Merge "Sepolicy for IRadio modules" am: 0185fc6e12 am: 703e69e517 am: 45849ee180 am: 1214fbd0bb am: 72798396a1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1883570
Change-Id: If5ef8def0884635bbae2a0b404d5003a4f9d263e
diff --git a/apex/Android.bp b/apex/Android.bp
index faff4a6..bddb639 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -244,3 +244,10 @@
"com.android.car.framework-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.supplementalprocess-file_contexts",
+ srcs: [
+ "com.android.supplementalprocess-file_contexts",
+ ],
+}
diff --git a/apex/com.android.supplementalprocess-file_contexts b/apex/com.android.supplementalprocess-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.supplementalprocess-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 47a2e8c..59a51a8 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -8,6 +8,7 @@
artd_service
attestation_verification_service
camera2_extensions_prop
+ communal_manager_service
device_config_nnapi_native_prop
extra_free_kbytes
extra_free_kbytes_exec
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..427e7d8 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -6,8 +6,6 @@
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
@@ -54,6 +52,8 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app sysfs_net:file r_file_perms;
+dontaudit gmscore_app sysfs_net:dir r_dir_perms;
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
@@ -142,3 +142,24 @@
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow gmscore_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow gmscore_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
diff --git a/private/priv_app.te b/private/priv_app.te
index 3ceb7a3..72e1c91 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -98,16 +98,11 @@
}:file r_file_perms;
allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)
r_dir_file(priv_app, rootfs)
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -260,3 +255,24 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow priv_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow priv_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
diff --git a/private/service.te b/private/service.te
index 2ab6335..56c78e8 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,5 +1,6 @@
type attention_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
+type communal_manager_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index f79715d..4a23857 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -106,6 +106,7 @@
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
+communal_manager u:object_r:communal_manager_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0