Merge "Fix too-broad allows granted to domain"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d5b61dc..dbd45f3 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -93,6 +93,11 @@
 # or not; if set, it executes kexec to load the crashkernel into memory.
 allow microdroid_manager proc_cmdline:file r_file_perms;
 
+# microdroid_manager needs to read /proc/stat and /proc_meminfo to collect CPU & memory usage
+# for creating atoms used in AVF telemetry metrics
+allow microdroid_manager proc_meminfo:file r_file_perms;
+allow microdroid_manager proc_stat:file r_file_perms;
+
 # Allow microdroid_manager to read/write failure serial device
 allow microdroid_manager serial_device:chr_file w_file_perms;
 
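Review bot: The comment above the new proc_meminfo rule names the wrong path: it says `/proc_meminfo` where the file the proc_meminfo type labels is `/proc/meminfo`; change the line to `# microdroid_manager needs to read /proc/stat and /proc/meminfo to collect CPU & memory usage`. The two grants themselves are read-only (r_file_perms) and scoped to the two labelled files, so their scope matches the stated telemetry need.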
diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/prebuilts/api/33.0/private/kernel.te
+++ b/prebuilts/api/33.0/private/kernel.te
@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into
diff --git a/private/crosvm.te b/private/crosvm.te
index 034107f..c750b50 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -42,7 +42,7 @@
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
 # Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
 
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
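Review bot: The added `getopt` permission is not covered by the comment block directly above, which documents each permission on this socket individually (read/write/getattr for polling, accept for new connections); add a matching line such as `#   getopt: getsockopt on the listener socket` so that list stays complete. That comment block begins before the hunk. getopt maps to getsockopt, which only reads socket options, so the widening is small, but the reason crosvm now needs it is not visible in the hunk and belongs in that comment.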
diff --git a/private/kernel.te b/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into
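Review bot: The new dontaudit block in private/kernel.te (and its identical copy in prebuilts/api/33.0/private/kernel.te) has no comment saying which denials it suppresses or why, unlike the block that follows it, which ties its suppressions to the Apex sepolicy setup window. Several of these silence access that would matter if it happened at any other time — `sysfs:file { open read write }`, `dm_user_device:chr_file { create setattr }` and `self:capability { sys_admin setgid mknod }` on the kernel domain — so once audited away a regression in that behaviour would be invisible in the logs. Add a header comment naming the boot phase and tracking bug, e.g. `# Denials seen from the kernel domain during <boot phase — confirm>; suppressed rather than allowed. TODO(b/<bug id>): remove once the source is fixed.`, and say whether the two groups separated by the blank line come from different sources. If they are in fact the same early-boot window the next comment describes, merging them into that block would make the intent clearer.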
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d851ab7..12310d2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,131 @@
 net_domain(sdk_sandbox)
 app_domain(sdk_sandbox)
 
+# TODO(b/252967582): remove this rule if it generates too much logs traffic.
+auditallow sdk_sandbox {
+    property_type
+    # remove expected properties to reduce noise.
+    -servicemanager_prop
+    -hwservicemanager_prop
+    -use_memfd_prop
+    -binder_cache_system_server_prop
+    -graphics_config_prop
+    -persist_wm_debug_prop
+    -aaudio_config_prop
+    -adbd_config_prop
+    -apex_ready_prop
+    -apexd_select_prop
+    -arm64_memtag_prop
+    -audio_prop
+    -binder_cache_bluetooth_server_prop
+    -binder_cache_telephony_server_prop
+    -bluetooth_config_prop
+    -boot_status_prop
+    -bootloader_prop
+    -bq_config_prop
+    -build_odm_prop
+    -build_prop
+    -build_vendor_prop
+    -camera2_extensions_prop
+    -camera_calibration_prop
+    -camera_config_prop
+    -camerax_extensions_prop
+    -codec2_config_prop
+    -config_prop
+    -cppreopt_prop
+    -dalvik_config_prop
+    -dalvik_prop
+    -dalvik_runtime_prop
+    -dck_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_config_memory_safety_native_prop
+    -device_config_nnapi_native_prop
+    -device_config_runtime_native_boot_prop
+    -device_config_runtime_native_prop
+    -dhcp_prop
+    -dumpstate_prop
+    -exported3_system_prop
+    -exported_config_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_pm_prop
+    -exported_system_prop
+    -ffs_config_prop
+    -fingerprint_prop
+    -framework_status_prop
+    -gwp_asan_prop
+    -hal_instrumentation_prop
+    -hdmi_config_prop
+    -heapprofd_prop
+    -hw_timeout_multiplier_prop
+    -init_service_status_private_prop
+    -init_service_status_prop
+    -libc_debug_prop
+    -lmkd_config_prop
+    -locale_prop
+    -localization_prop
+    -log_file_logger_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -media_config_prop
+    -media_variant_prop
+    -mediadrm_config_prop
+    -module_sdkextensions_prop
+    -net_radio_prop
+    -nfc_prop
+    -nnapi_ext_deny_product_prop
+    -ota_prop
+    -packagemanager_config_prop
+    -pan_result_prop
+    -permissive_mte_prop
+    -persist_debug_prop
+    -pm_prop
+    -powerctl_prop
+    -property_service_version_prop
+    -radio_control_prop
+    -radio_prop
+    -restorecon_prop
+    -rollback_test_prop
+    -sendbug_config_prop
+    -setupwizard_prop
+    -shell_prop
+    -soc_prop
+    -socket_hook_prop
+    -sqlite_log_prop
+    -storagemanager_config_prop
+    -surfaceflinger_color_prop
+    -surfaceflinger_prop
+    -system_prop
+    -system_user_mode_emulation_prop
+    -systemsound_config_prop
+    -telephony_config_prop
+    -telephony_status_prop
+    -test_harness_prop
+    -timezone_prop
+    -usb_config_prop
+    -usb_control_prop
+    -usb_prop
+    -userdebug_or_eng_prop
+    -userspace_reboot_config_prop
+    -userspace_reboot_exported_prop
+    -userspace_reboot_log_prop
+    -userspace_reboot_test_prop
+    -vendor_socket_hook_prop
+    -vndk_prop
+    -vold_config_prop
+    -vold_prop
+    -vold_status_prop
+    -vts_config_prop
+    -vts_status_prop
+    -wifi_log_prop
+    -zygote_config_prop
+    -zygote_wrap_prop
+    -init_service_status_prop
+}:file { getattr open read map };
+
 # Allow finding services. This is different from ephemeral_app policy.
 # Adding services manually to the allowlist is preferred hence app_api_service is not used.