Merge "Introduce vm_manager_device_type for crosvm"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 88cd32b..d91ef21 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -217,6 +217,7 @@
"country_detector": EXCEPTION_NO_FUZZER,
"coverage": EXCEPTION_NO_FUZZER,
"cpuinfo": EXCEPTION_NO_FUZZER,
+ "cpu_monitor": EXCEPTION_NO_FUZZER,
"credential": EXCEPTION_NO_FUZZER,
"crossprofileapps": EXCEPTION_NO_FUZZER,
"dataloader_manager": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 6a43b56..3eae8c0 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -63,4 +63,5 @@
}:process { ptrace signal sigchld sigstop sigkill };
')
+neverallow crash_dump self:process ptrace;
neverallow crash_dump no_crash_dump_domain:process ptrace;
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index fbc9c75..1e8529b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -538,3 +538,6 @@
# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
neverallow domain encryptedstore_file:file no_x_file_perms;
+
+# Only crash_dump is allowed to access ptrace
+neverallow { domain -crash_dump } domain:process ptrace;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 6bdc259..eecda30 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -33,14 +33,14 @@
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
-neverallow { domain -bpfloader } fs_bpf_loader:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
+neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 4df0d0b..a2ff554 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -12,6 +12,7 @@
build_attestation_prop
composd_vm_art_prop
composd_vm_vendor_prop
+ cpu_monitor_service
credential_service
device_as_webcam
device_config_camera_native_prop
diff --git a/private/netd.te b/private/netd.te
index ae43e47..8be8212 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,7 +7,7 @@
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 900b35c..01f1915 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -26,7 +26,7 @@
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/network_stack.te b/private/network_stack.te
index dfee019..d9135a1 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -61,7 +61,7 @@
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Use XFRM (IPsec) netlink sockets
diff --git a/private/perfetto.te b/private/perfetto.te
index 45fa60b..a87f2ad 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,6 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
+# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
+allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
+allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
@@ -117,6 +121,7 @@
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
@@ -124,6 +129,7 @@
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/system_server.te b/private/system_server.te
index 27e5594..8d7057c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1175,7 +1175,7 @@
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
diff --git a/private/traced.te b/private/traced.te
index 171e092..fc75239 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -24,9 +24,6 @@
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
@@ -89,7 +86,6 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
-media_userdir_file
@@ -104,7 +100,6 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/public/iorap.te b/public/iorap.te
deleted file mode 100644
index 0671c34..0000000
--- a/public/iorap.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Define these types for now, as they may be used in device-specific policy.
-type iorapd;
-type iorap_inode2filename;
-type iorap_prefetcherd;
diff --git a/public/service.te b/public/service.te
index e8f97bb..3dc9d85 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type cpu_monitor_service, system_server_service, service_manager_type;
type credential_service, app_api_service, ephemeral_app_api_service, system_api_service, system_server_service, service_manager_type;
type dataloader_manager_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 59d6c39..0bdb7fd 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -29,3 +29,6 @@
# allow to monitor uevents and access video devices
allow hal_evs_default device:dir r_dir_perms;
allow hal_evs_default video_device:chr_file rw_file_perms;
+
+# allow to access graphics related properties
+get_prop(hal_evs_default, graphics_config_prop);