Merge "Remove perfprofd references."
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 225b582..c3f4b29 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -6,8 +6,15 @@
(typeattributeset new_objects
( new_objects
cold_boot_done_prop
+ platform_compat_service
ctl_apexd_prop
device_config_sys_traced_prop
+ ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice
- vendor_apex_file))
+ system_group_file
+ system_passwd_file
+ vendor_apex_file
+ wifi_stack
+ wifi_stack_service
+ wifi_stack_tmpfs))
diff --git a/private/file_contexts b/private/file_contexts
index 9f9ada5..79c3043 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -303,7 +303,9 @@
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
@@ -397,6 +399,8 @@
# Product files
#
/(product|system/product)(/.*)? u:object_r:system_file:s0
+/(product|system/product)/etc/group u:object_r:system_group_file:s0
+/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
@@ -410,6 +414,8 @@
# SystemExt files
#
/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
+/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0
+/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
@@ -506,6 +512,7 @@
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
@@ -629,6 +636,7 @@
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
+/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
#############################
# asec containers
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index bd841a3..b37f086 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -4,6 +4,8 @@
/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/gsid.te b/private/gsid.te
index 73b93fc..305b1c2 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -17,6 +17,20 @@
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
@@ -83,7 +97,7 @@
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
-allow gsid metadata_file:dir search;
+allow gsid metadata_file:dir { search getattr };
allow gsid gsi_metadata_file:dir rw_dir_perms;
allow gsid gsi_metadata_file:file create_file_perms;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 8acd734..01a9fbf 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -7,4 +7,7 @@
allow linkerconfig linkerconfig_file:dir rw_dir_perms;
allow linkerconfig linkerconfig_file:file create_file_perms;
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/logd.te b/private/logd.te
index ca92e20..a9c65b0 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,4 +35,5 @@
-shell
userdebug_or_eng(`-su')
-system_app
+ -wifi_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 520383d..14fe3de 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -139,6 +138,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ad8a76c..705e03d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,8 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
+user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
diff --git a/private/service_contexts b/private/service_contexts
index 87fed88..8dc3fc2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -32,6 +32,7 @@
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
+platform_compat u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
@@ -218,5 +219,6 @@
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
+wifi_stack u:object_r:wifi_stack_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 348d3ce..e7f27b9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -21,6 +21,7 @@
rollback_data_file
storaged_data_file
vold_data_file
+ wifi_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
backup_data_file
@@ -31,6 +32,7 @@
storaged_data_file
system_data_file
vold_data_file
+ wifi_data_file
}:file { getattr unlink };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
new file mode 100644
index 0000000..1f19faa
--- /dev/null
+++ b/private/wifi_stack.te
@@ -0,0 +1,56 @@
+# Wifi Stack Mandatory
+typeattribute wifi_stack coredomain;
+
+app_domain(wifi_stack)
+net_domain(wifi_stack)
+
+# Data file accesses.
+# Manage /data/misc/wifi.
+allow wifi_stack wifi_data_file:dir create_dir_perms;
+allow wifi_stack wifi_data_file:file create_file_perms;
+allow wifi_stack radio_data_file:dir search;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(wifi_stack, wifi_log_prop)
+
+ # Allow wifi_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow wifi_stack kernel:system syslog_read;
+')
+
+# ctl interface
+
+# Perform Binder IPC.
+binder_use(wifi_stack)
+allow wifi_stack app_api_service:service_manager find;
+allow wifi_stack network_score_service:service_manager find;
+allow wifi_stack netd_service:service_manager find;
+allow wifi_stack network_stack_service:service_manager find;
+allow wifi_stack radio_service:service_manager find;
+allow wifi_stack wificond_service:service_manager find;
+allow wifi_stack wifiscanner_service:service_manager find;
+binder_call(wifi_stack, system_server)
+binder_call(wifi_stack, wificond)
+binder_call(wifi_stack, network_stack)
+
+# Perform HwBinder IPC.
+hwbinder_use(wifi_stack)
+hal_client_domain(wifi_stack, hal_wifi)
+hal_client_domain(wifi_stack, hal_wifi_hostapd)
+hal_client_domain(wifi_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow wifi_stack debugfs_tracing_instances:dir search;
+allow wifi_stack debugfs_wifi_tracing:dir search;
+allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# Connectivity
+allow wifi_stack self:capability { net_bind_service net_admin net_raw };
+allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
+allow wifi_stack self:netlink_route_socket nlmsg_write;
+allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# dumpstate support
+allow wifi_stack dumpstate:fd use;
+allow wifi_stack dumpstate:fifo_file write;
diff --git a/public/app.te b/public/app.te
index 36dd5e3..b523ad6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -367,8 +367,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
@@ -491,9 +491,8 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -wifi_stack }
+ wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
@@ -516,7 +515,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/domain.te b/public/domain.te
index cd08746..e12c224 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -141,10 +141,12 @@
allow domain system_file:lnk_file { getattr read };
# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# linker and its config.
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
@@ -1037,10 +1039,12 @@
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
+ -system_group_file
-system_lib_file
with_asan(`-system_asan_options_file')
-system_linker_exec
-system_linker_config_file
+ -system_passwd_file
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
diff --git a/public/file.te b/public/file.te
index 4945686..1fd00a4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -152,10 +152,14 @@
type system_lib_file, system_file_type, file_type;
# system libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
# Default type for linker config /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
@@ -212,6 +216,8 @@
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/netd.te b/public/netd.te
index c15a03b..3e48bd2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,6 +141,7 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -151,11 +152,12 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
+neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/service.te b/public/service.te
index 645f71c..c195b69 100644
--- a/public/service.te
+++ b/public/service.te
@@ -95,6 +95,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
+type platform_compat_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
@@ -181,6 +182,7 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wifi_stack_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c439ffd..3312ff8 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -51,6 +51,7 @@
-system_file_type
-mnt_product_file
-password_slot_metadata_file
+ -ota_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -65,6 +66,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -79,6 +81,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -93,6 +96,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -107,6 +111,7 @@
-exec_type
-mnt_product_file
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-vendor_file_type
-vold_metadata_file
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
new file mode 100644
index 0000000..f1a26f5
--- /dev/null
+++ b/public/wifi_stack.te
@@ -0,0 +1,2 @@
+# Wifi Stack Mandatory
+type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index 656abad..ae83846 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, wifi_stack)
add_service(wificond, wificond_service)