Merge "Add sepolicy for ro.build.ab_update.ab_ota_partitions"
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index afd2396..881f7da 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
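Review bot: Line 11 switches se_compat_test to a parallel singleton, so its build-action generation may now run concurrently with other parallel singletons; anything the singleton built by compatTestFactory touches outside its own module state (package-level variables, shared caches) would need to be safe for that, and compatTestFactory is outside the hunk so this cannot be confirmed here. The same change is made for se_freeze_test in build/soong/sepolicy_freeze.go. A one-line comment on the registration such as `// Parallel singleton: only reads module data through ctx and keeps no package-level state.` would record that this was checked.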
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index c5513d0..9ae7826 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -23,7 +23,7 @@
func init() {
ctx := android.InitRegistrationContext
- ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
}
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7eac769..711e6d8 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -267,12 +267,12 @@
"healthconnect": EXCEPTION_NO_FUZZER,
"ions": EXCEPTION_NO_FUZZER,
"idmap": EXCEPTION_NO_FUZZER,
- "incident": EXCEPTION_NO_FUZZER,
+ "incident": []string{"incidentd_service_fuzzer"},
"incidentcompanion": EXCEPTION_NO_FUZZER,
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
"input": EXCEPTION_NO_FUZZER,
- "installd": EXCEPTION_NO_FUZZER,
+ "installd": []string{"installd_service_fuzzer"},
"iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
"iphonesubinfo2": EXCEPTION_NO_FUZZER,
"iphonesubinfo": EXCEPTION_NO_FUZZER,
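Review bot: The fuzzer names added on lines 34 and 40 (and in the two later hunks of this file) are bare strings with no visible check that a module of that name exists, so a misspelled name would quietly move a service from the no-fuzzer exception set to the fuzzed set without any fuzzer actually covering it; if a step that resolves these names against the build's fuzz targets exists, it is outside this hunk. Worth confirming each name matches the fuzzer's declared module name, and a short comment above the map such as `// Values must match the fuzzer's module name exactly; an unmatched name is not detected here.` would help future editors. The enclosing map literal starts and ends outside the hunk.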
@@ -302,11 +302,11 @@
"media.aaudio": EXCEPTION_NO_FUZZER,
"media.audio_flinger": EXCEPTION_NO_FUZZER,
"media.audio_policy": EXCEPTION_NO_FUZZER,
- "media.camera": EXCEPTION_NO_FUZZER,
+ "media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
"media.player": EXCEPTION_NO_FUZZER,
- "media.metrics": EXCEPTION_NO_FUZZER,
+ "media.metrics": []string{"mediametrics_aidl_fuzzer"},
"media.extractor": EXCEPTION_NO_FUZZER,
"media.transcoding": EXCEPTION_NO_FUZZER,
"media.resource_manager": EXCEPTION_NO_FUZZER,
@@ -410,8 +410,8 @@
"sdk_sandbox": EXCEPTION_NO_FUZZER,
"SurfaceFlinger": EXCEPTION_NO_FUZZER,
"SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
- "suspend_control": EXCEPTION_NO_FUZZER,
- "suspend_control_internal": EXCEPTION_NO_FUZZER,
+ "suspend_control": []string{"suspend_service_fuzzer"},
+ "suspend_control_internal": []string{"suspend_service_internal_fuzzer"},
"system_config": EXCEPTION_NO_FUZZER,
"system_server_dumper": EXCEPTION_NO_FUZZER,
"system_update": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 1e8529b..c940eca 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -410,7 +410,7 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index a855509..4bd55cf 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -46,6 +46,10 @@
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
# ueventd is using bootstrap bionic
use_bootstrap_libs(ueventd)
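Review bot: Line 89 grants ueventd the sys_admin capability in its own domain, which is much broader than the device-mapper name/uuid query described on line 87; sys_admin also unlocks many unrelated privileged operations, so the justification should be precise. If the capability is only needed because the kernel requires it for device-mapper ioctls, the comment should say so and name the ioctl(s) involved, and the dm_device access on line 88 could be bounded with an `allowxperm ueventd dm_device:chr_file ioctl { <DM ioctl numbers> };` allowlist so rw_file_perms does not imply arbitrary DM control. The same two rules are added in public/ueventd.te, which should carry the same comment.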
diff --git a/private/app.te b/private/app.te
index 34cd2f0..754c802 100644
--- a/private/app.te
+++ b/private/app.te
@@ -48,11 +48,6 @@
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index d06db62..aa42c19 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -60,7 +60,6 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
- setupwizard_esim_prop
shutdown_checkpoints_system_data_file
snapuserd_log_data_file
stats_config_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 8abc646..83930a5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,7 +14,6 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/domain.te b/private/domain.te
index 30ceb24..2cffdd8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -87,8 +87,13 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process), and MTE bootloader override to be
+# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
+get_prop(domain, device_config_runtime_native_boot_prop);
+get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
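Review bot: The comment added on lines 138-140 justifies the new get_prop rules with "ART runs inside the app process", but lines 143-144 grant device_config_runtime_native_prop and device_config_runtime_native_boot_prop to `domain`, i.e. every process including vendor domains, not just appdomain as the deleted rules in private/app.te did. The comment should state why every domain needs read access, for example `# ART runs in any process that hosts the runtime (apps, system_server, native tools), so the flags are readable by all domains`, or the grant should be narrowed to the domains that actually host ART if that is the intent; which of the two is wanted cannot be determined from the hunk.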
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9f2b1d5..0491a33 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -66,7 +66,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
+neverallow ephemeral_app debugfs_type:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
diff --git a/private/file_contexts b/private/file_contexts
index bb86761..c9c51e4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -263,6 +263,8 @@
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/drmserver32 u:object_r:drmserver_exec:s0
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
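Review bot: Lines 166-167 add two separate exact entries for the 32- and 64-bit drmserver binaries next to the existing one on line 165. Since file_contexts entries are regular expressions, the three could be collapsed into one, `/system/bin/drmserver(32|64)?  u:object_r:drmserver_exec:s0`, which keeps the label in a single place if the binary set changes again; this is a style point only, the labels themselves are consistent.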
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 91418b5..39d0bbb 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -70,5 +70,6 @@
}')
full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+ neverallow heapprofd vendor_file_type:file no_w_file_perms;
+ neverallow heapprofd { vendor_file_type -vndk_sp_file }:file no_x_file_perms;
')
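Review bot: Line 180 carves vndk_sp_file out of the no_x_file_perms neverallow, so heapprofd may now execute or map-executable VNDK-SP libraries while line 179 still forbids writing to every vendor_file_type; the reason for that exemption is not recorded anywhere in the hunk. A comment above line 180 such as `# vndk_sp_file is exempted from no_x because heapprofd loads VNDK-SP libraries (<reason/bug id>)` would make the carve-out deliberate rather than something a later cleanup might revert.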
diff --git a/private/mediaserver.te b/private/mediaserver.te
index f44cbde..92ec40d 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -16,6 +16,9 @@
get_prop(mediaserver, drm_service_config_prop)
get_prop(mediaserver, media_config_prop)
+# Allow MediaCodec running on mediaserver to read media_native flags
+get_prop(mediaserver, device_config_media_native_prop)
+
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/private/priv_app.te b/private/priv_app.te
index cfd8721..b455732 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -218,7 +218,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+neverallow priv_app debugfs_type:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
diff --git a/private/property.te b/private/property.te
index 928f86c..35f9bc7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -598,10 +598,6 @@
-init
} setupwizard_prop:property_service set;
-neverallow {
- domain
- -init
-} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 5093d10..2399163 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1204,7 +1204,6 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
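Review bot: Line 227 deletes the exact entry mapping ro.hardware.egl_legacy to graphics_config_prop, so if anything still sets or reads that property it will be labeled by whichever prefix entry covers ro.hardware. (or the default context if none), which may silently change who is allowed to set it; the prefix entries are outside this hunk, so this cannot be confirmed here. Worth checking that no remaining init script or code references the property, and, if it is intentionally retired, saying so in the commit description.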
@@ -1453,8 +1452,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 6e7ba50..8e46ca3 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -45,7 +45,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
diff --git a/public/app.te b/public/app.te
index da59f32..a45149f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -89,7 +89,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
+neverallow appdomain system_file_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
diff --git a/public/domain.te b/public/domain.te
index 56c3142..4336770 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1053,6 +1053,7 @@
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
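Review bot: Line 268 adds a proc_type mounton neverallow that exempts zygote, while the original proc rule on line 267 is kept with no exemption; assuming proc carries the proc_type attribute the old rule is subsumed by the new one except for zygote, and the reason zygote needs to mount over proc_type files or directories is not documented. A comment above line 268 such as `# zygote is exempted because it mounts over <path> during <reason>` would make the exemption reviewable. Note that microdroid/system/private/domain.te makes the same proc -> proc_type change by replacing the rule outright with no zygote exemption, presumably because microdroid has no zygote; a one-line comment there stating that would make the divergence between the two policies deliberate.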
diff --git a/public/logd.te b/public/logd.te
index 8187179..7f3c7bc 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -57,7 +57,7 @@
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
+neverallow logd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
diff --git a/public/modprobe.te b/public/modprobe.te
index 2c7d64b..910aebd 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -4,6 +4,9 @@
allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
diff --git a/public/netd.te b/public/netd.te
index 3854017..a5c27f9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -129,7 +129,7 @@
neverallow netd { domain }:process ptrace;
# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
+neverallow netd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/property.te b/public/property.te
index 8087e99..a1f4ab5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -88,7 +88,6 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
-system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index d4b4562..b59d538 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -25,7 +25,7 @@
neverallow recovery_persist domain:process ptrace;
# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
+neverallow recovery_persist system_file_type:dir_file_class_set write;
# Write to files in /data/data
neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index d6870dc..78f93db 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -18,7 +18,7 @@
neverallow recovery_refresh domain:process ptrace;
# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
+neverallow recovery_refresh system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/public/ueventd.te b/public/ueventd.te
index 4e3c7c2..3135a7f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -65,6 +65,13 @@
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
+# Allow ueventd to read apexd property
+get_prop(ueventd, apexd_prop)
+
#####
##### neverallow rules
#####