Merge "Allow sysfs_dm in fsck.f2fs"

commit: c53f08e3b304437db2f4685c3811fac7ee722e8b [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Tue May 24 20:03:57 2022 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue May 24 20:03:57 2022 +0000
tree: 1e17039715e91a1e196be1d7930a14c1711bd96d
parent: b947c738505c39d5354b9aae6d2d26254e0df0e6 [diff]
parent: 74a884b23f69bc264a3cb2619d8e65cd2d0ff077 [diff]
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 1afa50f..4161dc9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te

@@ -19,6 +19,8 @@
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
 type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
 

diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index af51799..e21c18c 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts

@@ -691,6 +691,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+
 # App data snapshots (managed by installd).
 /data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
 /data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0

diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
index 251a14f..538641d 100644
--- a/prebuilts/api/33.0/private/installd.te
+++ b/prebuilts/api/33.0/private/installd.te

@@ -48,3 +48,6 @@
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
 
 allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };

diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index b18b7dd..7ca323f 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te

@@ -39,7 +39,10 @@
 allow sdk_sandbox system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
 allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
 
@@ -88,3 +91,29 @@
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
 
 neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+    domain
+    -init
+    -installd
+    -sdk_sandbox
+    -system_server
+    -vold_prepare_subdirs
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;

diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 6d9d960..ba097f2 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te

@@ -72,6 +72,9 @@
 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
 allow system_server sysfs_fs_f2fs:file r_file_perms;
 
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
index 818660c..ddb2828 100644
--- a/prebuilts/api/33.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te

@@ -12,6 +12,7 @@
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
+  sdk_sandbox_system_data_file
   system_data_file
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
     rollback_data_file
     storaged_data_file
     sdk_sandbox_data_file
+    sdk_sandbox_system_data_file
     system_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };

diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index c5ba180..41245c2 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te

@@ -62,9 +62,10 @@
 # Bind mount on /data/data and mounted volumes
 allow zygote { system_data_file mnt_expand_file }:dir mounton;
 
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
 
 # Zygote opens /mnt/expand to mount CE DE storage on each vol
 allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
   app_data_file_type
   system_data_file
   mnt_expand_file
+  sdk_sandbox_system_data_file
 }:dir getattr;
 
 # Allow zygote to create JIT memory.

diff --git a/private/file.te b/private/file.te
index 1afa50f..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te

@@ -19,6 +19,8 @@
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
 type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
 

diff --git a/private/file_contexts b/private/file_contexts
index addbb13..5490059 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -337,7 +337,7 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:system_suspend_exec:s0
+/system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
@@ -696,6 +696,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+
 # App data snapshots (managed by installd).
 /data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
 /data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0

diff --git a/private/installd.te b/private/installd.te
index 251a14f..538641d 100644
--- a/private/installd.te
+++ b/private/installd.te

@@ -48,3 +48,6 @@
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
 
 allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };

diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d30d3d9..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te

@@ -105,7 +105,10 @@
 allow sdk_sandbox system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
 allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
 
@@ -154,3 +157,29 @@
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
 
 neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+    domain
+    -init
+    -installd
+    -sdk_sandbox
+    -system_server
+    -vold_prepare_subdirs
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;

diff --git a/private/system_app.te b/private/system_app.te
index 4888072..df03566 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -111,6 +111,9 @@
 # suppress denials caused by debugfs_tracing
 dontaudit system_app debugfs_tracing:file rw_file_perms;
 
+# Ignore access to zram when Debug.getMemInfo is called.
+dontaudit system_app sysfs_zram:dir search;
+
 allow system_app keystore:keystore_key {
     get_state
     get

diff --git a/private/system_server.te b/private/system_server.te
index 78817b1..85675de 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -72,6 +72,9 @@
 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
 allow system_server sysfs_fs_f2fs:file r_file_perms;
 
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 24007ed..dcd5a9e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te

@@ -12,6 +12,7 @@
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
+  sdk_sandbox_system_data_file
   system_data_file
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -25,8 +26,9 @@
     fingerprint_vendor_data_file
     iris_vendor_data_file
     rollback_data_file
-    sdk_sandbox_data_file
     storaged_data_file
+    sdk_sandbox_data_file
+    sdk_sandbox_system_data_file
     system_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };

diff --git a/private/zygote.te b/private/zygote.te
index ab97f5b..baffcc4 100644
--- a/private/zygote.te
+++ b/private/zygote.te

@@ -98,12 +98,13 @@
 # when setting up app data isolation.
 allow zygote tmpfs:lnk_file create;
 
-# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
 # standard labels.  Note: it seems that not all dirs are actually relabeled yet,
 # but it works anyway since all domains can search tmpfs:dir.
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_userdir_file:dir relabelto;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
 
 # Read if sdcardfs is supported
 allow zygote proc_filesystems:file r_file_perms;

diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 04d0b59..c7049fd 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te

@@ -7,6 +7,8 @@
 allow hal_neuralnetworks hal_allocator:fd use;
 allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
 allow hal_neuralnetworks hal_graphics_allocator:fd use;
+allow hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+allow hal_neuralnetworks gpu_device:dir r_dir_perms;
 
 # Allow NN HAL service to use a client-provided fd residing in /data/data/.
 allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
commit	c53f08e3b304437db2f4685c3811fac7ee722e8b	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Tue May 24 20:03:57 2022 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue May 24 20:03:57 2022 +0000
tree	1e17039715e91a1e196be1d7930a14c1711bd96d
parent	b947c738505c39d5354b9aae6d2d26254e0df0e6 [diff]
parent	74a884b23f69bc264a3cb2619d8e65cd2d0ff077 [diff]