Merge "Revert "priv_app: use per-app selinux contexts""
diff --git a/OWNERS b/OWNERS
index 866b7b6..c5b61ae 100644
--- a/OWNERS
+++ b/OWNERS
@@ -9,3 +9,4 @@
jiyong@google.com
smoreland@google.com
trong@google.com
+tweek@google.com
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 4703eba..ad8d55c 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,3 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/crosvm u:object_r:crosvm_exec:s0
-/bin/virtmanager u:object_r:virtmanager_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/private/adbd.te b/private/adbd.te
index 3fc77a2..52070cb 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -84,6 +84,10 @@
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
diff --git a/private/apexd.te b/private/apexd.te
index 48fbcb8..b6fff92 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@
allow apexd apex_ota_reserved_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
diff --git a/private/app.te b/private/app.te
index 94d24e0..2b3554f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,11 @@
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
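Review bot: The two get_prop rules on L57–L58 make device_config_runtime_native_prop and device_config_runtime_native_boot_prop readable by every member of appdomain, untrusted_app included, and the only stated reason is that ART runs inside the app process. The public/property.te hunk reclassifies both types from system_internal_prop to system_restricted_prop, presumably because appdomain is not confined to coredomain, but neither hunk records that the flag values are now visible to arbitrary apps. Suggest extending the comment here with `# NOTE: readable by all apps (incl. untrusted_app); these flags must not carry non-public data` and a matching one-line comment above the two system_restricted_prop lines in property.te. The same get_prop pair is also added for app_zygote, artd, dexoptanalyzer, odrefresh, profman, system_server, system_server_startup and webview_zygote; those are privileged domains and need no such caveat.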
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 7f2236c..4ee3af7 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -75,6 +75,10 @@
# Send unsolicited message to system_server
unix_socket_send(app_zygote, system_unsolzygote, system_server)
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
#####
##### Neverallow
#####
diff --git a/private/artd.te b/private/artd.te
index a76074b..0aa12dc 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -10,3 +10,7 @@
typeattribute artd coredomain;
init_daemon_domain(artd)
+
+# Allow query ART device config properties
+get_prop(artd, device_config_runtime_native_prop)
+get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3464484..6e66493 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,7 @@
ab_update_gki_prop
adbd_config_prop
apc_service
+ apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_info_file
diff --git a/private/crosvm.te b/private/crosvm.te
index 5d7080a..f7729fd 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -5,8 +5,8 @@
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
-# Let crosvm receive file descriptors from virtmanager.
-allow crosvm virtmanager:fd use;
+# Let crosvm receive file descriptors from VirtualizationService.
+allow crosvm virtualizationservice:fd use;
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 5f0a41e..d194acb 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -47,3 +47,7 @@
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/private/domain.te b/private/domain.te
index c1dea0a..13cf988 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,7 +216,7 @@
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
- userdebug_or_eng(`-microdroid_launcher') # for executing shared libs on /mnt/apk in Microdroid
+ userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
} { fs_type -rootfs }:file execute;
#
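Review bot: The exemption added on L132 removes microdroid_manager from the fs_type execute neverallow on userdebug/eng builds, but nothing on the line says which allow rule needs it; the only matching grant visible in this diff is the userdebug_or_eng `allow microdroid_manager fuse:file rx_file_perms` in the new private/microdroid_manager.te, which is tied to TODO(b/188400186), while this carve-out carries no bug reference. Suggest pointing the two at each other, e.g. `# for executing shared libs on /mnt/apk in Microdroid (fuse rx rules in microdroid_manager.te, TODO(b/188400186))`, so the exemption is dropped together with the rule it exists for. The enclosing neverallow statement starts above this hunk.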
diff --git a/private/file_contexts b/private/file_contexts
index 60a94b3..89b63d6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -565,12 +565,12 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
@@ -672,6 +672,7 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_appsearch_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
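Review bot: The new apex_appsearch_data_file entry on L158 labels only the misc_ce path, whereas the neighbouring permission and wifi labels are declared for both misc_de and misc_ce. If appsearch keeps credential-encrypted data only, that is correct, but the asymmetry will read as an omission to the next maintainer, so add `# appsearch keeps CE data only; no misc_de entry` above it — or add the misc_de line if DE data is expected, given that apexd (L43–L44) and system_server (L335–L336) are already granted the type without distinction.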
diff --git a/private/fsck.te b/private/fsck.te
index f8e09b6..c2eb25b 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -3,3 +3,8 @@
init_daemon_domain(fsck)
allow fsck metadata_block_device:blk_file rw_file_perms;
+
+# TODO(b/189165759): move this to microdroid specific sepolicy
+userdebug_or_eng(`
+ allow fsck vd_device:blk_file rw_file_perms;
+')
diff --git a/private/microdroid_manager.te b/private/microdroid_manager.te
new file mode 100644
index 0000000..b1e4d75
--- /dev/null
+++ b/private/microdroid_manager.te
@@ -0,0 +1,30 @@
+# TODO(b/189165759) for moving this to packages/modules/Virtualization
+# microdroid_manager is a daemon running in the microdroid.
+
+type microdroid_manager, domain, coredomain;
+type microdroid_manager_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(microdroid_manager)
+
+# microdroid_manager accesses /dev/block/by-name/signature which points to
+# a /dev/vd* block device file.
+allow microdroid_manager block_device:dir r_dir_perms;
+allow microdroid_manager block_device:lnk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file r_file_perms;
+
+# microdroid_manager start payload task via microdroid_launcher
+domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
+
+# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
+# TODO(b/189706019) we need to a domain for the app process.
+allow microdroid_manager system_file:file execute_no_trans;
+# Until then, allow microdroid_manager to execute the shell or other system executables.
+allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
+
+# Let microdroid_manager read a config file from /mnt/apk (fusefs)
+# TODO(b/188400186) remove the below two rules
+userdebug_or_eng(`
+ allow microdroid_manager fuse:dir r_dir_perms;
+ allow microdroid_manager fuse:file rx_file_perms;
+')
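Review bot: `allow microdroid_manager system_file:file execute_no_trans;` on L200 together with the shell_exec/toolbox_exec rx grant on L202 lets this new daemon run any system binary inside its own domain on every build type, and the TODO on L199 itself says the payload should get a separate domain; the header comment only states that the daemon "runs in the microdroid", not that the domain also exists on regular devices, where shell.te in this same change allows a transition into it. Suggest recording the scope in the header, e.g. `# NOTE: until b/189706019 lands this domain executes payload code without a transition; keep the rule set minimal`. If the payload is only ever started through microdroid_launcher (L196), it is worth confirming whether L200 is still required at all. Minor: L195 reads better as `# microdroid_manager starts the payload task via microdroid_launcher`.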
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3ea8ad2..7a64247 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -48,3 +48,7 @@
# Allow updating boot animation status.
set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 7868b56..605e912 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -330,7 +330,13 @@
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
-# Should always_debuggable be bool? It's checked against the string "1".
+# ART properties
+dalvik.vm. u:object_r:dalvik_config_prop:s0
+ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
+
+# A set of ART properties listed explicitly for compatibility purposes.
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
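Review bot: The prefix entries `dalvik.vm.` and `ro.dalvik.vm.` on L229–L230 carry no value type, so any property created later under those prefixes is accepted as dalvik_config_prop with no type check, unlike the explicit `exact` entries kept below them. The comment on L233 says the explicit list exists "for compatibility purposes" but does not say what happens when a name matches both an exact entry and a prefix; exact entries are expected to take precedence over prefix matches, which should be confirmed and stated. Suggest `# Prefix entries: any dalvik.vm.* / ro.dalvik.vm.* property not listed explicitly below maps to dalvik_config_prop with no value type; the exact entries below take precedence.` in place of the comment on L228.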
@@ -406,7 +412,6 @@
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
-ro.zygote u:object_r:dalvik_config_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -494,8 +499,6 @@
ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string
ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
@@ -831,6 +834,7 @@
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.fingerprint_has_digest u:object_r:build_vendor_prop:s0 exact bool
ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
@@ -1192,5 +1196,4 @@
ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
# dck properties
-ro.gms.dck.eligible_r2 u:object_r:dck_prop:s0 exact bool
-ro.gms.dck.eligible_r3 u:object_r:dck_prop:s0 exact bool
+ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index 3357943..b410b18 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -71,7 +71,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtmanager u:object_r:virtualization_service:s0
+android.system.virtualizationservice u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
diff --git a/private/shell.te b/private/shell.te
index 231a63f..7c786c9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -194,6 +194,7 @@
# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
+domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
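Review bot: The new `domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)` on L287 is unconditional, yet the comment block above it (L284–L285) describes only the microdroid_launcher transition and its removal bug, so the new line inherits a justification that does not apply to it. Because microdroid_manager in this change may execute any system_file and read vd block devices, the transition from shell should carry its own comment, e.g. `# Allow shell to start microdroid_manager directly (Microdroid bring-up; TODO(b/<bug>) move to Microdroid policy)`, and it is worth confirming whether it can be wrapped in userdebug_or_eng if it is needed only for development, as the fuse rules in microdroid_manager.te already are.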
diff --git a/private/system_server.te b/private/system_server.te
index c9f3f8e..0e57739 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -44,11 +44,28 @@
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_FILLED_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_COMPRESS_BLOCKS
+ F2FS_IOC_COMPRESS_FILE
+ F2FS_IOC_DECOMPRESS_FILE
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+ FS_IOC_GETFLAGS
+};
+
+allowxperm system_server apk_tmp_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
};
# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
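Review bot: FS_IOC_SETFLAGS on L304 is the only write-side inode-flag ioctl added to an allowxperm block whose target type sits above this hunk, and the nearest comment ("For f2fs-compression support", L314) is attached to the sysfs rules rather than to the ioctl list, so a reader cannot tell whether SETFLAGS is needed to toggle the compression flag or for something broader. Suggest a trailing comment on that line, `FS_IOC_SETFLAGS  # presumably to set/clear the f2fs compression flag — confirm`, or dropping it if F2FS_IOC_COMPRESS_FILE/DECOMPRESS_FILE already cover the use case. The second block on L308–L311 sensibly limits apk_tmp_file to GETFLAGS and RELEASE_COMPRESS_BLOCKS; the same narrowing question applies to the first block's target, which starts outside this hunk.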
@@ -689,6 +706,11 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
@@ -1259,6 +1281,8 @@
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_appsearch_data_file:dir create_dir_perms;
+allow system_server apex_appsearch_data_file:file create_file_perms;
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
allow system_server apex_scheduling_data_file:dir create_dir_perms;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 902941e..3301304 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -14,3 +14,7 @@
# Child of the zygote.
allow system_server_startup zygote:process sigchld;
+
+# Allow query ART device config properties
+get_prop(system_server_startup, device_config_runtime_native_boot_prop)
+get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/private/virtmanager.te b/private/virtmanager.te
deleted file mode 100644
index 26593f3..0000000
--- a/private/virtmanager.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type virtmanager, domain, coredomain;
-type virtmanager_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
-init_daemon_domain(virtmanager)
-
-# Let the virtmanager domain use Binder.
-binder_use(virtmanager)
-
-# Let the virtmanager domain register the virtualization_service with ServiceManager.
-add_service(virtmanager, virtualization_service)
-
-# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtmanager, crosvm_exec, crosvm)
-
-# Let virtmanager exec other files (e.g. mk_cdisk) in the same domain.
-allow virtmanager system_file:file execute_no_trans;
-
-# Let virtmanager kill crosvm.
-allow virtmanager crosvm:process sigkill;
-
-# Let virtmanager access its data directory.
-allow virtmanager virtualizationservice_data_file:file create_file_perms;
-allow virtmanager virtualizationservice_data_file:dir create_dir_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
new file mode 100644
index 0000000..4c6f1f9
--- /dev/null
+++ b/private/virtualizationservice.te
@@ -0,0 +1,25 @@
+type virtualizationservice, domain, coredomain;
+type virtualizationservice_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtualizationservice_exec, run it in the
+# virtualizationservice domain.
+init_daemon_domain(virtualizationservice)
+
+# Let the virtualizationservice domain use Binder.
+binder_use(virtualizationservice)
+
+# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
+add_service(virtualizationservice, virtualization_service)
+
+# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+
+# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
+allow virtualizationservice system_file:file execute_no_trans;
+
+# Let virtualizationservice kill crosvm.
+allow virtualizationservice crosvm:process sigkill;
+
+# Let virtualizationservice access its data directory.
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 1414f6c..956e94e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_appsearch_data_file
apex_art_data_file
apex_module_data_file
apex_permission_data_file
@@ -32,6 +33,7 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_module_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3f217e1..10bcf1c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,10 @@
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
#####
##### Neverallow
#####
diff --git a/public/file.te b/public/file.te
index 2250482..20348b5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -385,6 +385,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/profman.te b/public/profman.te
index 8ff6271..c014d79 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -22,6 +22,10 @@
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
###
### neverallow rules
###
diff --git a/public/property.te b/public/property.te
index eca1a8c..57146a4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,6 @@
system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(device_config_runtime_native_boot_prop)
-system_internal_prop(device_config_runtime_native_prop)
system_internal_prop(firstboot_prop)
compatible_property_only(`
@@ -67,6 +65,8 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(init_service_status_prop)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 0f549c9..3b04671 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -32,8 +32,12 @@
r_dir_file(uncrypt, rootfs)
-# uncrypt reads /proc/cmdline
-allow uncrypt proc_cmdline:file r_file_perms;
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+ proc_bootconfig
+ proc_cmdline
+
+}:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)