Merge "Connectivity Native AIDL interface Sepolicy"
diff --git a/Android.bp b/Android.bp
index 0ca82a6..8e2a966 100644
--- a/Android.bp
+++ b/Android.bp
@@ -189,6 +189,11 @@
srcs: ["seapp_contexts"],
}
+se_build_files {
+ name: "vndservice_contexts_files",
+ srcs: ["vndservice_contexts"],
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
@@ -1103,3 +1108,29 @@
se_freeze_test {
name: "sepolicy_freeze_test",
}
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+ name: "sepolicy_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_test"],
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) && " +
+ "touch $(out)",
+}
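Review bot: The genrule passes all five file_contexts unconditionally, whereas the Make rule it replaces only added the system_ext, product and odm files under `ifdef` guards (see `ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR` in the Android.mk hunk below); confirm that `:system_ext_file_contexts`, `:product_file_contexts` and `:odm_file_contexts` still resolve on a product that defines none of those policy dirs, otherwise the test fails to build there instead of skipping those inputs. The `&& touch $(out)` construction is the right shape for a stamp output: a failing checker leaves no `sepolicy_test` and the genrule reruns next time. A one-line comment next to `out:` such as `// success stamp only; the checker's output goes to the build log` would spare the next reader the inference.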
diff --git a/Android.mk b/Android.mk
index 27123d7..c98de45 100644
--- a/Android.mk
+++ b/Android.mk
@@ -347,9 +347,13 @@
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
- sepolicy_tests \
sepolicy_compat_test \
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
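Review bot: The trailing backslash on `sepolicy_compat_test \` now continues the `LOCAL_REQUIRED_MODULES +=` assignment into the `# HACK:` comment line, so under GNU make's continuation rules it is the comment that terminates the logical line; the assignment still works, but only by accident, and any module appended after the comment block later would be silently swallowed. Drop the backslash, i.e. `sepolicy_compat_test`, and keep the comment block and the `LOCAL_ADDITIONAL_DEPENDENCIES` line as separate statements. The hunk at `-664` below removes the only visible consumers of `all_fc_files` and `all_fc_args`, which remain defined after this change; confirm another rule still reads them or delete them with the rest. Both `ifneq` blocks enclosing this hunk open above it and close below it.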
@@ -505,6 +509,7 @@
vendor_hwservice_contexts_test \
vendor_bug_map \
vndservice_contexts \
+ vndservice_contexts_test \
ifdef BOARD_ODM_SEPOLICY_DIRS
LOCAL_REQUIRED_MODULES += \
@@ -664,50 +669,8 @@
file_contexts.modules.tmp :=
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
-$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
-$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
-
-vnd_svcfiles :=
-vndservice_contexts.tmp :=
-
-##################################
include $(LOCAL_PATH)/mac_permissions.mk
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -721,13 +684,6 @@
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
- $(hide) touch $@
-
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
diff --git a/METADATA b/METADATA
index cdcfa70..5a356a4 100644
--- a/METADATA
+++ b/METADATA
@@ -1,6 +1,4 @@
third_party {
- # would be UNENCUMBERED save for
- # tests/combine_maps.py
- # build/soong/
+ license_note: "would be UNENCUMBERED save for: tests/combine_maps.py and build/soong/"
license_type: NOTICE
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 166c2d3..5d61303 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -251,8 +251,22 @@
}
filegroup {
+ name: "com.android.adservices-file_contexts",
+ srcs: [
+ "com.android.adservices-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.car.framework-file_contexts",
srcs: [
"com.android.car.framework-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.ondevicepersonalization-file_contexts",
+ srcs: [
+ "com.android.ondevicepersonalization-file_contexts",
+ ],
+}
diff --git a/apex/com.android.adservices-file_contexts b/apex/com.android.adservices-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.adservices-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 0502084..799c2c4 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
-/bin/compsvc u:object_r:compos_exec:s0
-/bin/compos_verify_key u:object_r:compos_verify_key_exec:s0
+/bin/compos_key_helper u:object_r:compos_key_helper_exec:s0
+/bin/compos_verify u:object_r:compos_verify_exec:s0
/bin/composd u:object_r:composd_exec:s0
+/bin/compsvc u:object_r:compos_exec:s0
diff --git a/apex/com.android.ondevicepersonalization-file_contexts b/apex/com.android.ondevicepersonalization-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.ondevicepersonalization-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 390c439..b1840da 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -88,6 +88,9 @@
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // Desired number of MLS categories. Defaults to 1024
+ Mls_cats *int64
}
type policyConf struct {
@@ -189,6 +192,10 @@
return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
}
+func (c *policyConf) mlsCats() int {
+ return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
+}
+
func findPolicyConfOrder(name string) int {
for idx, pattern := range policyConfOrder {
if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
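Review bot: `mlsCats()` passes `Mls_cats` straight to `proptools.IntDefault` with no range check, so a module that sets `mls_cats: 0` or a negative value feeds that number into `-D mls_num_cats=` in the `-212` hunk and fails, if at all, deep inside m4 or checkpolicy rather than at the property. This method has no context to report through, so validate at the call site in the `-212` hunk, e.g. `if c.mlsCats() < 1 { ctx.PropertyErrorf("mls_cats", "must be at least 1, got %d", c.mlsCats()) }`. The property comment in the `-88` hunk could state the bound as well: `// Desired number of MLS categories (must be >= 1). Defaults to 1024`. `findPolicyConfOrder` continues past the end of this hunk.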
@@ -212,7 +219,7 @@
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
- FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
+ FlagWithArg("-D mls_num_cats=", strconv.Itoa(c.mlsCats())).
FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 8894931..463a978 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -93,11 +93,13 @@
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.RegisterModuleType("seapp_contexts", seappFactory)
+ android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
+ android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -495,6 +497,18 @@
return m
}
+func vndServiceFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ android.AddLoadHook(m, func(ctx android.LoadHookContext) {
+ if !ctx.SocSpecific() {
+ ctx.ModuleErrorf(m.Name(), "must set vendor: true")
+ return
+ }
+ })
+ return m
+}
+
var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
// Implements android.OutputFileProducer
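Review bot: `ctx.ModuleErrorf(m.Name(), "must set vendor: true")` uses the module name as the format string and passes the real message as a spare argument; if `ModuleErrorf` has the fmt-style signature the other Soong contexts use, `go vet` would likely flag it and the reported error reads as the module name followed by an extra-argument marker. `ModuleErrorf` already prefixes the module name, so `ctx.ModuleErrorf("must set vendor: true")` is enough. The removed Make rule stripped comments and blank lines with `sed` before running `checkfc`; confirm `buildGeneralContexts` does the equivalent, otherwise the installed `vndservice_contexts` changes shape even though it still validates. A doc comment like the one on `vndServiceContextsTestFactory` in the next hunk would help: `// vndservice_contexts builds the vendor partition's vndservice_contexts; the module must be soc_specific (vendor: true).`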
@@ -565,6 +579,14 @@
return m
}
+// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
+func vndServiceContextsTestFactory() android.Module {
+ m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
tool := m.tool
if tool != "checkfc" && tool != "property_info_checker" {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 3062a61..2a5a058 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -67,28 +67,55 @@
":file_contexts_files{.vendor}",
],
soc_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "vendor_file_contexts.recovery",
+ srcs: [
+ ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.vendor}",
+ ],
+ stem: "vendor_file_contexts",
+ recovery: true,
}
file_contexts {
name: "system_ext_file_contexts",
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts.recovery",
+ srcs: [":file_contexts_files{.system_ext_private}"],
+ stem: "system_ext_file_contexts",
+ recovery: true,
}
file_contexts {
name: "product_file_contexts",
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "product_file_contexts.recovery",
+ srcs: [":file_contexts_files{.product_private}"],
+ stem: "product_file_contexts",
+ recovery: true,
}
file_contexts {
name: "odm_file_contexts",
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts.recovery",
+ srcs: [":file_contexts_files{.odm}"],
+ stem: "odm_file_contexts",
+ recovery: true,
}
hwservice_contexts {
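Review bot: Each new `*.recovery` module repeats the `srcs` list of its non-recovery twin verbatim (four pairs in this hunk), so a source added to `vendor_file_contexts` but not to `vendor_file_contexts.recovery` would leave recovery with a stale labeling set and nothing would complain. Blueprint supports top-level list variables (the microdroid Android.bp hunk in this same change uses `srcs: reqd_mask_files`), so each list could be declared once, e.g. `vendor_file_contexts_srcs = [":file_contexts_files{.plat_vendor_for_vendor}", ":file_contexts_files{.vendor}"]`, and referenced from both modules. A one-line comment above the first `.recovery` module explaining why `recovery_available: true` became a separate `recovery: true` module with `stem` preserving the installed name would document the intent for the next reader.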
@@ -287,6 +314,16 @@
sepolicy: ":precompiled_sepolicy",
}
+vndservice_contexts {
+ name: "vndservice_contexts",
+ srcs: [
+ ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.vendor}",
+ ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
+
// for CTS
genrule {
name: "plat_seapp_neverallows",
@@ -432,3 +469,9 @@
srcs: [":vendor_service_contexts"],
sepolicy: ":precompiled_sepolicy",
}
+
+vndservice_contexts_test {
+ name: "vndservice_contexts_test",
+ srcs: [":vndservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 7c478b4..43c98c9 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,7 +22,7 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
# Should be synced with keys.conf.
-all_plat_keys := platform media networkstack shared testkey
+all_plat_keys := platform media networkstack sdk_sandbox shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
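Review bot: `sdk_sandbox` is added to `all_plat_keys`, which the comment directly above says must be kept in sync with keys.conf, but no keys.conf change appears in this diff as shown; confirm the matching entry exists, otherwise the build now requires an `sdk_sandbox.x509.pem` that the mac_permissions generation never maps to a seinfo. Because `all_plat_keys` ends up as prerequisites of the built module, a missing certificate surfaces as a make error rather than a silent labeling gap, which is the right failure mode for this list.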
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0600207..0628a5b 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -109,6 +109,7 @@
name: "microdroid_reqd_policy_mask.conf",
srcs: reqd_mask_files,
installable: false,
+ mls_cats: 1,
}
se_policy_cil {
@@ -122,6 +123,7 @@
name: "microdroid_plat_sepolicy.conf",
srcs: system_policy_files,
installable: false,
+ mls_cats: 1,
}
se_policy_cil {
@@ -135,6 +137,7 @@
name: "microdroid_plat_pub_policy.conf",
srcs: system_public_policy_files,
installable: false,
+ mls_cats: 1,
}
se_policy_cil {
@@ -171,6 +174,7 @@
name: "microdroid_vendor_sepolicy.conf",
srcs: vendor_policy_files,
installable: false,
+ mls_cats: 1,
}
se_policy_cil {
@@ -287,4 +291,5 @@
srcs: system_policy_files,
exclude_build_test: true,
installable: false,
+ mls_cats: 1,
}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 116c74d..ed74ddd 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -1,5 +1,4 @@
typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)
diff --git a/microdroid/system/private/attributes b/microdroid/system/private/attributes
index 991bac1..792d600 100644
--- a/microdroid/system/private/attributes
+++ b/microdroid/system/private/attributes
@@ -1,12 +1 @@
-hal_attribute(lazy_test);
-
-# This is applied to apps on vendor images with SDK <=30 only,
-# to exempt them from recent mls changes. It must not be applied
-# to any domain on newer system or vendor image.
-attribute mlsvendorcompat;
-
-# Attributes for property types having both system_property_type
-# and vendor_property_type. Such types are ill-formed because
-# property owner attributes must be exclusive.
-attribute system_and_vendor_property_type;
-expandattribute system_and_vendor_property_type false;
+#
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index d9edb67..49bc5b3 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -7,13 +7,8 @@
# Allow using various binder services
binder_use(compos);
-allow compos {
- authfs_binder_service
- dice_node_service
-}:service_manager find;
+allow compos authfs_binder_service:service_manager find;
binder_call(compos, authfs_service);
-binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
@@ -30,5 +25,10 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh.
+# Allow running odrefresh in its own domain
domain_auto_trans(compos, odrefresh_exec, odrefresh)
+
+# Allow running compos_key_helper in its own domain
+domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
+# And killing it on error
+allow compos compos_key_helper:process sigkill;
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
new file mode 100644
index 0000000..56f8d2a
--- /dev/null
+++ b/microdroid/system/private/compos_key_helper.te
@@ -0,0 +1,20 @@
+# Helper process for compos to perform key derivation & signing
+type compos_key_helper, domain, coredomain;
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# This domain has access to DICE secrets & the private signing key.
+# Block crash dumps to ensure the secrets are not leaked.
+typeattribute compos_key_helper no_crash_dump_domain;
+
+# Allow using DICE binder service
+binder_use(compos_key_helper);
+allow compos_key_helper dice_node_service:service_manager find;
+binder_call(compos_key_helper, diced);
+allow compos_key_helper diced:diced { get_attestation_chain derive };
+
+# Communicate with compos via stdin/stdout pipes
+allow compos_key_helper compos:fd use;
+allow compos_key_helper compos:fifo_file { getattr read write };
+
+# Write to /dev/kmsg.
+allow compos_key_helper kmsg_device:chr_file rw_file_perms;
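Review bot: `typeattribute compos_key_helper no_crash_dump_domain;` relies on an attribute whose declaration is not in this diff as shown (the public/attributes hunks only delete lines); confirm it is declared in `microdroid/system/public/attributes`, since an undeclared attribute fails the policy compile. The shape is sound for a secret-holding helper: the domain is entered only through the `domain_auto_trans` added in compos.te, it is excluded from crash_dump, and it talks back to compos over inherited pipes rather than a service. One thing left implicit is that `compos_key_helper_exec` is meant to be run only via that transition from compos; either a `neverallow` that pins it or a comment stating it is deliberately unconstrained would record the intent next to the `type compos_key_helper_exec` line.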
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index a636e9c..61dfa0b 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -57,6 +57,7 @@
-init
-kernel
-logd
+ -no_crash_dump_domain
-ueventd
-vendor_init
}:process { ptrace signal sigchld sigstop sigkill };
@@ -67,3 +68,5 @@
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
+
+neverallow crash_dump no_crash_dump_domain:process ptrace;
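Review bot: The new `neverallow crash_dump no_crash_dump_domain:process ptrace;` pins only `ptrace`, while the allow block in the previous hunk (which opens above that hunk) withholds the whole set `{ ptrace signal sigchld sigstop sigkill }` from these domains; if no other rule is expected to grant crash_dump those signals on secret-holding domains, widening the neverallow to the same set makes the guarantee match the grant, e.g. `neverallow crash_dump no_crash_dump_domain:process { ptrace signal sigstop sigkill };` (keep `sigchld` out if something legitimately needs it). The `')` context line closes a macro block that begins outside the hunk, so placing the rule after it is correct. A one-line comment above the neverallow saying why these domains are exempt (they hold DICE secrets, per the diced.te and compos_key_helper.te hunks) would tie the three files together.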
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index c7c53c2..d259e1c 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -2,6 +2,8 @@
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
+userfaultfd_use(dex2oat)
+
allow dex2oat tmpfs:file { read getattr map };
# Allow dex2oat to use FDs from authfs_service via compos.
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
index 9530794..2dba244 100644
--- a/microdroid/system/private/diced.te
+++ b/microdroid/system/private/diced.te
@@ -1,6 +1,9 @@
type diced, domain, coredomain;
type diced_exec, system_file_type, exec_type, file_type;
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute diced no_crash_dump_domain;
+
# diced can be started by init
init_daemon_domain(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ae97f75..d87df40 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -182,7 +182,7 @@
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
# Restrict PTYs to only allowed ioctls.
@@ -263,9 +263,7 @@
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
+domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Properties that microdroid doesn't have but some still want to read.
@@ -425,16 +423,6 @@
coredomain
} vendor_service:service_manager add;
-neverallow {
- domain
- -tombstoned
- -crash_dump
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
neverallow { domain } tombstoned_intercept_socket:sock_file write;
@@ -502,7 +490,6 @@
domain
-adbd
-init
- -runas
} shell:process { transition dyntransition };
# Minimize read access to shell-writable symlinks.
@@ -605,3 +592,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# These domains must not be crash dumped
+neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
+neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 50558f8..4f7a0ff 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -112,7 +112,6 @@
/system/bin/init u:object_r:init_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
@@ -132,11 +131,9 @@
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 3499aa0..254dbe8 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -138,6 +138,8 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
+genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
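Review bot: `sysfs_dt_avf` is used here and in the microdroid_manager.te hunk, but its `type` declaration does not appear in this diff as shown; confirm it is declared with the sysfs-type attributes its neighbour `sysfs_dt_firmware_android` carries, so the two `genfscon` lines compile and the label inherits the usual sysfs restrictions. Both entries are exact paths under `/firmware/devicetree/base/chosen/`, so any `avf,*` flag added later falls back to the parent label and is unreadable by microdroid_manager; a comment such as `# Each AVF device-tree flag must be listed individually` above the two lines would prevent that surprise.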
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff75f75..708d537 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -45,8 +45,9 @@
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 2938be4..e81173d 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -90,9 +90,7 @@
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
- mac_perms_file
property_contexts_file
- seapp_contexts_file
sepolicy_test_file
service_contexts_file
}:file relabelto;
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 06d4fa6..46cdb7d 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -40,3 +40,5 @@
# Logd sets defaults if certain properties are empty.
set_prop(logd, logd_prop)
+
+dontaudit domain runtime_event_log_tags_file:file { map open read };
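Review bot: `dontaudit domain runtime_event_log_tags_file:file { map open read };` is a policy-wide rule (subject `domain`) placed in logd.te, where a reader expects rules about logd itself; move it to domain.te or, if it stays here, add a comment saying why every domain's access to the event-log tags file is silenced. A blanket `dontaudit` on `domain` also hides denials that would otherwise reveal a misbehaving process, so the comment should name the caller that triggers the noise, which this diff does not show.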
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 3510e2f..bf344ac 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -14,6 +14,9 @@
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;
+# microdroid_manager can query AVF flags in the device tree
+allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+
# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
# requires sys_admin cap as well.
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
diff --git a/microdroid/system/private/mls b/microdroid/system/private/mls
index 303df81..cee6675 100644
--- a/microdroid/system/private/mls
+++ b/microdroid/system/private/mls
@@ -2,88 +2,11 @@
# MLS policy constraints
#
-#
-# Process constraints
-#
+# We aren't using MLS in Microdroid. But the policy grammar requires
+# at least one MLS declaration, and checkpolicy enforces this. We
+# don't want to disable MLS, since we share some file labels with the
+# host (e.g. files in APEXes) which does have MLS. So we include this
+# fairly harmless constraint.
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and t2 == system_data_file) );
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+# Process transition: Require equivalence.
+mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index d8b4392..c083547 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -8,6 +8,14 @@
# Allow odrefresh to kill dex2oat if compilation times out.
allow odrefresh dex2oat:process sigkill;
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
# Allow odrefresh to read/write/lookup files/directories on authfs.
allow odrefresh authfs_fuse:file create_file_perms;
allow odrefresh authfs_fuse:dir create_dir_perms;
@@ -15,10 +23,6 @@
# Allow odrefresh to check the parent directory exists.
allow odrefresh authfs_data_file:dir { search getattr };
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
# TODO(196109647): We can probably remove this once the minijail preload is
@@ -30,3 +34,8 @@
# (unless specified otherwise). Without allowing the use, the execution will
# fail immediately. See b/210909688.
allow odrefresh compos:fd use;
+
+# Silently ignore the access to properties. Unlike on Android, parameters
+# should be passed from command line to avoid global state.
+dontaudit odrefresh property_socket:sock_file write;
+dontaudit odrefresh dalvik_config_prop:file read;
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index aaebf68..c93b488 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,4 +1,4 @@
-typeattribute shell coredomain, mlstrustedsubject;
+typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index c7d9fd6..a855509 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -49,8 +49,5 @@
# ueventd is using bootstrap bionic
use_bootstrap_libs(ueventd)
-# TODO(b/193118220): find out why this happens.
-dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
-
# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
set_prop(ueventd, cold_boot_done_prop)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index e3258ae..00b5f2b 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -37,11 +37,6 @@
attribute core_data_file_type;
expandattribute core_data_file_type false;
-# All types used for app private data files in seapp_contexts.
-# Such types should not be applied to any other files.
-attribute app_data_file_type;
-expandattribute app_data_file_type false;
-
# All types in /system
attribute system_file_type;
@@ -85,18 +80,6 @@
# definition in tools/checkfc.c.
attribute property_type;
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All properties that are not specific to device but are added from
-# outside of AOSP. (e.g. OEM-specific properties)
-# These properties are not accessible from device-specific domains
-attribute extended_core_property_type;
-
# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
@@ -116,9 +99,6 @@
attribute system_public_property_type;
expandattribute system_public_property_type false;
-# All keystore2_key labels.
-attribute keystore2_key_type;
-
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
@@ -143,21 +123,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which should be available to all ephemeral apps
-attribute ephemeral_app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# services which are explicitly disallowed for untrusted apps to access
-attribute protected_service;
-
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
@@ -169,32 +134,6 @@
# definition in tools/checkfc.c.
attribute service_manager_type;
-# All types used for services managed by hwservicemanager
-attribute hwservice_manager_type;
-
-# All HwBinder services guaranteed to be passthrough. These services always run
-# in the process of their clients, and thus operate with the same access as
-# their clients.
-attribute same_process_hwservice;
-
-# All HwBinder services guaranteed to be offered only by core domain components
-attribute coredomain_hwservice;
-
-# All HwBinder services that untrusted apps can't directly access
-attribute protected_hwservice;
-
-# All types used for services managed by vndservicemanager
-attribute vndservice_manager_type;
-
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
# All domains used for apps with network access.
attribute netdomain;
@@ -204,172 +143,30 @@
# All domains used for binder service domains.
attribute binderservicedomain;
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
-
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
-# All vendor hwservice.
-attribute vendor_hwservice_type;
-
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
-# All vendor domains which violate the requirement of not using sockets for
-# communicating with core components
-# TODO(b/36577153): Remove this once there are no violations
-attribute socket_between_core_and_vendor_violators;
-expandattribute socket_between_core_and_vendor_violators false;
-
-# All vendor domains which violate the requirement of not executing
-# system processes
-# TODO(b/36463595)
-attribute vendor_executes_system_violators;
-expandattribute vendor_executes_system_violators false;
-
-# All domains which violate the requirement of not sharing files by path
-# between between vendor and core domains.
-# TODO(b/34980020)
-attribute data_between_core_and_vendor_violators;
-expandattribute data_between_core_and_vendor_violators false;
-
-# All system domains which violate the requirement of not executing vendor
-# binaries/libraries.
-# TODO(b/62041836)
-attribute system_executes_vendor_violators;
-expandattribute system_executes_vendor_violators false;
-
-# All system domains which violate the requirement of not writing vendor
-# properties.
-# TODO(b/78598545): Remove this once there are no violations
-attribute system_writes_vendor_properties_violators;
-expandattribute system_writes_vendor_properties_violators false;
-
-# All system domains which violate the requirement of not writing to
-# /mnt/vendor/*. Must not be used on devices launched with P or later.
-attribute system_writes_mnt_vendor_violators;
-expandattribute system_writes_mnt_vendor_violators false;
-
-# PDX services
-attribute pdx_endpoint_dir_type;
-attribute pdx_endpoint_socket_type;
-expandattribute pdx_endpoint_socket_type false;
-attribute pdx_channel_socket_type;
-expandattribute pdx_channel_socket_type false;
-
-pdx_service_attributes(display_client)
-pdx_service_attributes(display_manager)
-pdx_service_attributes(display_screenshot)
-pdx_service_attributes(display_vsync)
-pdx_service_attributes(performance_client)
-pdx_service_attributes(bufferhub_client)
-
# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;
-# Exempt for halserverdomain to access sockets. Only builds for automotive
-# device types are allowed to use this attribute (enforced by CTS).
-# Unlike phone, in a car many modules are external from Android perspective and
-# HALs should be able to communicate with those devices through sockets.
-attribute hal_automotive_socket_exemption;
-
# HALs
-hal_attribute(allocator);
-hal_attribute(atrace);
-hal_attribute(audio);
-hal_attribute(audiocontrol);
-hal_attribute(authsecret);
-hal_attribute(bluetooth);
-hal_attribute(bootctl);
-hal_attribute(bufferhub);
-hal_attribute(broadcastradio);
-hal_attribute(camera);
-hal_attribute(can_bus);
-hal_attribute(can_controller);
-hal_attribute(cas);
-hal_attribute(codec2);
-hal_attribute(configstore);
-hal_attribute(confirmationui);
-hal_attribute(contexthub);
hal_attribute(dice);
-hal_attribute(drm);
-hal_attribute(evs);
-hal_attribute(face);
-hal_attribute(fingerprint);
-hal_attribute(gatekeeper);
-hal_attribute(gnss);
-hal_attribute(graphics_allocator);
-hal_attribute(graphics_composer);
-hal_attribute(health);
-hal_attribute(health_storage);
-hal_attribute(identity);
-hal_attribute(input_classifier);
-hal_attribute(ir);
-hal_attribute(keymaster);
-hal_attribute(keymint);
-hal_attribute(light);
-hal_attribute(lowpan);
-hal_attribute(memtrack);
-hal_attribute(neuralnetworks);
-hal_attribute(nfc);
-hal_attribute(oemlock);
-hal_attribute(omx);
-hal_attribute(power);
-hal_attribute(power_stats);
-hal_attribute(rebootescrow);
-hal_attribute(secure_element);
-hal_attribute(sensors);
-hal_attribute(telephony);
-hal_attribute(tetheroffload);
-hal_attribute(thermal);
-hal_attribute(tv_cec);
-hal_attribute(tv_input);
-hal_attribute(tv_tuner);
-hal_attribute(usb);
-hal_attribute(usb_gadget);
-hal_attribute(vehicle);
-hal_attribute(vibrator);
-hal_attribute(vr);
-hal_attribute(weaver);
-hal_attribute(wifi);
-hal_attribute(wifi_hostapd);
-hal_attribute(wifi_supplicant);
-
-# HwBinder services offered across the core-vendor boundary
-#
-# We annotate server domains with x_server to loosen the coupling between
-# system and vendor images. For example, it should be possible to move a service
-# from one core domain to another, without having to update the vendor image
-# which contains clients of this service.
-
-attribute automotive_display_service_server;
-attribute camera_service_server;
-attribute display_service_server;
-attribute scheduler_service_server;
-attribute sensor_service_server;
-attribute stats_service_server;
-attribute system_suspend_internal_server;
-attribute system_suspend_server;
-attribute wifi_keystore_service_server;
-
-# All types used for super partition block devices.
-attribute super_block_device_type;
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
-# All types used for DSU metadata files.
-attribute gsi_metadata_file_type;
-
attribute fusefs_type;
# All types run from microdroid_manager as a payload
attribute microdroid_payload;
+
+# Domains that are blocked from producing a crash dump
+attribute no_crash_dump_domain;
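Review bot: The new `no_crash_dump_domain` attribute is only declared here; an attribute by itself grants or denies nothing, and the rule that actually stops crash_dump from attaching to members is not in this hunk, so a reader of this file cannot tell whether the "blocked" in the comment is enforced. If the enforcing neverallow lives elsewhere in this change, the comment should point to it, e.g. `# Domains that are blocked from producing a crash dump (enforced by the crash_dump neverallow rules; declaring the attribute alone grants nothing)`. The earlier hunks of this file (L832 onward) delete the `mlstrustedsubject`/`mlstrustedobject` attributes, so every remaining reference in microdroid policy must go in the same change or the policy will not compile — the device.te and file.te hunks appear to do that.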
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 4c008ea..f99084c 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,41 +1,41 @@
-type ashmem_device, dev_type, mlstrustedobject;
-type ashmem_libcutils_device, dev_type, mlstrustedobject;
-type binder_device, dev_type, mlstrustedobject;
+type ashmem_device, dev_type;
+type ashmem_libcutils_device, dev_type;
+type binder_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
-type fuse_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
+type fuse_device, dev_type;
type hw_random_device, dev_type;
-type hwbinder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type;
type kmsg_debug_device, dev_type;
-type kmsg_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type;
type kvm_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
+type null_device, dev_type;
type open_dice_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
+type owntty_device, dev_type;
type ppp_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
+type ptmx_device, dev_type;
type ram_device, dev_type;
-type random_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
type rtc_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type tty_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type uhid_device, dev_type, mlstrustedobject;
+type tun_device, dev_type;
+type uhid_device, dev_type;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type;
type vndbinder_device, dev_type;
type vsock_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
+type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d15d9cd..57be060 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -2,7 +2,6 @@
# file types
type adbd_socket, file_type, coredomain_socket;
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
type authfs_data_file, file_type, data_file_type, core_data_file_type;
@@ -12,20 +11,18 @@
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
type linkerconfig_file, file_type;
-type logd_socket, file_type, mlstrustedobject, coredomain_socket;
-type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
-type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
-type mac_perms_file, file_type, system_file_type;
+type logd_socket, file_type, coredomain_socket;
+type logdr_socket, file_type, coredomain_socket;
+type logdw_socket, file_type, coredomain_socket;
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
type property_contexts_file, file_type, system_file_type;
-type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type property_socket, file_type, coredomain_socket;
type runtime_event_log_tags_file, file_type;
-type seapp_contexts_file, file_type, system_file_type;
type sepolicy_file, file_type, system_file_type;
type service_contexts_file, file_type, system_file_type;
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type;
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type statsdw_socket, file_type, coredomain_socket;
type system_bootstrap_lib_file, file_type, system_file_type;
type system_data_file, file_type, data_file_type, core_data_file_type;
type system_data_root_file, file_type, data_file_type, core_data_file_type;
@@ -39,11 +36,11 @@
type system_security_cacerts_file, file_type, system_file_type;
type task_profiles_api_file, file_type, system_file_type;
type task_profiles_file, file_type, system_file_type;
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type;
+type tombstoned_crash_socket, file_type, coredomain_socket;
type tombstoned_intercept_socket, file_type, coredomain_socket;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type;
type unlabeled, file_type;
type vendor_configs_file, file_type, vendor_file_type;
type vendor_data_file, file_type, data_file_type;
@@ -55,7 +52,7 @@
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
type binfmt_miscfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
+type cgroup, fs_type;
type cgroup_v2, fs_type;
type config_gz, fs_type, proc_type;
type configfs, fs_type;
@@ -65,22 +62,22 @@
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type devpts, fs_type, mlstrustedobject;
+type devpts, fs_type;
type devtmpfs;
-type exfat, fs_type, sdcard_type, mlstrustedobject;
+type exfat, fs_type, sdcard_type;
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type fuse, fs_type, fusefs_type, mlstrustedobject;
+type functionfs, fs_type;
+type fuse, fs_type, fusefs_type;
type fusectlfs, fs_type;
-type inotify, fs_type, mlstrustedobject;
+type inotify, fs_type;
type labeledfs, fs_type;
type mqueue, fs_type;
type pipefs, fs_type;
@@ -126,8 +123,8 @@
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
-type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
-type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_ctrl, fs_type, proc_type;
+type proc_qtaguid_stat, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_security, fs_type, proc_type;
@@ -152,14 +149,14 @@
type proc_zoneinfo, fs_type, proc_type;
type pstorefs, fs_type;
type rootfs, fs_type;
-type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type sdcardfs, fs_type, sdcard_type;
type securityfs, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
+type selinuxfs, fs_type;
type shm, fs_type;
type sockfs, fs_type;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs, fs_type, sysfs_type;
type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_devices_cs_etm, fs_type, sysfs_type;
type sysfs_devices_system_cpu, fs_type, sysfs_type;
@@ -167,6 +164,7 @@
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_avf, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_fs_ext4_features, fs_type, sysfs_type;
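Review bot: `sysfs_dt_avf` is declared here but no labeling for it (a genfs_contexts or file_contexts entry) appears in the visible part of the diff, and a sysfs type that is never assigned to a node leaves the `allow hal_dice_default sysfs_dt_avf:file r_file_perms` rule added in hal_dice_default.te dead while the HAL keeps hitting the default sysfs label. If the labeling is in another file of this change, fine; otherwise it needs to be added alongside this declaration. A short comment naming the node would also help, since the other sysfs types in this file are self-describing only by name: `# AVF device tree nodes exported under sysfs`.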
@@ -176,12 +174,12 @@
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
-type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_kernel_notes, fs_type, sysfs_type;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_lowmemorykiller, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_nfc_power_writable, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
@@ -199,4 +197,4 @@
type tmpfs, fs_type;
type usbfs, fs_type;
type usermodehelper, fs_type, proc_type;
-type vfat, fs_type, sdcard_type, mlstrustedobject;
+type vfat, fs_type, sdcard_type;
diff --git a/microdroid/system/public/init.te b/microdroid/system/public/init.te
index bccdb70..b4def39 100644
--- a/microdroid/system/public/init.te
+++ b/microdroid/system/public/init.te
@@ -1,5 +1,5 @@
# init is its own domain.
-type init, domain, mlstrustedsubject;
+type init, domain;
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;
diff --git a/microdroid/system/public/kernel.te b/microdroid/system/public/kernel.te
index c117a1a..9ea35c1 100644
--- a/microdroid/system/public/kernel.te
+++ b/microdroid/system/public/kernel.te
@@ -1,2 +1,2 @@
# Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
+type kernel, domain;
diff --git a/microdroid/system/public/runas.te b/microdroid/system/public/runas.te
deleted file mode 100644
index 4d8a6b3..0000000
--- a/microdroid/system/public/runas.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type runas, domain, mlstrustedsubject, coredomain;
-type runas_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index c84e377..00c2d0b 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -1,5 +1,5 @@
# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
+type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
# Create and use network sockets.
@@ -77,6 +77,5 @@
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index dea7c6b..ea8ffa0 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -1,4 +1,4 @@
-type statsd, domain, mlstrustedsubject;
+type statsd, domain;
type statsd_exec, system_file_type, exec_type, file_type;
binder_use(statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index e331bf6..aded9ae 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -1,3 +1,6 @@
+# Domain used for su processes, as well as for adbd and adb shell
+# after performing an adb root command.
+
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
@@ -6,11 +9,6 @@
type su_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- typeattribute su mlstrustedsubject;
-
# Add su to various domains
net_domain(su)
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 818ae46..b21b2dd 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,11 +1,11 @@
# Miscellaneous types
-type adb_service, system_server_service, system_api_service, service_manager_type;
+type adb_service, service_manager_type;
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
-type hal_dice_service, protected_service, vendor_service, service_manager_type;
+type hal_dice_service, vendor_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
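Review bot: Dropping `protected_service` from `hal_dice_service` follows from deleting that attribute in public/attributes, but it also removes whatever neverallow was keyed on it, so nothing attribute-based now says which domains may `find` the DICE service. In microdroid there appear to be no untrusted app domains left after this change, which presumably is why the attribute was judged unnecessary; it would still be worth confirming that an explicit rule restricts `hal_dice_service:service_manager find` to the intended clients, and noting that intent in a one-line comment on this type.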
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index 322abe3..fa5db03 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -1,5 +1,5 @@
# vendor_init is its own domain.
-type vendor_init, domain, mlstrustedsubject;
+type vendor_init, domain;
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
index 3536ae1..9fbf90d 100644
--- a/microdroid/vendor/hal_dice_default.te
+++ b/microdroid/vendor/hal_dice_default.te
@@ -1,10 +1,14 @@
type hal_dice_default, domain;
hal_server_domain(hal_dice_default, hal_dice)
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute hal_dice_default no_crash_dump_domain;
+
type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dice_default)
# hal_dice_default is using bootstrap bionic
use_bootstrap_libs(hal_dice_default)
+allow hal_dice_default sysfs_dt_avf:file r_file_perms;
allow hal_dice_default open_dice_device:chr_file rw_file_perms;
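Review bot: The new `allow hal_dice_default sysfs_dt_avf:file r_file_perms;` is the only rule in this file without a comment explaining its purpose, unlike the crash-dump and bootstrap-bionic lines around it. A one-liner in the same style would do, e.g. `# Read the AVF device tree nodes in sysfs (inputs for DICE)` — adjusting the parenthetical to what the HAL actually reads from them. The `no_crash_dump_domain` assignment is a sensible hardening step for a domain holding DICE secrets, provided the attribute is backed by an enforcing rule elsewhere in the change.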
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index ec5c57e..ea9fb1e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -152,6 +152,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
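Review bot: This hunk edits a frozen API snapshot under prebuilts/api/29.0, and the identical rule is added to the 30.0 and 31.0 snapshots in the next two files; these directories are normally treated as immutable copies of the policy at freeze time, so a change here is either a deliberate backport or something that should instead have landed only in the current policy. If it is deliberate, the reason should be stated in the commit message, since nothing in the hunks says why an older snapshot needs it. The rule itself is narrow (read-only on `proc_net_tcp_udp`) and the comment already ties it to the CTS listening-ports test.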
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index be4f0f7..e81aac7 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -158,6 +158,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/31.0/private/adbd.te b/prebuilts/api/31.0/private/adbd.te
index c2c6164..4273995 100644
--- a/prebuilts/api/31.0/private/adbd.te
+++ b/prebuilts/api/31.0/private/adbd.te
@@ -169,6 +169,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/private/apexd.te b/private/apexd.te
index 69645a1..040651d 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -16,6 +16,10 @@
# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
allow apexd sepolicy_metadata_file:dir create_dir_perms;
allow apexd sepolicy_metadata_file:file create_file_perms;
+# Allow apexd to setup fs-verity for SEPolicy files in metadata
+allowxperm apexd sepolicy_metadata_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
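Review bot: The new `allowxperm` is a good narrowing, and the comment should say so, because its effect is easy to misread: once an allowxperm rule exists for apexd on `sepolicy_metadata_file:file`, the generic `ioctl` permission granted by `create_file_perms` on the line above no longer permits arbitrary ioctls but only the two commands listed, so any future ioctl on these files must be added here. Suggested wording: `# Allow apexd to setup fs-verity for SEPolicy files in metadata. This also restricts ioctl on these files to exactly the listed commands.`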
diff --git a/private/app.te b/private/app.te
index 856f483..436af5a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,7 @@
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
@@ -41,7 +42,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
@@ -110,11 +111,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@@ -148,11 +149,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -170,10 +171,10 @@
allow appdomain oemfs:file rx_file_perms;
# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
@@ -191,8 +192,11 @@
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)
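Review bot: `binder_call(appdomain, sdk_sandbox)` is granted to all of `appdomain`, including `isolated_app` and `ephemeral_app`, whereas every other rule this change touches carves those domains out explicitly; if only regular apps are meant to talk to the sandbox, the macro argument should be `{ appdomain -isolated_app -ephemeral_app }`, and if the broad grant is intentional the comment should say so. Note also that `binder_call` grants in both directions (the sandbox may send binder replies and transfer references back to the caller), which is worth a word in the comment.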
@@ -274,6 +278,7 @@
-isolated_app
-platform_app
-priv_app
+ -sdk_sandbox
-shell
-system_app
-untrusted_app_all
@@ -286,6 +291,7 @@
-isolated_app
-platform_app
-priv_app
+ -sdk_sandbox
-shell
-su
-system_app
@@ -327,33 +333,33 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
# For art.
allow appdomain dalvikcache_data_file:file execute;
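Review bot: The rule `allow { appdomain -isolated_app } radio_data_file:file { read write getattr };` in the middle of this hunk is the one app-sandbox rule here that did not get `-sdk_sandbox`, while every surrounding rule (media_rw_data_file, storage_file, sdcard_type/fuse, usb_device) did; as written the sandbox keeps read/write on telephony-provider files passed over Binder. If that is intended, a comment saying why should sit on that line; otherwise it should read `allow { appdomain -isolated_app -sdk_sandbox } radio_data_file:file { read write getattr };`.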
@@ -373,19 +379,19 @@
# logd access
read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app -ephemeral_app })
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
-use_credstore({ appdomain -isolated_app -ephemeral_app })
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
allow appdomain console_device:chr_file { read write };
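Review bot: The exclusion set `{ appdomain -isolated_app -ephemeral_app -sdk_sandbox }` is hand-copied into every rule of this hunk and the two that follow (the pdx_client/pdx_use rules and the tun_device rules), so the next app-like domain needs a dozen coordinated edits and a single missed line silently leaves that domain with the access everyone else lost. A dedicated attribute covering exactly those domains (name to be chosen), assigned once at the type declarations, would make each rule a one-token change and let a neverallow pin the membership. Where a rule deliberately excludes fewer domains than the others — `control_logd({ appdomain -ephemeral_app -sdk_sandbox })` still admits isolated_app — a short comment saying the difference is intentional would stop a later cleanup from "fixing" it.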
@@ -416,12 +422,12 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
###
### CTS-specific rules
@@ -434,8 +440,8 @@
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
@@ -464,6 +470,7 @@
isolated_app
nfc
radio
+ sdk_sandbox
shared_relro
system_app
} {
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 004c108..8a62341 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -56,6 +56,9 @@
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
+# For ART (allow userfaultfd and related ioctls)
+userfaultfd_use(app_zygote)
+
# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
allow app_zygote apex_module_data_file:dir search;
# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
diff --git a/private/atrace.te b/private/atrace.te
index 2ab8c69..ca0e527 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -12,10 +12,10 @@
allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
-# Allow atrace to write data when a pipe is used for stdout/stderr
-# This is used by Perfetto to capture the output on error in atrace.
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
allow atrace traced_probes:fd use;
-allow atrace traced_probes:fifo_file write;
+allow atrace traced_probes:fifo_file { getattr write };
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index f0888a7..2be7f88 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -11,3 +11,4 @@
# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;
+allow bpfdomain fs_bpf:dir search;
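Review bot: The new `allow bpfdomain fs_bpf:dir search;` sits directly under a neverallow with nothing explaining why directory search is now granted to the whole attribute; a one-line comment such as `# every bpf user must traverse /sys/fs/bpf to reach its pinned maps and programs` would document the consolidation. The per-domain `fs_bpf:dir search` rules removed in gpuservice.te, lmkd.te, mediaprovider_app.te and netutils_wrapper.te are behaviour-preserving because each of those domains keeps `bpfloader:bpf` permissions in its hunk, which the `neverallow { domain -bpfdomain } *:bpf *;` above only permits for bpfdomain members. Readers hunting a future `fs_bpf` denial will look in the domain's own file first, so a pointer there (`# fs_bpf:dir search comes from bpfdomain.te`) at each removal site is worth the extra line.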
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7644cac..d7b27b5 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -40,7 +40,17 @@
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow {
+ domain
+ -bpfloader
+ -gpuservice
+ -hal_health_server
+ -mediaprovider_app
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
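Review bot: `-hal_health_server` is added to the prog_run exclusion list without a comment, and every name carved out of this neverallow permanently widens the set of domains allowed to run BPF programs, so the justification belongs on the line, e.g. `-hal_health_server # runs <program> for <purpose> (b/<bug-id>)` with the real values filled in. The map_read/map_write neverallow on the following line keeps its old exclusion list; if hal_health_server also needs map access it will fail that rule, and if it does not, a comment recording that the asymmetry is deliberate saves the next reviewer the same question. Reflowing the list to one name per line is a good change; the two neighbouring single-line neverallows could follow the same layout for readability.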
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..38b445d 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -25,7 +25,6 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server zygote process b/77856826
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 29378d4..22381b5 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -41,6 +41,7 @@
proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
+ sdk_sandbox_service
sysfs_fs_fuse_bpf
sysfs_vendor_sched
tv_iapp_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 78087e8..5a1d863 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -5,10 +5,12 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adservices_manager_service
apexd_select_prop
artd_service
attestation_verification_service
bluetooth_config_prop
+ binderfs_features
charger_vendor
cloudsearch
cloudsearch_service
@@ -25,6 +27,7 @@
extra_free_kbytes
extra_free_kbytes_exec
fs_bpf_vendor
+ game_mode_intervention_list_file
gesture_prop
hal_contexthub_service
hal_camera_service
@@ -51,13 +54,16 @@
locale_service
mdns_service
nearby_service
+ persist_wm_debug_prop
proc_watermark_boost_factor
proc_watermark_scale_factor
remotelyprovisionedkeypool_service
resources_manager_service
+ rootdisk_sysdev
+ sdk_sandbox_service
selection_toolbar_service
+ smart_idle_maint_enabled_prop
snapuserd_proxy_socket
- supplemental_process_service
sysfs_fs_fuse_bpf
system_dlkm_file
tare_service
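Review bot: `binderfs_features` is inserted after `bluetooth_config_prop`, breaking the alphabetical order the rest of this list keeps; it belongs immediately before that entry. The other additions in this file are placed correctly. The visible 31.0.ignore.cil hunk adds only `sdk_sandbox_service`, while this file gains six new types; if any of the others are likewise absent from the 31.0 policy they need the same entry there as well — I cannot see the rest of that file from this diff, so this is a point to confirm rather than a defect.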
diff --git a/private/compos.te b/private/compos.te
deleted file mode 100644
index ffbb33e..0000000
--- a/private/compos.te
+++ /dev/null
@@ -1 +0,0 @@
-type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/compos_verify.te b/private/compos_verify.te
new file mode 100644
index 0000000..0a281f8
--- /dev/null
+++ b/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;
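Review bot: The domain's contract is read-only access to the CompOS info and signature files, but that is enforced only by the absence of allow rules; a `neverallow compos_verify { apex_art_data_file apex_compos_data_file }:file no_w_file_perms;` next to the existing neverallows would make "the verifier cannot alter what it verifies" a compiler-checked property rather than a convention, and is a clear tightening over the deleted compos_verify_key domain, which held create_dir_perms/create_file_perms on apex_compos_data_file. The macro invocations `binder_use(compos_verify);` and `virtualizationservice_use(compos_verify);` carry trailing semicolons that `r_dir_file(compos_verify, apex_compos_data_file)` and the other macro calls in this policy do not; dropping them keeps the new file uniform.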
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
deleted file mode 100644
index e55ff17..0000000
--- a/private/compos_verify_key.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Run by odsign to verify a CompOs instance's keys.
-type compos_verify_key, domain, coredomain;
-
-type compos_verify_key_exec, exec_type, file_type, system_file_type;
-
-binder_use(compos_verify_key);
-virtualizationservice_use(compos_verify_key);
-
-# Access the image & key files, delete on failure, rename pending to current
-allow compos_verify_key apex_module_data_file:dir search;
-allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
-allow compos_verify_key apex_compos_data_file:file create_file_perms;
-
-# Allow odsign to redirect our stdout/stderr to log
-allow compos_verify_key odsign:fd use;
-allow compos_verify_key odsign_devpts:chr_file { read write };
-
-# Only odsign can enter the domain via exec
-neverallow { domain -odsign } compos_verify_key:process transition;
-neverallow * compos_verify_key:process dyntransition;
diff --git a/private/crosvm.te b/private/crosvm.te
index 426cb28..26b1df3 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -19,6 +19,9 @@
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationservice:fd use;
+# Allow sending VirtualizationService the failure reason from the VM via pipe.
+allow crosvm virtualizationservice:fifo_file write;
+
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
@@ -59,7 +62,6 @@
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
-allow crosvm appdomain:fifo_file { read write };
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
diff --git a/private/domain.te b/private/domain.te
index 988bd56..f95df34 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -245,6 +245,7 @@
-installd
-iorap_inode2filename
-priv_app
+ -shell
-virtualizationservice
-crosvm
} staging_data_file:file *;
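Review bot: Adding `-shell` to this `staging_data_file:file *` neverallow lifts every permission on the class for shell, while the matching shell.te hunk grants only `r_file_perms`; a narrower compensating rule, `neverallow shell staging_data_file:file ~r_file_perms;`, would keep the read-only intent checked by the compiler instead of relying on nobody adding a write rule to shell.te later. The enclosing neverallow block starts before this hunk, so its comment (if any) is not visible here.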
@@ -499,6 +500,7 @@
-init
-tombstoned # linker to tombstoned
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced')
userdebug_or_eng(`-traced_perf')
});
')
@@ -610,3 +612,22 @@
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain # finer-grained rules for appdomain are listed below
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+ sdk_sandbox
+} system_app_data_file:dir_file_class_set { create unlink open };
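Review bot: The comment `# finer-grained rules for appdomain are listed below` is attached to `untrusted_app_all` in the second block, but that block is the "below" the identical comment in the first block points to, so the duplicate is misleading; replace it with a comment describing the block itself, e.g. `# appdomain members that must never create, unlink or open system_app sandbox files`. `#populate com.android.providers.settings/databases/settings.db.` on the `-system_server` line is missing the space after `#` and the trailing period its neighbours omit. Other app domains assigned in seapp_contexts (platform_app, system_app) are not in the second list; if that is intentional, a sentence saying so would pre-empt the question.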
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4fad585..149d389 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -6,6 +6,10 @@
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
+# Create tmpfs files for using memfd descriptors to get output from child
+# processes.
+tmpfs_domain(dumpstate)
+
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
@@ -116,3 +120,6 @@
# /dev/null.
allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;
+
+# system_dlkm_file for /system_dlkm partition
+allow dumpstate system_dlkm_file:dir getattr;
diff --git a/private/file.te b/private/file.te
index 9dd0615..54d6df6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,9 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
+type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
@@ -88,6 +91,11 @@
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
+# /apex/com.android.compos/bin/compsvc
+type compos_exec, exec_type, file_type, system_file_type;
+# /apex/com.android.compos/bin/compos_key_helper
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
# /metadata/sepolicy
type sepolicy_metadata_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index d8c6fbf..b075839 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -171,6 +171,7 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/block/by-name/rootdisk(/.*)? u:object_r:rootdisk_sysdev:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
@@ -526,6 +527,7 @@
/data/(.*)? u:object_r:system_data_file:s0
/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
+/data/system/game_mode_intervention\.list u:object_r:game_mode_intervention_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f20251d..ca64733 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -377,6 +377,7 @@
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 35167d5..76a2370 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -54,7 +54,6 @@
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
-allow gpuservice fs_bpf:dir search;
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
diff --git a/private/gsid.te b/private/gsid.te
index fa76da0..e795cea 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -48,7 +48,7 @@
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
+read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
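Review bot: The comment above still says `(Note: proc_cmdline is needed to get the A/B slot suffix)` while the explicit `proc_cmdline` allow is replaced by `read_fstab(gsid)`; if the macro is what now supplies that access, the note should say so, e.g. `(Note: read_fstab also grants proc_cmdline, needed for the A/B slot suffix)`, otherwise the next reader will re-add the allow. The comment block this refers to starts before the hunk.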
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 800775b..828ffb1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
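Review bot: `sdk_sandbox_data_file}` on the allow line is missing the space before the closing brace that every other type set in this file has (`{ app_data_file privapp_data_file }`); the same slip is on the neverallow in the next hunk. Both lines should read `{ app_data_file privapp_data_file sdk_sandbox_data_file }`.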
@@ -72,7 +72,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
@@ -136,7 +136,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
+neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/keys.conf b/private/keys.conf
index 362e73d..30739f9 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -11,6 +11,9 @@
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+[@SDK_SANDBOX]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
+
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
diff --git a/private/lmkd.te b/private/lmkd.te
index 13828a4..51d6204 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,6 @@
# Get persist.device_config.lmk_native.* properties.
get_prop(lmkd, device_config_lmkd_native_prop)
-allow lmkd fs_bpf:dir search;
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c1..ec3df0f 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,6 +51,11 @@
<seinfo value="platform" />
</signer>
+ <!-- Sdk Sandbox key -->
+ <signer signature="@SDK_SANDBOX" >
+ <seinfo value="sdk_sandbox" />
+ </signer>
+
<!-- Media key in AOSP -->
<signer signature="@MEDIA" >
<seinfo value="media" />
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index bcbbfcc..630183e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -65,6 +65,5 @@
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
-allow mediaprovider_app fs_bpf:dir search;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/net.te b/private/net.te
new file mode 100644
index 0000000..25bd538
--- /dev/null
+++ b/private/net.te
@@ -0,0 +1,17 @@
+# Bind to ports.
+allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -sdk_sandbox
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
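Review bot: The three bind rules write their type sets as `{netdomain -ephemeral_app -sdk_sandbox}` while the netlink rule below uses the spaced, one-name-per-line form; `{ netdomain -ephemeral_app -sdk_sandbox }` keeps the new file consistent with the rest of the policy. The comment for the netlink rule explains the untrusted_app exclusion but nothing explains why ephemeral_app and sdk_sandbox are kept out of node_bind/name_bind; a one-line `# ephemeral and sandbox processes must not accept inbound connections` (or whatever the actual intent is) would document the network posture being enforced.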
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 06aadc2..af0360f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,6 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
allow netutils_wrapper fs_bpf:file { read write };
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/odsign.te b/private/odsign.te
index bf097d7..86a0a6b 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -44,18 +44,14 @@
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
-# For CompOS instance & key files
-allow odsign apex_compos_data_file:dir { getattr search };
-allow odsign apex_compos_data_file:file r_file_perms;
-
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-# Run compos_verify_key to verify CompOs instances
-domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
+# Run compos_verify to verify CompOs signatures
+domain_auto_trans(odsign, compos_verify_exec, compos_verify)
# only odsign can set odsign sysprop
set_prop(odsign, odsign_prop)
diff --git a/private/platform_app.te b/private/platform_app.te
index 20c9820..b723633 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -40,6 +40,10 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+ set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
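Review bot: The new `neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;` carves out dumpstate on user builds without a comment; if dumpstate only reads these properties the exclusion can be dropped, and if it must set them the reason belongs on the line. The same property type also gains `set_prop` in shell.te under userdebug_or_eng, so a neverallow that governs all setters is easy to miss buried among the `com.android.systemui` rules here; a comment naming it as the authoritative guard, or moving it beside the property declaration, would help the next person who adds a setter.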
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 1dc6849..f83d4a8 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -52,6 +52,9 @@
binder_call(profcollectd, system_server)
add_service(profcollectd, profcollectd_service)
+ # Allow profcollectd to request wakelock from system-suspend.
+ wakelock_use(profcollectd)
+
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
# by reading /proc/kallsyms, get module start address by reading /proc/modules.
set_prop(profcollectd, lower_kptr_restrict_prop)
diff --git a/private/property_contexts b/private/property_contexts
index dcaa432..04e77e4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -73,6 +73,7 @@
persist.sys.tap_gesture u:object_r:gesture_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
+dynamic_system.data_transfer.shared_memory.size u:object_r:dynamic_system_prop:s0 exact uint
ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
@@ -102,6 +103,7 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug. u:object_r:persist_wm_debug_prop:s0
# Suspend service properties
suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
@@ -256,6 +258,9 @@
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+# F2FS smart idle maint prop
+persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+
# MM Events config props
persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
@@ -339,6 +344,9 @@
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# spatializer functionality should be initialized
+ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
@@ -483,6 +491,7 @@
bluetooth.profile.bap.broadcast.assist.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.bap.broadcast.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.bap.unicast.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bas.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.bass.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.csip.set_coordinator.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.gatt.enabled u:object_r:bluetooth_config_prop:s0 exact bool
@@ -506,6 +515,7 @@
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
+persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
@@ -574,6 +584,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
@@ -588,6 +599,7 @@
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
new file mode 100644
index 0000000..b18b7dd
--- /dev/null
+++ b/private/sdk_sandbox.te
@@ -0,0 +1,90 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow access to sdksandbox data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
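Review bot: The comment on the udp_socket rule says the sandbox may not modify system_server's sockets "other than to connect", but the granted set includes `setopt`, which changes socket options; either drop `setopt` or reword the comment to describe what is actually permitted, e.g. `# ... but not bind, listen or shut them down`. `neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };` looks subsumed by the later `no_rw_file_perms` neverallow on the same types if that macro includes the no_x perms as its name suggests — worth checking and removing the duplicate so each prohibition is stated once. `neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;` brackets a single type where every other rule in the file writes it bare. Also "traced damon" in the perfetto comment should read "traced daemon".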
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 5cf0711..78a98e1 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -26,6 +26,7 @@
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
+# user=_sdksandbox will match sdk sandbox process for an app.
# Other values of user are matched against the name associated with the process
# UID.
# seinfo= matches aginst the seinfo tag for the app, determined from
@@ -137,6 +138,9 @@
isSystemServer=true domain=system_server_startup
+# sdksandbox must run in the sdksandbox domain
+neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
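Review bot: The new guard `neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*` keys on the package name, while the mac_permissions.xml hunk in this change introduces a signer that yields `seinfo=sdk_sandbox` for the sandbox signing certificate; if the package is signed with that key, keying this neverallow (or an additional one) on `seinfo=sdk_sandbox` ties the domain guarantee to the certificate rather than to a name, which is the stronger property. The comment `# sdksandbox must run in the sdksandbox domain` names the domain differently from the rule that follows; `# com.android.sdksandbox must run in the sdk_sandbox domain` avoids the mismatch.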
@@ -149,6 +153,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
+user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index d73e84e..ee5b6a9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
@@ -73,6 +75,7 @@
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
@@ -295,6 +298,7 @@
safety_center u:object_r:safety_center_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
+sdk_sandbox u:object_r:sdk_sandbox_service:s0
search u:object_r:search_service:s0
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
diff --git a/private/shell.te b/private/shell.te
index 63746f6..ae5ff55 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -130,6 +130,10 @@
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
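Review bot: The comment says shell reads "updated APEXes under /data/apex", but the grant is `search` on `apex_data_file` directories plus `r_file_perms` on `staging_data_file` files, with no directory permission on staging_data_file shown; if staged APEXes sit in a directory labelled staging_data_file, these two rules alone do not let shell traverse into it, unless that search already exists elsewhere. A comment naming which label each directory level carries, e.g. `# /data/apex dirs are apex_data_file; staged APEX files are staging_data_file`, would let the next reader check the pair is complete.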
@@ -223,3 +227,6 @@
# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
diff --git a/private/system_server.te b/private/system_server.te
index 682be60..7ca6019 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -472,6 +472,7 @@
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
+allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;
@@ -736,6 +737,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, smart_idle_maint_enabled_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -799,6 +801,9 @@
# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)
+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -1130,7 +1135,6 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
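Review bot: Removing `allow system_server fs_bpf:dir search;` while keeping the file read/write rule leaves the comment above describing map access with no visible path to the directory; presumably `search` is now inherited through the `bpfdomain` attribute, which other domains join elsewhere in this change, but nothing in the hunk says so. A trailing note such as `# fs_bpf:dir search is granted via bpfdomain` would make the dependency explicit. The identical deletion in public/netd.te has the same gap.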
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fb..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
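Review bot: `hal_drm_client` now excludes `sdk_sandbox`, but `hal_codec2_client` on the line above and the Configstore HAL client set below still exclude only `isolated_app`, and nothing in the change states whether an SDK sandbox should be a codec2 or configstore client. If DRM is the only intended exclusion, a one-line comment next to the codec2 set saying so would prevent the obvious follow-up patch; if not, the other two sets need the same `(not (or (isolated_app) (sdk_sandbox)))` form. The private policy in this change already pairs the DRM exclusion with a neverallow on `hal_drm_service` find, so that side is consistent.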
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e4004e4..3171ee0 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -25,6 +25,7 @@
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
+ sdk_sandbox_data_file
storaged_data_file
system_data_file
vold_data_file
@@ -40,6 +41,7 @@
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
+ sdk_sandbox_data_file
storaged_data_file
system_data_file
vold_data_file
diff --git a/public/app.te b/public/app.te
index 09e30ca..da24012 100644
--- a/public/app.te
+++ b/public/app.te
@@ -203,6 +203,9 @@
# allow system_app to access Nfc-related system properties.
set_prop(system_app, nfc_prop)
+# allow system_app to access radio_config system properties.
+set_prop(system_app, radio_control_prop)
+
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
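Review bot: The comment above the new `set_prop` names "radio_config system properties" while the rule grants `radio_control_prop`; one of the two is wrong, and the comment is the cheaper fix: `# allow system_app to access radio_control system properties.`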
diff --git a/public/charger_vendor.te b/public/charger_vendor.te
index 2dd106f..d8f3bb2 100644
--- a/public/charger_vendor.te
+++ b/public/charger_vendor.te
@@ -2,3 +2,5 @@
type charger_vendor, charger_type, domain;
hal_server_domain(charger_vendor, hal_health)
+
+typeattribute charger_vendor bpfdomain;
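Review bot: `typeattribute charger_vendor bpfdomain;` is added with no comment, and the same bare attribute assignment appears in vendor/hal_health_default.te; neither says what the attribute is meant to unlock. Both domains are hal_health servers, and public/hal_health.te in this change grants `fs_bpf_vendor` read and `bpfloader:bpf prog_run`, so a comment such as `# bpfdomain is required alongside the hal_health_server bpf rules to run vendor bpf programs` would tie the pieces together — adjust if the attribute's purpose is different.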
diff --git a/public/device.te b/public/device.te
index 686f955..4ca8a6f 100644
--- a/public/device.te
+++ b/public/device.te
@@ -121,3 +121,6 @@
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
+
+# Root disk file for disk tunables
+type rootdisk_sysdev, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 2be67f5..0edd887 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,6 +88,8 @@
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
+allow domain binderfs_features:dir search;
+allow domain binderfs_features:file r_file_perms;
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
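Review bot: The two new `binderfs_features` rules give every domain search and read on the type with no comment on what it labels, while the neighbouring binderfs rules each carry one, and the type's declaration in public/file.te in this change is uncommented as well. A line such as `# <path labelled binderfs_features> is readable by all domains` — with the path taken from the genfs/file_contexts entry, which is not in this diff — would keep the block self-explanatory.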
@@ -1027,19 +1029,7 @@
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -incidentd
- -system_server
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
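Review bot: The collapsed neverallow now forbids every domain, including tombstoned and crash_dump themselves, from connecting to `tombstoned_crash_socket`, and the hunk leaves no comment on why the former exemptions and the "can't exec crash_dump" list are no longer needed. If the policy still compiles, no allow rule remains, which suggests crash reporting reaches tombstoned by another route now; a comment above the line, e.g. `# No domain may connect to tombstoned's crash socket; crash_dump reaches it via <mechanism>` with the mechanism filled in, would stop the exemptions from being re-added later.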
@@ -1129,24 +1119,6 @@
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
- -iorap_inode2filename
- -traced_probes # resolve inodes for i/o tracing.
- # only needs open and read, the rest is neverallow in
- # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 18f481b..871403a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -157,6 +157,7 @@
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_contexthub)
+dump_hal(hal_drm)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/file.te b/public/file.te
index c0b7679..55f65b6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
+type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
@@ -300,6 +301,7 @@
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
+type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
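Review bot: `game_mode_intervention_list_file` is declared directly under the `TODO(b/129332765)` comment that explains `packages_list_file`, so it reads as if the TODO and the "find out users of system_data_file" note apply to it too; a short comment of its own, e.g. `# <path of the game mode intervention list>, written by system_server`, would separate the two. The only consumer visible in this change is the `create_file_perms` grant to system_server in private/system_server.te.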
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d1970b9..52caa00 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -7,6 +7,8 @@
allow hal_audio ion_device:chr_file r_file_perms;
+binder_call(hal_audio_server, servicemanager)
+
r_dir_file(hal_audio, proc)
r_dir_file(hal_audio, proc_asound)
allow hal_audio_server audio_device:dir r_dir_perms;
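Review bot: `binder_call(hal_audio_server, servicemanager)` is added without a comment and sits between an ion_device rule and the proc reads rather than with the other binder rules; `# AIDL audio HAL registers its services with servicemanager` would record why the HAL now talks to servicemanager. The matching `hal_audio_service:service_manager add` grant is not in this hunk — the service_contexts entries are added in this change, so presumably the add rule lives elsewhere; worth confirming.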
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 7327256..3dbc1d8 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -31,6 +31,10 @@
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:global_capability_class_set sys_nice;
+# allow surfaceflinger to use a pipe for dumpsys output
+allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
+
+
binder_call(hal_graphics_composer_client, servicemanager)
binder_call(hal_graphics_composer_server, servicemanager)
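Review bot: The new rule lets `hal_graphics_composer_server` write to the fifo of every `hal_graphics_composer_client`, while the comment says only surfaceflinger needs the dumpsys pipe; if that is the whole use case, `allow hal_graphics_composer_server surfaceflinger:fifo_file write;` narrows the grant to it, and surfaceflinger is a public type so the rule can stay in this file. The hunk also leaves two consecutive blank lines before the binder_call rules where the file otherwise uses one.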
diff --git a/public/hal_health.te b/public/hal_health.te
index e2a6a60..5d7aff5 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -26,3 +26,8 @@
# Allow to use timerfd to wake itself up periodically to send health info.
allow hal_health_server self:capability2 wake_alarm;
+
+# Use bpf programs
+allow hal_health_server fs_bpf_vendor:dir search;
+allow hal_health_server fs_bpf_vendor:file read;
+allow hal_health_server bpfloader:bpf prog_run;
diff --git a/public/init.te b/public/init.te
index 362c41e..5139038 100644
--- a/public/init.te
+++ b/public/init.te
@@ -36,8 +36,9 @@
allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
@@ -625,6 +626,9 @@
# allow filesystem tuning
allow init userdata_sysdev:file create_file_perms;
+# allow disk tuning
+allow init rootdisk_sysdev:file create_file_perms;
+
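Review bot: `create_file_perms` on `rootdisk_sysdev:file` mirrors the userdata_sysdev line above it, but that set also carries `create`, `unlink`, `rename` and `setattr`, none of which a sysfs tunable needs; `allow init rootdisk_sysdev:file rw_file_perms;` expresses "read and write the tunable" without the surplus. If the wider set was chosen deliberately to match userdata_sysdev, a comment saying so would keep the question from recurring.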
###
### neverallow rules
###
diff --git a/public/installd.te b/public/installd.te
index 1ef4fc7..84ef1fd 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -115,6 +115,16 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Allow setting extended attributes (for project quota IDs) on dirs and files
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
+allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
# Similar for the files under /data/misc/profiles/
allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
allow installd user_profile_data_file:dir { create_dir_perms relabelto };
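Review bot: The type set on the new `allowxperm` line is missing the space before its closing brace (`install_data_file}`), which breaks the `{ a b }` form used on the two `allow` lines just above; `allowxperm installd { app_data_file_type system_data_file install_data_file }:{ dir file } ioctl {` keeps it uniform. The third comment line reads as a changelog entry ("Added install_data_file to be able to ...") rather than a description; `# install_data_file covers /data/misc/installd/ioctl_check` states the same fact in the file's usual voice. An allowxperm only filters ioctls that a plain `allow ... ioctl` already grants — that allow is visible here for app_data_file_type but not for system_data_file or install_data_file, so presumably it exists outside the hunk.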
diff --git a/public/net.te b/public/net.te
index 714bcde..31c9c45 100644
--- a/public/net.te
+++ b/public/net.te
@@ -13,23 +13,8 @@
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps.
-# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
- netdomain
- -ephemeral_app
- -mediaprovider
- -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/netd.te b/public/netd.te
index 899df88..64b4c7d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,7 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
diff --git a/public/property.te b/public/property.te
index 7957f8c..55d94b8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -74,11 +74,13 @@
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(persist_wm_debug_prop)
system_restricted_prop(power_debug_prop)
system_restricted_prop(property_service_version_prop)
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
diff --git a/public/rootdisk_sysdev.te b/public/rootdisk_sysdev.te
new file mode 100644
index 0000000..f92fd79
--- /dev/null
+++ b/public/rootdisk_sysdev.te
@@ -0,0 +1 @@
+allow rootdisk_sysdev sysfs:filesystem associate;
diff --git a/public/service.te b/public/service.te
index afe1006..dbd9bfa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -61,6 +61,7 @@
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
+type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -198,6 +199,7 @@
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 074ff2e..8328140 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,3 +1,6 @@
+# Domain used for su processes, as well as for adbd and adb shell
+# after performing an adb root command.
+
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
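Review bot: Moving the domain description to the top of the file drops its last sentence — that the rules are wrapped in `userdebug_or_eng` so they do not exist on -user builds — and that is the part a reader of the wrapped block most needs. Keep it next to the wrapper in this file's second hunk, e.g. `# Everything below is wrapped so that it does not exist at all on -user builds.`, and leave the relocated two-line description as is.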
@@ -6,9 +9,6 @@
type su_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
typeattribute su mlstrustedsubject;
# Add su to various domains
@@ -22,6 +22,7 @@
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
+ dontaudit su domain:anon_inode *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
diff --git a/public/te_macros b/public/te_macros
index 5c3438f..58d04b4 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Suppress errors generate during bugreport
+dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
# This domain may not use userfaultfd anon_inodes created by other domains.
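Review bot: The added comment has a typo, "errors generate" for "errors generated"; `# Suppress errors generated during bugreport` reads correctly. The `dontaudit su ...` line in a public macro is fine only because `type su, domain;` is declared regardless of build variant, as the su.te hunk in this change confirms; a half-sentence noting that (`# su exists on all variants, so this is safe in a public macro`) would save the next reader the check.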
@@ -191,6 +193,8 @@
# Let the client pass file descriptors to virtualizationservice and on
# to crosvm
allow { virtualizationservice crosvm } $1:fd use;
+# Allow piping console log to the client
+allow { virtualizationservice crosvm } $1:fifo_file write;
# Allow client to read/write vsock created by virtualizationservice to
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
@@ -1021,7 +1025,7 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
- allow $1 proc_bootconfig:file r_file_perms;
+ allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
')
######################################
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index e221eae..c8d5b46 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -77,6 +77,8 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
+
# TODO(b/214336258): move to Soong
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4faa05a..5a8d0aa 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
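Review bot: The new audio AIDL entry leaves the dot in `service-aidl.example` unescaped, so it matches any character, while the entries around it escape every literal dot (`service\.example`); `/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl\.example u:object_r:hal_audio_default_exec:s0` keeps the pattern literal. The existing audiocontrol-service.example line has the same slip, but it is not part of this change.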
@@ -32,7 +33,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
@@ -43,6 +44,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index d1d4559..59d6c39 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -14,6 +14,13 @@
# allow to use automotive display service
binder_call(hal_evs_default, automotive_display_service_server)
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+allow hal_evs_default fwk_automotive_display_service:service_manager find;
+
+# allow to use hidl token service to retrieve HGBP object
+allow hal_evs_default hidl_token_hwservice:hwservice_manager find;
+
+# allow to access data from surfaceflinger
+allow hal_evs_default surfaceflinger:fd use;
# allow to access EGL
allow hal_evs_default gpu_device:chr_file rw_file_perms;
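Review bot: The comment "allow to access data from surfaceflinger" is vaguer than the rule beneath it, which grants `fd use` only; `# allow to use file descriptors received from surfaceflinger` describes what is actually permitted. The two hwservice/service `find` grants above it are self-explanatory and need no change.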
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index a48c7b8..8e118e9 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -1,5 +1,8 @@
# health info abstraction
type hal_health_default, domain;
+
+typeattribute hal_health_default bpfdomain;
+
hal_server_domain(hal_health_default, hal_health)
type hal_health_default_exec, exec_type, vendor_file_type, file_type;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index b6b9e09..7c08468 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -30,3 +30,6 @@
# policy. This is dontaudited here to avoid conditional
# device-specific behavior in wpa_supplicant.
dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
+
+# Allow wpa supplicant to access Netlink Interceptor
+hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)