary_policy(char *path, sepol_policydb_t *pdb)
{
int rc = SEPOL_OK;
+ char *buff = NULL;
+ sepol_handle_t *handle = NULL;
FILE *file = fopen(path, "r");
if (!file) {
@@ -44,24 +52,38 @@
fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
goto exit;
}
- if (!binarydata.st_size) {
+
+ uint32_t file_size = binarydata.st_size;
+ if (!file_size) {
fprintf(stderr, "Binary policy file is empty.\n");
rc = SEPOL_ERR;
goto exit;
}
- struct sepol_policy_file *pf = NULL;
- rc = sepol_policy_file_create(&pf);
- if (rc != 0) {
- fprintf(stderr, "Failed to create policy file: %d.\n", rc);
+ buff = malloc(file_size);
+ if (buff == NULL) {
+ perror("malloc failed");
+ rc = SEPOL_ERR;
goto exit;
}
- sepol_policy_file_set_fp(pf, file);
- rc = sepol_policydb_read(pdb, pf);
+ rc = fread(buff, file_size, 1, file);
+ if (rc != 1) {
+ fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ handle = sepol_handle_create();
+ if (!handle) {
+ perror("Could not create policy handle");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ rc = sepol_policydb_from_image(handle, buff, file_size, pdb);
if (rc != 0) {
fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
- goto exit;
}
exit:
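Review bot: `uint32_t file_size = binarydata.st_size;` silently truncates an off_t, so a policy file larger than 4 GiB would get a buffer of the truncated size, the fread of that size would succeed, and sepol_policydb_from_image would be handed a truncated image instead of the call failing up front; use `size_t file_size = (size_t)binarydata.st_size;` after a range check such as `if (binarydata.st_size <= 0 || (uintmax_t)binarydata.st_size > SIZE_MAX)`. Separately, when fread returns 0 because of a short read rather than an I/O error, errno is typically unchanged, so `strerror(errno)` in the new failure message may print a stale error; distinguish `ferror(file)` from `feof(file)` when wording it. The hunk ends inside read_binary_policy.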
@@ -69,6 +91,10 @@
perror("Failure closing binary file");
rc = SEPOL_ERR;
}
+ if(handle != NULL) {
+ sepol_handle_destroy(handle);
+ }
+ free(buff);
return rc;
}
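Review bot: `if(handle != NULL) {` departs from the `if (` spacing used on every other conditional in read_binary_policy; match the surrounding style. If libsepol's sepol_handle_destroy is a plain free of its argument, as upstream's is, the NULL guard can go and the call can sit next to `free(buff);`.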
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3646d4b..24f0d51 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.effect\.service-aidl\.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
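Review bot: The fix escapes the dot in `audio\.service-aidl\.example`, but the context line `audiocontrol-service.example` in the same hunk still carries an unescaped `.`, so that pattern matches any single character there; the impact is small (one wildcard character in an otherwise fixed path under /vendor/bin/hw) but it is the same class of mistake, and `audiocontrol-service\.example` would close it while the file is being touched.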
@@ -91,8 +92,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)? u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index 639c7bd..e11d4dd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -8,3 +8,6 @@
# Access to /dev/dma_heap/system
allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow servicemanager to notify hal_tv_tuner_default clients status
+binder_use(hal_tv_tuner_default)
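Review bot: The comment `# Allow servicemanager to notify hal_tv_tuner_default clients status` understates what `binder_use` grants: it enables general binder IPC for the domain (talking to servicemanager and transferring binder objects), of which the client-status callback is only the motivating use. Suggest `# Allow binder IPC with servicemanager; needed so it can notify hal_tv_tuner_default of client status changes` so the next reader does not assume the grant is narrower than it is. If the domain is already a hal_server_domain that carries binder_use through its attribute, this line may be redundant and that would be worth confirming against the type declaration, which is outside the hunk.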