Merge "Add Suspend service fuzzers to bindings"
diff --git a/README.apps.md b/README.apps.md
new file mode 100644
index 0000000..bdb13e9
--- /dev/null
+++ b/README.apps.md
@@ -0,0 +1,57 @@
+The policy defines multiple types and attributes for apps. This document is a
+high-level overview of these. For further details on each type, refer to their
+specific files in the public/ and private/ directories.
+
+## appdomain
+In general, all apps will have the `appdomain` attribute. You can think of
+`appdomain` as any app started by Zygote. The macro `app_domain()` should be
+used to define a type that is considered an app (see public/te_macros).
+
+## untrusted_app
+Third-party apps (for example, installed from the Play Store), targeting the
+most recent SDK version will be typed as `untrusted_app`. This is the default
+domain for apps, unless a more specific criteria applies.
+
+When an app is targeting a previous SDK version, it may have the
+`untrusted_app_xx` type where xx is the targetSdkVersion. For instance, an app
+with `targetSdkVersion = 32` in its manifest will be typed as `untrusted_app_32`.
+Not all targetSdkVersion have a specific type, some version are skipped when no
+differences were introduced (see public/untrusted_app.te for more details).
+
+The `untrusted_app_all` attribute can be used to reference all the types
+described in this section (that is, `untrusted_app`, `untrusted_app_30`,
+`untrusted_app_32`, etc.).
+
+## isolated_app
+Apps may be restricted when using isolatedProcess=true in their manifest. In
+this case, they will be assigned the `isolated_app` type. A similar type
+`isolated_compute_app` exist for some restricted services.
+
+Both types `isolated_app` and `isolated_compute_app` are grouped under the
+attribute `isolated_app_all`.
+
+## ephemeral_app
+Apps that are run without installation. These are apps deployed for example via
+Google Play Instant. These are more constrained than `untrusted_app`.
+
+## sdk_sandbox
+SDK runtime apps, installed as part of the Privacy Sandbox project. These are
+sandboxed to limit their communication channels.
+
+## platform_app
+Apps that are signed with the platform key. These are installed within the
+system or vendor image. com.android.systemui is an example of an app running
+with this type.
+
+## system_app
+Apps pre-installed on a device, signed by the platform key and running with the
+system UID. com.android.settings is an example of an app running with this
+type.
+
+## priv_app
+Apps shipped as part of the device and installed in one of the
+`/{system,vendor,product}/priv-app` directories.
+com.google.android.apps.messaging is an example of an app running as priv_app.
+Permissions for these apps need to be explicitly granted, see
+https://source.android.com/docs/core/permissions/perms-allowlist for more
+details.
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7ff0702..dac85a2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -260,14 +260,14 @@
"gnss_time_update_service": EXCEPTION_NO_FUZZER,
"grammatical_inflection": EXCEPTION_NO_FUZZER,
"graphicsstats": EXCEPTION_NO_FUZZER,
- "gpu": EXCEPTION_NO_FUZZER,
+ "gpu": []string{"gpu_service_fuzzer"},
"hardware": EXCEPTION_NO_FUZZER,
"hardware_properties": EXCEPTION_NO_FUZZER,
"hdmi_control": EXCEPTION_NO_FUZZER,
"healthconnect": EXCEPTION_NO_FUZZER,
"ions": EXCEPTION_NO_FUZZER,
"idmap": EXCEPTION_NO_FUZZER,
- "incident": EXCEPTION_NO_FUZZER,
+ "incident": []string{"incidentd_service_fuzzer"},
"incidentcompanion": EXCEPTION_NO_FUZZER,
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
diff --git a/private/app.te b/private/app.te
index da60086..754c802 100644
--- a/private/app.te
+++ b/private/app.te
@@ -48,11 +48,6 @@
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
@@ -267,6 +262,9 @@
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index 30ceb24..2cffdd8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -87,8 +87,13 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process), and MTE bootloader override to be
+# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
+get_prop(domain, device_config_runtime_native_boot_prop);
+get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 1f84eca..7ad8feb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,9 +35,6 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
diff --git a/private/property_contexts b/private/property_contexts
index 8135ae5..102c111 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -406,6 +406,8 @@
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
+ro.camera.disableJpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 9a3f05f..6e7ba50 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -28,6 +28,9 @@
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
###
### neverallow rules
###
@@ -64,7 +67,7 @@
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..6fd16ca
--- /dev/null
+++ b/private/sdk_sandbox_next.te
@@ -0,0 +1,89 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for a test set of restrictions. These restrictions will be adapted
+### with modifications, into the set of restrictions for the next SDK
+### level.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index fbdd93f..4454bd7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
+# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index db6820d..4356c26 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1207,6 +1207,7 @@
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
+ allow system_server user_profile_data_file:dir w_dir_perms;
allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
diff --git a/public/netd.te b/public/netd.te
index e3ea1cb..3854017 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,7 +80,7 @@
allow netd system_file:file lock;
# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
+allow netd dnsmasq:process { sigkill signal };
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e57a6b3..0d7a4d1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,6 +214,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },