Merge "Add uhid_device to system_server"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 1db1c2a..6539e2c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -14,6 +14,11 @@
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;
+# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
+# requires sys_admin cap as well.
+allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
+allow microdroid_manager self:global_capability_class_set sys_admin;
+
# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 650117e..02337a0 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,6 +3,9 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader coredomain;
+# allow bpfloader to write to the kernel log (starts early)
+allow bpfloader kmsg_device:chr_file w_file_perms;
+
# These permissions are required to pin ebpf maps & programs.
allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
diff --git a/private/crosvm.te b/private/crosvm.te
index ec58875..426cb28 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -89,3 +89,10 @@
-app_data_file
userdebug_or_eng(`-shell_data_file')
}:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+ domain
+ -crosvm
+ -virtualizationservice
+} crosvm_exec:file no_x_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 2535222..c7d6ab1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -269,3 +269,6 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Allow reporting off body events to keystore.
+allow priv_app keystore:keystore2 report_off_body;
diff --git a/private/property_contexts b/private/property_contexts
index 05e5179..7106a51 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -707,7 +707,7 @@
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-persist.arm64.memtag.mode u:object_r:arm64_memtag_prop:s0 exact string
+persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index a22f272..1ada543 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -342,7 +342,7 @@
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
-tv_iapp u:object_r:tv_iapp_service:s0
+tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
uce u:object_r:uce_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 8c1fdbf..77cca3d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -159,6 +159,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
+allow system_app cgroup_v2:dir w_dir_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 91e0330..79817ef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -788,6 +788,9 @@
# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)
+# Read hypervisor capabilities ro.boot.hypervisor.*
+get_prop(system_server, hypervisor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index 317a00e..17a4d75 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -23,11 +23,23 @@
import policy
import shutil
import subprocess
+import sys
import tempfile
import zipfile
"""This tool generates a mapping file for {ver} core sepolicy."""
temp_dir = ''
+compat_cil_template = ";; This file can't be empty.\n"
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ %s
+ ))
+"""
def check_run(cmd, cwd=None):
@@ -88,12 +100,12 @@
cmd = [
'debugfs', '-R',
- 'cat system/etc/selinux/mapping/%s.cil' % ver, img_path
+ 'cat system/etc/selinux/mapping/10000.0.cil', img_path
]
path = os.path.join(destination, '%s.cil' % ver)
with open(path, 'wb') as f:
logging.debug('Extracting %s.cil to %s' % (ver, destination))
- f.write(check_output(cmd).stdout)
+ f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
return path
@@ -156,6 +168,28 @@
return base_policy_path, old_policy_path, pub_policy_cil_path
+def change_api_level(versioned_type, api_from, api_to):
+ """ Verifies the API version of versioned_type, and changes it to new API level.
+
+ For example, change_api_level("foo_32_0", "32.0", "31.0") will return
+ "foo_31_0".
+
+ Args:
+ versioned_type: string, type with version suffix
+ api_from: string, api version of versioned_type
+ api_to: string, new api version for versioned_type
+
+ Returns:
+ string, a new versioned type
+ """
+ old_suffix = api_from.replace('.', '_')
+ new_suffix = api_to.replace('.', '_')
+ if not versioned_type.endswith(old_suffix):
+ raise ValueError('Version of type %s is different from %s' %
+ (versioned_type, api_from))
+ return versioned_type.removesuffix(old_suffix) + new_suffix
+
+
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument(
@@ -202,12 +236,10 @@
build_top = get_android_build_top()
sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
- target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
- args.target_version)
# Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
- mapping_file = download_mapping_file(args.branch, args.build,
- args.target_version)
+ mapping_file = download_mapping_file(
+ args.branch, args.build, args.target_version, destination=temp_dir)
mapping_file_cil = mini_parser.MiniCilParser(mapping_file)
mapping_file_cil.types = set()
mapping_file_cil.typeattributes = set()
@@ -231,7 +263,110 @@
logging.info('new types: %s' % new_types)
logging.info('removed types: %s' % removed_types)
- # TODO: Step 4. Map new types and removed types appropriately
+ # Step 4. Map new types and removed types appropriately, based on the latest mapping
+ latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.latest_version)
+ latest_mapping_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path, args.latest_version + '.cil'))
+ latest_ignore_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path,
+ args.latest_version + '.ignore.cil'))
+
+ latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys())
+ latest_removed_types = latest_mapping_cil.types
+ logging.debug('types ignored in latest policy: %s' %
+ latest_ignored_types)
+ logging.debug('types removed in latest policy: %s' %
+ latest_removed_types)
+
+ target_ignored_types = set()
+ target_removed_types = set()
+ invalid_new_types = set()
+ invalid_mapping_types = set()
+ invalid_removed_types = set()
+
+ logging.info('starting mapping')
+ for new_type in new_types:
+ # Either each new type should be in latest_ignore_cil, or mapped to existing types
+ if new_type in latest_ignored_types:
+ logging.debug('adding %s to ignore' % new_type)
+ target_ignored_types.add(new_type)
+ elif new_type in latest_mapping_cil.rTypeattributesets:
+ latest_mapped_types = latest_mapping_cil.rTypeattributesets[
+ new_type]
+ target_mapped_types = {change_api_level(t, args.latest_version,
+ args.target_version)
+ for t in latest_mapped_types}
+ logging.debug('mapping %s to %s' %
+ (new_type, target_mapped_types))
+
+ for t in target_mapped_types:
+ if t not in mapping_file_cil.typeattributesets:
+ logging.error(
+ 'Cannot find desired type %s in mapping file' % t)
+ invalid_mapping_types.add(t)
+ continue
+ mapping_file_cil.typeattributesets[t].add(new_type)
+ else:
+ logging.error('no mapping information for new type %s' %
+ new_type)
+ invalid_new_types.add(new_type)
+
+ for removed_type in removed_types:
+ # Removed type should be in latest_mapping_cil
+ if removed_type in latest_removed_types:
+ logging.debug('adding %s to removed' % removed_type)
+ target_removed_types.add(removed_type)
+ else:
+ logging.error('no mapping information for removed type %s' %
+ removed_type)
+ invalid_removed_types.add(removed_type)
+
+ error_msg = ''
+
+ if invalid_new_types:
+ error_msg += ('The following new types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_new_types)
+ if invalid_mapping_types:
+ error_msg += (
+ 'The following existing types were not in the '
+ 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types)
+ if invalid_removed_types:
+ error_msg += ('The following removed types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_removed_types)
+
+ if error_msg:
+ error_msg += '\n'
+ error_msg += ('Please make sure the source tree and the build ID is'
+ ' up to date.\n')
+ sys.exit(error_msg)
+
+ # Step 5. Write to system/sepolicy/private/compat
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+ target_mapping_file = os.path.join(target_compat_path,
+ args.target_version + '.cil')
+ target_compat_file = os.path.join(target_compat_path,
+ args.target_version + '.compat.cil')
+ target_ignore_file = os.path.join(target_compat_path,
+ args.target_version + '.ignore.cil')
+
+ with open(target_mapping_file, 'w') as f:
+ logging.info('writing %s' % target_mapping_file)
+ if removed_types:
+ f.write(';; types removed from current policy\n')
+ f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
+ f.write('\n\n')
+ f.write(mapping_file_cil.unparse())
+
+ with open(target_compat_file, 'w') as f:
+ logging.info('writing %s' % target_compat_file)
+ f.write(compat_cil_template)
+
+ with open(target_ignore_file, 'w') as f:
+ logging.info('writing %s' % target_ignore_file)
+ f.write(ignore_cil_template %
+ ('\n '.join(sorted(target_ignored_types))))
finally:
logging.info('Deleting temporary dir: {}'.format(temp_dir))
shutil.rmtree(temp_dir)