Merge "remove inprocess tethering"
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3bfdcc8..3a49745 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -59,7 +59,9 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
+ setupwizard_esim_prop
shutdown_checkpoints_system_data_file
+ snapuserd_log_data_file
stats_config_data_file
sysfs_fs_fuse_features
system_net_netd_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..8abc646 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 7dc1741..a189d23 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -42,6 +42,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+ set_prop(fastbootd, boottime_prop)
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
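Review bot: The new `set_prop(fastbootd, boottime_prop)` is the only rule in this stretch without a comment saying why fastbootd needs to write these properties; both neighbouring rules carry one. Placed directly under the Virtual A/B mount comment it also reads as if that comment covered the property write. Suggest a blank line before it and a comment above it naming the fastbootd code path that sets the property, e.g. `# Allow fastbootd to set boottime_prop: <reason — fill in>`.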
diff --git a/private/file_contexts b/private/file_contexts
index b1c7508..bb86761 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -664,6 +664,7 @@
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/misc/snapuserd_log(/.*)? u:object_r:snapuserd_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 08c3902..297a876 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,6 +64,8 @@
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)
+neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
+
# Needed for querying permission
allow gpuservice permission_service:service_manager find;
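Review bot: The neverallow added after `set_prop(gpuservice, graphics_config_writable_prop)` is the compensating control for reclassifying graphics_config_writable_prop from system_restricted_prop to system_public_prop in public/property.te in this same change set (presumably so vendor domains such as hal_camera_default, which gains get_prop in vendor/hal_camera_default.te, can read it), but nothing at either site says so, and a reader of property.te sees only a loosening. Suggest a comment above the neverallow, e.g. `# graphics_config_writable_prop is system_public so vendor can read it; only init, vendor_init and gpuservice may set it (see public/property.te).` The other property-write neverallows touched by this change live in private/property.te next to the setupwizard rules, so moving this one there would keep the write restrictions in one place. Note that public/vendor_init.te also gains `set_prop(vendor_init, graphics_config_writable_prop)`, so the setter list is wider than gpuservice alone and the comment should say so.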
diff --git a/private/gsid.te b/private/gsid.te
index e795cea..9391016 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -150,7 +150,7 @@
allow gsid {
gsi_data_file
ota_image_data_file
-}:dir rw_dir_perms;
+}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
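Review bot: `}:dir create_dir_perms;` widens gsid from rw_dir_perms to create_dir_perms on gsi_data_file and ota_image_data_file, which (per the create_dir_perms macro) adds directory create, rmdir and rename, and no comment or commit text says which gsid operation needs that. Suggest a comment above the rule such as `# gsid creates/removes subdirectories under gsi_data_file and ota_image_data_file for <operation — fill in>`. The second `allow gsid {` block continues past the end of the hunk.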
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7ad8feb..1f84eca 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,6 +35,9 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
+# Read SDK sandbox data files
+allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
+
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
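Review bot: The comment `# Read SDK sandbox data files` above `allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };` understates the contract: the rule deliberately omits `open`, and the neverallow added to private/sdk_sandbox.te in this same change (`~{append read write getattr lock map}` for every domain except artd, init, installd, sdk_sandbox and vold_prepare_subdirs) means mediaprovider_app can only reach these files through a descriptor handed to it. Suggest `# Read SDK sandbox data files via FDs passed in from the sandbox; open is intentionally not granted (see the neverallow in sdk_sandbox.te).` The same applies to `allow mediaserver sdk_sandbox_data_file:file { getattr read };` in private/mediaserver.te.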
diff --git a/private/mediaserver.te b/private/mediaserver.te
index aaf49f6..f44cbde 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -19,6 +19,9 @@
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
+# Allow mediaserver to read SDK sandbox data files
+allow mediaserver sdk_sandbox_data_file:file { getattr read };
+
# Needed for stats callback registration to statsd.
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
diff --git a/private/property.te b/private/property.te
index 35f9bc7..928f86c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -598,6 +598,10 @@
-init
} setupwizard_prop:property_service set;
+neverallow {
+ domain
+ -init
+} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index d67d673..8135ae5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -949,6 +949,8 @@
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
+
ro.product.system.brand u:object_r:build_prop:s0 exact string
ro.product.system.device u:object_r:build_prop:s0 exact string
ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
@@ -1448,8 +1450,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
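Review bot: The re-added `ro.setupwizard.esim_cid_ignore` line is placed above `ro.setupwizard.enterprise_mode`, whereas the line it replaces sat between enterprise_mode and rotation_locked, so the ro.setupwizard.* group is no longer alphabetical; keeping it in its original position and changing only the label to `setupwizard_esim_prop` avoids the churn. The same ordering slip appears in public/property.te, where `system_restricted_prop(setupwizard_esim_prop)` is inserted before `system_restricted_prop(servicemanager_prop)`, and in public/vendor_init.te, where `set_prop(vendor_init, graphics_config_writable_prop)` is placed after the log_* entries.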
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 4806e6d..3aca881 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,208 +10,86 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
- property_type
- # remove expected properties to reduce noise.
- -servicemanager_prop
- -hwservicemanager_prop
- -use_memfd_prop
- -binder_cache_system_server_prop
- -graphics_config_prop
- -persist_wm_debug_prop
- -aaudio_config_prop
- -adbd_config_prop
- -apex_ready_prop
- -apexd_select_prop
- -arm64_memtag_prop
- -audio_prop
- -binder_cache_bluetooth_server_prop
- -binder_cache_telephony_server_prop
- -bluetooth_config_prop
- -boot_status_prop
- -bootloader_prop
- -bq_config_prop
- -build_odm_prop
- -build_prop
- -build_vendor_prop
- -camera2_extensions_prop
- -camera_calibration_prop
- -camera_config_prop
- -camerax_extensions_prop
- -codec2_config_prop
- -config_prop
- -cppreopt_prop
- -dalvik_config_prop_type
- -dalvik_prop
- -dalvik_runtime_prop
- -dck_prop
- -debug_prop
- -debuggerd_prop
- -default_prop
- -device_config_memory_safety_native_boot_prop
- -device_config_memory_safety_native_prop
- -device_config_nnapi_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -dhcp_prop
- -dumpstate_prop
- -exported3_system_prop
- -exported_config_prop
- -exported_default_prop
- -exported_dumpstate_prop
- -exported_pm_prop
- -exported_system_prop
- -ffs_config_prop
- -fingerprint_prop
- -framework_status_prop
- -gwp_asan_prop
- -hal_instrumentation_prop
- -hdmi_config_prop
- -heapprofd_prop
- -hw_timeout_multiplier_prop
- -init_service_status_private_prop
- -init_service_status_prop
- -libc_debug_prop
- -lmkd_config_prop
- -locale_prop
- -localization_prop
- -log_file_logger_prop
- -log_prop
- -log_tag_prop
- -logd_prop
- -media_config_prop
- -media_variant_prop
- -mediadrm_config_prop
- -module_sdkextensions_prop
- -net_radio_prop
- -nfc_prop
- -nnapi_ext_deny_product_prop
- -ota_prop
- -packagemanager_config_prop
- -pan_result_prop
- -permissive_mte_prop
- -persist_debug_prop
- -persist_sysui_builder_extras_prop
- -pm_prop
- -powerctl_prop
- -property_service_version_prop
- -radio_control_prop
- -radio_prop
- -restorecon_prop
- -rollback_test_prop
- -sendbug_config_prop
- -setupwizard_prop
- -shell_prop
- -soc_prop
- -socket_hook_prop
- -sqlite_log_prop
- -storagemanager_config_prop
- -surfaceflinger_color_prop
- -surfaceflinger_prop
- -system_prop
- -system_user_mode_emulation_prop
- -systemsound_config_prop
- -telephony_config_prop
- -telephony_status_prop
- -test_harness_prop
- -timezone_prop
- -usb_config_prop
- -usb_control_prop
- -usb_prop
- -userdebug_or_eng_prop
- -userspace_reboot_config_prop
- -userspace_reboot_exported_prop
- -userspace_reboot_log_prop
- -userspace_reboot_test_prop
- -vendor_socket_hook_prop
- -vndk_prop
- -vold_config_prop
- -vold_prop
- -vold_status_prop
- -vts_config_prop
- -vts_status_prop
- -wifi_log_prop
- -zygote_config_prop
- -zygote_wrap_prop
- -init_service_status_prop
-}:file { getattr open read map };
-
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
+allow sdk_sandbox {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
allow sdk_sandbox system_linker_exec:file execute_no_trans;
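Review bot: Collapsing the per-service allow lines into one `allow sdk_sandbox { … }:service_manager find;` block also adds four entries that were not in the removed list — cameraserver_service, ephemeral_app_api_service, mediadrmserver_service and radio_service — and neither the hunk nor a comment calls them out, so the permission widening is easy to miss behind the reformat. ephemeral_app_api_service looks like an attribute grouping many services rather than a single service, which sits uneasily with the comment kept just above the block ("Adding services manually to the allowlist is preferred hence app_api_service is not used"); if it is an attribute, either list its members individually or extend that comment to say why the attribute is acceptable here. A short comment naming the four additions and the reason for each would make the allowlist auditable again. The removal of the `auditallow` property-read block at the top of the hunk, which carried a TODO referencing b/252967582, also deserves a sentence in the commit message saying what the audit showed.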
@@ -297,6 +175,26 @@
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+# Only certain domains should be able to open and write to the SDK's data directory.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:dir ~{read getattr search};
+
+# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:file ~{append read write getattr lock map};
+
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 797a6c2..8cd9e63 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -57,6 +57,13 @@
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+# write to /data/misc/snapuserd_log
+allow snapuserd snapuserd_log_data_file:dir create_dir_perms;
+allow snapuserd snapuserd_log_data_file:file create_file_perms;
+
+# Read /proc/stat to determine boot time
+allow snapuserd proc_stat:file r_file_perms;
+
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
diff --git a/private/system_server.te b/private/system_server.te
index df0dfa7..db6820d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1106,10 +1106,9 @@
# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
-# Allow system process to measure fs-verity for apps, apps being installed and system files
-allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
+# Allow system process to measure fs-verity for apps, including those being installed
+allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
-allow system_server system_file:file ioctl;
# Postinstall
#
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 58d6efa..cc3678c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -259,6 +259,9 @@
# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
+# Access /data/misc/snapuserd_log
+allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
+allow dumpstate snapuserd_log_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
diff --git a/public/file.te b/public/file.te
index da76aee..7aad936 100644
--- a/public/file.te
+++ b/public/file.te
@@ -460,6 +460,7 @@
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 832bc8d..59a6df8 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -4,6 +4,6 @@
hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
+binder_use(hal_gnss_server)
+binder_use(hal_gnss_client)
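Review bot: Replacing `binder_call(…, servicemanager)` with `binder_use(…)` for both hal_gnss_server and hal_gnss_client is a widening (binder_use grants more than the servicemanager call it replaces, if its definition matches the usual te_macros one), and no comment explains why the client attribute needs it as well as the server. Suggest a comment above the pair naming the path that needs it, e.g. `# binder_use: needed so hal_gnss server and client can <reason — fill in> with servicemanager`.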
diff --git a/public/property.te b/public/property.te
index 8d6b8ee..076ced9 100644
--- a/public/property.te
+++ b/public/property.te
@@ -88,6 +88,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -101,7 +102,6 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-system_restricted_prop(graphics_config_writable_prop)
compatible_property_only(`
@@ -223,6 +223,7 @@
system_public_prop(ffs_control_prop)
system_public_prop(framework_status_prop)
system_public_prop(gesture_prop)
+system_public_prop(graphics_config_writable_prop)
system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 288d035..3942c27 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -251,6 +251,7 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, graphics_config_writable_prop)
set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index ff28a03..710e2df 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -13,6 +13,7 @@
# Allow reading graphics properties, specifically for EGL blobcache mode
get_prop(hal_camera_default, graphics_config_prop);
+get_prop(hal_camera_default, graphics_config_writable_prop);
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;