Merge "Label ro.property_service.async_persist_write as build_config_prop" into main
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 9c13bd5..afe9f51 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,3 +3,4 @@
/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
+/bin/vfio_handler u:object_r:vfio_handler_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f7e67d8..028b9b3 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -170,7 +170,9 @@
"android.security.metrics": EXCEPTION_NO_FUZZER,
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
+ // TODO(b/294158658): add fuzzer
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER,
@@ -341,6 +343,7 @@
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
+ "ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
"pac_proxy": EXCEPTION_NO_FUZZER,
"package": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 80d48da..aa8a56c 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1604,7 +1604,7 @@
(typeattributeset default_android_vndservice_34_0 (default_android_vndservice))
(typeattributeset default_prop_34_0 (default_prop))
(typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant))
-(typeattributeset device_34_0 (device))
+(typeattributeset device_34_0 (device vfio_device))
(typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop))
(typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop))
(typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 47d6719..af13c62 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,4 +9,5 @@
snapuserd_log_data_file
hal_threadnetwork_service
virtual_camera_service
+ ot_daemon_service
))
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..f9b47df 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -150,6 +150,7 @@
-apexd
-init
-ueventd
+ -vfio_handler
-vold
} sysfs:file no_rw_file_perms;
diff --git a/private/crosvm.te b/private/crosvm.te
index 8a6bd24..3f39201 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -92,6 +92,14 @@
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
+# Allow crosvm to interact to VFIO device
+allow crosvm vfio_device:chr_file rw_file_perms;
+allow crosvm vfio_device:dir r_dir_perms;
+
+# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
+allow crosvm vfio_handler:fd use;
+allow crosvm vfio_handler:fifo_file r_file_perms;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/file_contexts b/private/file_contexts
index 0bae96e..c2a6269 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -190,6 +190,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vfio(/.*)? u:object_r:vfio_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index b22ff90..cdf5486 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,4 +17,12 @@
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)
diff --git a/private/runas_app.te b/private/runas_app.te
index a5f47f4..9142a19 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -30,3 +30,6 @@
# processes, but not the whole system.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
+
+# Suppress bionic loader denial /data/local/tests directories.
+dontaudit runas_app shell_test_data_file:dir search;
diff --git a/private/service.te b/private/service.te
index f07400b..ccb9e17 100644
--- a/private/service.te
+++ b/private/service.te
@@ -21,4 +21,5 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
+type vfio_handler_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 94f913d..624d472 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -147,6 +147,7 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
+android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
@@ -317,6 +318,7 @@
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
otadexopt u:object_r:otadexopt_service:s0
+ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0
pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index cacb3c8..119a7ca 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -296,6 +296,7 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -954,6 +955,7 @@
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
+allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
new file mode 100644
index 0000000..706a6ca
--- /dev/null
+++ b/private/vfio_handler.te
@@ -0,0 +1,24 @@
+# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+type vfio_handler, domain, coredomain;
+type vfio_handler_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+init_daemon_domain(vfio_handler)
+
+# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+add_service(vfio_handler, vfio_handler_service)
+
+# Let the vfio_handler domain use Binder.
+binder_use(vfio_handler)
+
+# Allow vfio_handler to check if VFIO is supported
+allow vfio_handler vfio_device:chr_file getattr;
+allow vfio_handler vfio_device:dir r_dir_perms;
+
+# Allow vfio_handler to bind/unbind platform devices
+allow vfio_handler sysfs:dir r_dir_perms;
+allow vfio_handler sysfs:file rw_file_perms;
+
+# Only vfio_handler can add vfio_handler_service
+neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index b6bcd98..a8fb202 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -89,3 +89,7 @@
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationmanager vfio_handler:fd use;
+allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 561e778..a4588dc 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
+# Let virtualizationservice find and communicate with vfio_handler.
+allow virtualizationservice vfio_handler_service:service_manager find;
+binder_call(virtualizationservice, vfio_handler)
+
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
@@ -54,6 +58,14 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
+# Allow virtualizationservice to check if VFIO is supported
+allow virtualizationservice vfio_device:chr_file getattr;
+allow virtualizationservice vfio_device:dir r_dir_perms;
+
+# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationservice vfio_handler:fd use;
+allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+
neverallow {
domain
-init
@@ -72,3 +84,6 @@
-virtualizationmanager
-virtualizationservice
}:process setrlimit;
+
+# Only virtualizationservice can communicate to vfio_handler
+neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
diff --git a/private/vold.te b/private/vold.te
index 957e5d0..4256ac3 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -7,6 +7,10 @@
domain_auto_trans(vold, sdcardd_exec, sdcardd);
domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
+# Switch to e2fs domain when running mkfs.ext4 to format a partition
+domain_auto_trans(vold, e2fs_exec, e2fs);
+
+
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, blkid_exec, blkid);
diff --git a/public/device.te b/public/device.te
index fa29256..36299d3 100644
--- a/public/device.te
+++ b/public/device.te
@@ -129,3 +129,6 @@
# Root disk file for disk tunables
type rootdisk_sysdev, dev_type;
+
+# vfio device
+type vfio_device, dev_type;
diff --git a/public/e2fs.te b/public/e2fs.te
index 6bce10f..973abb9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,6 +9,12 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allow e2fs zoned_block_device:blk_file rw_file_perms;
+# Vold needs to capture mkfs.ext4's output
+allow e2fs vold:fd use;
+# Need to be able to format a partition
+allow e2fs sysfs_dm:dir r_dir_perms;
+allow e2fs sysfs_dm:file r_file_perms;
+
allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
diff --git a/public/service.te b/public/service.te
index fa19abc..39cbb10 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
+type ot_daemon_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;