Merge "Add /data/misc/a11ytrace folder to store accessibility trace files."
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5d32e11..d7a0798 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -364,7 +364,76 @@
return m.buildGeneralContexts(ctx, inputs)
}
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ // This list is from vts_treble_sys_prop_test.
+ allowedPropertyPrefixes := []string{
+ "ctl.odm.",
+ "ctl.vendor.",
+ "ctl.start$odm.",
+ "ctl.start$vendor.",
+ "ctl.stop$odm.",
+ "ctl.stop$vendor.",
+ "init.svc.odm.",
+ "init.svc.vendor.",
+ "ro.boot.",
+ "ro.hardware.",
+ "ro.odm.",
+ "ro.vendor.",
+ "odm.",
+ "persist.odm.",
+ "persist.vendor.",
+ "vendor.",
+ }
+
+ // persist.camera is also allowed for devices launching with R or eariler
+ if shippingApiLevel.LessThanOrEqualTo(ApiLevelR) {
+ allowedPropertyPrefixes = append(allowedPropertyPrefixes, "persist.camera.")
+ }
+
+ var allowedContextPrefixes []string
+
+ if shippingApiLevel.GreaterThanOrEqualTo(ApiLevelR) {
+ // This list is from vts_treble_sys_prop_test.
+ allowedContextPrefixes = []string{
+ "vendor_",
+ "odm_",
+ }
+ }
+
+ var ret android.Paths
+ for _, input := range inputs {
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
+ }
+
+ out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
+ rule.Command().Text("cp -f").Input(input).Output(out)
+ ret = append(ret, out)
+ }
+ rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
+ return ret
+}
+
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ // vendor/odm properties are enforced for devices launching with Android Q or later. So, if
+ // vendor/odm, make sure that only vendor/odm properties exist.
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
+ if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
+ inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ }
+
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
var apiFiles android.Paths
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 0f0069a..8dd2d2f 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -49,6 +49,7 @@
hal_keymint_service
hal_neuralnetworks_service
hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
hal_weaver_service
@@ -79,7 +80,6 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
- qemu_hw_prop
radio_core_data_file
reboot_readiness_service
remote_prov_app
diff --git a/private/platform_app.te b/private/platform_app.te
index a112081..7bf14c8 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -90,9 +90,6 @@
# allow platform apps to read keyguard.no_require_sim
get_prop(platform_app, keyguard_config_prop)
-# allow platform apps to read qemu.hw.mainkeys
-get_prop(platform_app, qemu_hw_prop)
-
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 42efcff..7d99a24 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -186,9 +186,6 @@
dalvik. u:object_r:dalvik_prop:s0
ro.dalvik. u:object_r:dalvik_prop:s0
-# qemu_hw_prop is read/written by both system and vendor.
-qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0
-
# Shared between system server and wificond
wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 7e250db..c1aab48 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -12,6 +12,7 @@
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 2c0eac9..c143999 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -770,9 +770,6 @@
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
@@ -1331,6 +1328,3 @@
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/public/app.te b/public/app.te
index 39d67af..67a996a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -318,6 +318,9 @@
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
diff --git a/public/domain.te b/public/domain.te
index 6b29595..81163d1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -403,13 +403,11 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 7570188..e56ab99 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,4 +1,5 @@
binder_call(hal_keymint_client, hal_keymint_server)
hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
diff --git a/public/init.te b/public/init.te
index e546ece..069f17d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -309,7 +309,6 @@
devpts
dm_device
hwbinder_device
- hw_random_device
input_device
kmsg_device
null_device
@@ -324,6 +323,7 @@
# chown/chmod on devices.
allow init {
dev_type
+ -hw_random_device
-keychord_device
-port_device
}:chr_file setattr;
@@ -533,10 +533,6 @@
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
diff --git a/public/property.te b/public/property.te
index 3f3f148..37884f0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -191,7 +191,6 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
-system_public_prop(qemu_hw_prop)
system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
diff --git a/public/service.te b/public/service.te
index 2e7f8b1..7292a97 100644
--- a/public/service.te
+++ b/public/service.te
@@ -252,6 +252,7 @@
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 97cbd0d..8d436b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,7 +235,6 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
-set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
diff --git a/tests/Android.bp b/tests/Android.bp
index 5925fc2..6a86188 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -87,3 +87,8 @@
],
defaults: ["py2_only"],
}
+
+python_binary_host {
+ name: "check_prop_prefix",
+ srcs: ["check_prop_prefix.py"],
+}
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
new file mode 100644
index 0000000..68511ce
--- /dev/null
+++ b/tests/check_prop_prefix.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import re
+import sys
+
+# A line should look like:
+# {prop_name} u:object_r:{context_name}:s0
+line_regex = re.compile(r'^(\S+)\s+u:object_r:([^:]+):s0.*$')
+
+# Parses a line in property_contexts and return a (prop, ctx) tuple.
+# Raises an error for any malformed entries.
+def parse_line(line):
+ matched = line_regex.match(line)
+ if not matched:
+ raise ValueError('malformed entry "' + line + '" in property_contexts')
+
+ return matched.group(1, 2)
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description="Finds any violations in property_contexts, with given allowed prefixes. "
+ "If any violations are found, return a nonzero (failure) exit code.")
+ parser.add_argument("--property-contexts", help="Path to property_contexts file.")
+ parser.add_argument("--allowed-property-prefix", action="extend", nargs="*",
+ help="Allowed property prefixes. If empty, any properties are allowed.")
+ parser.add_argument("--allowed-context-prefix", action="extend", nargs="*",
+ help="Allowed context prefixes. If empty, any contexts are allowed.")
+ parser.add_argument('--strict', action='store_true',
+ help="Make the script fail if any violations are found.")
+
+ return parser.parse_args()
+
+args = parse_args()
+
+violations = []
+
+with open(args.property_contexts, 'r') as f:
+ lines = f.read().split('\n')
+
+for line in lines:
+ tokens = line.strip()
+ # if this line empty or a comment, skip
+ if tokens == '' or tokens[0] == '#':
+ continue
+
+ prop, context = parse_line(line)
+
+ violated = False
+
+ if args.allowed_property_prefix and not prop.startswith(tuple(args.allowed_property_prefix)):
+ violated = True
+
+ if args.allowed_context_prefix and not context.startswith(tuple(args.allowed_context_prefix)):
+ violated = True
+
+ if violated:
+ violations.append(line)
+
+if len(violations) > 0:
+ print('******************************')
+ print('%d violations found:' % len(violations))
+ print('\n'.join(violations))
+ print('******************************')
+ print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print('This is enforced by VTS, so please fix such offending properties.')
+ if args.allowed_property_prefix:
+ print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
+ if args.allowed_context_prefix:
+ print('Allowed context prefixes for %s: %s' % (args.property_contexts, args.allowed_context_prefix))
+ if args.strict:
+ print('You can temporarily disable this check with setting BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk.')
+ print('But property namespace is enforced by VTS, and you will need to fix such violations to pass VTS.')
+ print('See test/vts-testcase/security/system_property/vts_treble_sys_prop_test.py for the detail of the VTS.')
+ sys.exit(1)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d05431c..785f4cb 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -73,7 +73,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0