Merge "Add more neverallows to app_zygote policy."
diff --git a/Android.mk b/Android.mk
index 4387090..a6c4f2a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -194,7 +194,7 @@
plat_mapping_file \
$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
- plat_and_mapping_sepolicy.cil.sha256 \
+ plat_sepolicy_and_mapping.sha256 \
secilc \
LOCAL_REQUIRED_MODULES += \
@@ -249,7 +249,8 @@
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
- precompiled_sepolicy.plat_and_mapping.sha256 \
+ precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -289,6 +290,7 @@
product_service_contexts \
product_mac_permissions.xml \
product_mapping_file \
+ product_sepolicy_and_mapping.sha256 \
endif
include $(BUILD_PHONY_PACKAGE)
@@ -620,21 +622,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# TODO(b/119305624): Need one hash for system, one for product.
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_product_cil) \
-$(built_plat_mapping_cil) $(built_product_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
# plat_pub_versioned.cil - the exported platform policy associated with the version
# that non-platform policy targets.
LOCAL_MODULE := plat_pub_versioned.cil
@@ -804,14 +791,47 @@
all_cil_files :=
#################################
-# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# Precompiled sepolicy is loaded if and only if:
+# - plat_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+# AND
+# - product_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+# See system/core/init/selinux.cpp for details.
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
# which precompiled_policy was built.
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
ifeq ($(BOARD_USES_ODMIMAGE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
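Review bot: The digest recipes for plat_sepolicy_and_mapping.sha256 and product_sepolicy_and_mapping.sha256 (`cat $^ | sha256sum | cut -d' ' -f1 > $@`) take their exit status from `cut`, so a failure of `cat` or `sha256sum` still succeeds and leaves an empty digest in `$@`; the same applies to the two `cat $(PRIVATE_CIL_FILES) | ...` recipes in the next hunk. Since init compares these digests to decide whether the precompiled policy is trusted, a silently empty file would just force a boot-time compile, but the build should fail rather than ship it; a portable guard is `cat $^ | sha256sum | cut -d' ' -f1 > $@.tmp && test -s $@.tmp && mv -f $@.tmp $@` (or `set -o pipefail` if the build shell is known to be bash). As a point of style, the two new modules set `LOCAL_MODULE_PATH = ...` with `=` while the precompiled_sepolicy modules in the same file use `:=`; nothing here depends on late binding, so `:=` would be consistent.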
@@ -821,11 +841,29 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Need one hash for system, one for product.
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_product_cil) \
-$(built_plat_mapping_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_product_cil)\
-$(built_plat_mapping_cil) $(built_product_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
diff --git a/private/apexd.te b/private/apexd.te
index 5959035..5beaa4b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -67,6 +67,9 @@
# See b/35323867#comment3
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/bug_map b/private/bug_map
index 9747704..60a7337 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -29,4 +29,5 @@
system_server zygote process 77856826
usbd usbd capability 72472544
vrcore_app mnt_user_file dir 118185801
+webview_zygote system_data_file lnk_file 123246126
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3633181..c9c127f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -144,6 +144,8 @@
secure_element_tmpfs
secure_element_service
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
slice_service
staging_data_file
stats
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 3b7f7ff..ddd4e06 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -131,6 +131,8 @@
secure_element_service
secure_element_tmpfs
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
slice_service
stats
stats_data_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8797d67..7c1a78d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -25,6 +25,7 @@
content_suggestions_service
cpu_variant_prop
dev_cpu_variant
+ device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
@@ -86,6 +87,8 @@
runtime_service
sensor_privacy_service
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
super_block_device
system_event_log_tags_file
system_lmk_prop
diff --git a/private/file_contexts b/private/file_contexts
index 474c637..01c5bb0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -314,6 +314,7 @@
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
#############################
# Vendor files
diff --git a/private/property_contexts b/private/property_contexts
index d7563bc..3296a04 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -168,6 +168,7 @@
# Properties that relate to server configurable flags
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
new file mode 100644
index 0000000..8501826
--- /dev/null
+++ b/private/simpleperf_app_runner.te
@@ -0,0 +1,3 @@
+typeattribute simpleperf_app_runner coredomain;
+
+domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
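Review bot: The new private file carries no comment on the `domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)` line, so a reader has to cross-reference file_contexts and the public .te to see how the domain is entered. Suggest `# shell (adb) enters simpleperf_app_runner by exec of /system/bin/simpleperf_app_runner; the domain's permissions and neverallows live in public/simpleperf_app_runner.te.` above it.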
diff --git a/private/system_server.te b/private/system_server.te
index 30235e5..8aa7785 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -584,6 +584,7 @@
# server configurable flags properties
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_activity_manager_native_boot_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -852,11 +853,15 @@
allow system_server zygote_exec:file rx_file_perms;
')
-# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file read;
-allow system_server bpfloader:bpf map_read;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow system_server self:key_socket create;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
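Review bot: The new `allow system_server bpfloader:bpf { map_read map_write };` grants write on every bpf map labelled bpfloader, not only the traffic-stats maps the comment names, because the rule is keyed on the target label rather than a per-map type; if that breadth is intended the comment should say so, and if not the traffic-stats maps would need their own type — the page does not show how bpfloader labels its maps, so this is something to confirm. The `key_socket create` rule's TODO has no tracking bug and the sentence above it is hard to parse; suggest `# A key_socket is created only so that close() on it triggers synchronize_rcu() in the kernel (needed on 4.9 kernels).` followed by `# TODO(b/<bug-id>): remove once 4.9 kernels are no longer supported.`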
@@ -936,6 +941,7 @@
-system_server
-flags_health_check
} {
+ device_config_activity_manager_native_boot_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
}:property_service set;
diff --git a/public/domain.te b/public/domain.te
index 7c3a110..d29adc2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1205,8 +1205,9 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -app_zygote -webview_zygote -zygote } {
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
+# attribute.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
appdomain -shell userdebug_or_eng(`-su')
}:process { transition dyntransition };
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index e5677c3..835a82a 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -6,6 +6,7 @@
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/property.te b/public/property.te
index 980c3d0..379c4d3 100644
--- a/public/property.te
+++ b/public/property.te
@@ -28,6 +28,7 @@
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
type default_prop, property_type, core_property_type;
+type device_config_activity_manager_native_boot_prop, property_type;
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
type device_config_input_native_boot_prop, property_type;
@@ -399,6 +400,7 @@
-ffs_prop
-fingerprint_prop
-firstboot_prop
+ -device_config_activity_manager_native_boot_prop
-device_config_reset_performed_prop
-device_config_boot_count_prop
-device_config_input_native_boot_prop
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
new file mode 100644
index 0000000..cabf04b
--- /dev/null
+++ b/public/simpleperf_app_runner.te
@@ -0,0 +1,34 @@
+type simpleperf_app_runner, domain, mlstrustedsubject;
+type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
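Review bot: `allow simpleperf_app_runner untrusted_app_all:process dyntransition;` is the rule that lets this domain become an app, and the domain is also exempted from the appdomain neverallow in public/domain.te, yet the new neverallow section only bounds capabilities and nothing pins the transition target; if untrusted apps are the only intended target, consider `neverallow simpleperf_app_runner { domain -untrusted_app_all }:process { transition dyntransition };` so a later allow cannot widen it to privileged or system app domains. The `mlstrustedsubject` attribute on the type is not explained; a one-line comment on why it is needed (presumably to reach app data at any MLS level — to be confirmed) would help. The two `system_data_file:lnk_file` rules (`getattr` and `read`) sit in separate blocks with overlapping comments; merging them into `allow simpleperf_app_runner system_data_file:lnk_file { getattr read };` under one comment would read cleaner.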
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ffd5e0c..d9dc72f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -174,6 +174,7 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop
-device_config_reset_performed_prop
-device_config_input_native_boot_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 08701b4..03b0ac6 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -34,6 +34,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0