Merge "Build precompiled_sepolicy.apex_sepolicy.sha256"
diff --git a/Android.bp b/Android.bp
index fdd97ff..0ca82a6 100644
--- a/Android.bp
+++ b/Android.bp
@@ -184,6 +184,11 @@
srcs: ["keystore2_key_contexts"],
}
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
@@ -860,6 +865,9 @@
"sepolicy_neverallows",
"sepolicy_neverallows_vendor",
],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
// policy for recovery
@@ -928,6 +936,9 @@
name: "base_plat_sepolicy",
srcs: [":base_plat_sepolicy.cil"],
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
@@ -998,6 +1009,9 @@
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
@@ -1089,17 +1103,3 @@
se_freeze_test {
name: "sepolicy_freeze_test",
}
-
-//////////////////////////////////
-// Makefile rules temporary imported to Soong
-// TODO(b/33691272): remove these after migrating seapp to Soong
-//////////////////////////////////
-makefile_goal {
- name: "plat_seapp_contexts_rule",
- product_out_path: "obj/ETC/plat_seapp_contexts_intermediates/plat_seapp_contexts",
-}
-
-makefile_goal {
- name: "plat_seapp_neverallows_rule",
- product_out_path: "obj/ETC/plat_seapp_neverallows_intermediates/plat_seapp_neverallows",
-}
diff --git a/Android.mk b/Android.mk
index 729a163..2e74b25 100644
--- a/Android.mk
+++ b/Android.mk
@@ -681,9 +681,6 @@
file_contexts.modules.tmp :=
##################################
-include $(LOCAL_PATH)/seapp_contexts.mk
-
-##################################
include $(LOCAL_PATH)/contexts_tests.mk
##################################
@@ -748,8 +745,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 9398505..1b578ea 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/for-system/clatd u:object_r:clatd_exec:s0
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
index 91c6347..00df33c 100644
--- a/build/soong/bug_map.go
+++ b/build/soong/bug_map.go
@@ -104,7 +104,7 @@
OutputFile: android.OptionalPathForPath(b.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
},
},
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 59d1172..78e870e 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -172,7 +172,7 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
if c.properties.Stem != nil {
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 3044425..6a1925d 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -109,7 +109,7 @@
OutputFile: android.OptionalPathForPath(c.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 2b190e6..4becbc1 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -255,7 +255,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -410,7 +410,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -546,7 +546,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 71de38a..b30f35e 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,6 +17,7 @@
import (
"fmt"
"io"
+ "os"
"strings"
"github.com/google/blueprint"
@@ -58,11 +59,20 @@
}
}
+type seappProperties struct {
+ // Files containing neverallow rules.
+ Neverallow_files []string `android:"path"`
+
+ // Precompiled sepolicy binary file which will be fed to checkseapp.
+ Sepolicy *string `android:"path"`
+}
+
type selinuxContextsModule struct {
android.ModuleBase
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
+ seappProperties seappProperties
build func(ctx android.ModuleContext, inputs android.Paths) android.Path
deps func(ctx android.BottomUpMutatorContext)
outputPath android.Path
@@ -82,6 +92,7 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
+ android.RegisterModuleType("seapp_contexts", seappFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -147,6 +158,7 @@
m.AddProperties(
&m.properties,
&m.fileContextsProperties,
+ &m.seappProperties,
)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
@@ -180,7 +192,7 @@
SubName: nameSuffix,
Extra: []android.AndroidMkExtraFunc{
func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
},
},
@@ -422,6 +434,31 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ neverallowFile := android.PathForModuleGen(ctx, "neverallow")
+ ret := android.PathForModuleGen(ctx, m.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("(grep").
+ Flag("-ihe").
+ Text("'^neverallow'").
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Text(">").
+ Output(neverallowFile).
+ Text("|| true)") // to make ninja happy even when result is empty
+
+ rule.Temporary(neverallowFile)
+ rule.Command().BuiltTool("checkseapp").
+ FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
+ FlagWithOutput("-o ", ret).
+ Inputs(inputs).
+ Input(neverallowFile)
+
+ rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
+ return ret
+}
+
func hwServiceFactory() android.Module {
m := newModule()
m.build = m.buildHwServiceContexts
@@ -447,6 +484,12 @@
return m
}
+func seappFactory() android.Module {
+ m := newModule()
+ m.build = m.buildSeappContexts
+ return m
+}
+
var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
// Implements android.OutputFileProducer
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 119e477..98dd3cf 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -152,10 +152,11 @@
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", binaryPolicy).
Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
// file from Step 1
-
+ rule = android.NewRuleBuilder(pctx, ctx)
msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
`of an expanded attribute in a neverallow assertion. Please fix\n` +
`the policy.`
@@ -170,9 +171,8 @@
Text(`"` + msg + `"`).
Text("; exit 1)")
- rule.Temporary(binaryPolicy)
rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
}
func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 9d1fe78..ca40173 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -97,7 +97,7 @@
OutputFile: android.OptionalPathForPath(v.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
},
},
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index dc07910..c316d2a 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -172,7 +172,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
- entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
},
},
diff --git a/contexts/Android.bp b/contexts/Android.bp
index ed183ef..1dc710a 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -231,3 +231,70 @@
],
soc_specific: true,
}
+
+seapp_contexts {
+ name: "plat_seapp_contexts",
+ srcs: [":seapp_contexts_files{.plat_private}"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "system_ext_seapp_contexts",
+ srcs: [":seapp_contexts_files{.system_ext_private}"],
+ neverallow_files: [":seapp_contexts_files{.plat_private}"],
+ system_ext_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "product_seapp_contexts",
+ srcs: [":seapp_contexts_files{.product_private}"],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ],
+ product_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "vendor_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.vendor}",
+ ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ soc_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "odm_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.odm}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ device_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+// for CTS
+genrule {
+ name: "plat_seapp_neverallows",
+ srcs: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
+ ],
+ out: ["plat_seapp_neverallows"],
+ cmd: "grep -ihe '^neverallow' $(in) > $(out) || true",
+}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 3c82d4b..2e8766c 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -266,14 +266,6 @@
}
prebuilt_etc {
- name: "microdroid_hwservice_contexts",
- filename: "plat_hwservice_contexts",
- src: "system/private/hwservice_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
name: "microdroid_property_contexts",
filename: "plat_property_contexts",
src: "system/private/property_contexts",
@@ -288,11 +280,3 @@
relative_install_path: "selinux",
installable: false,
}
-
-prebuilt_etc {
- name: "microdroid_keystore2_key_contexts",
- filename: "plat_keystore2_key_contexts",
- src: "system/private/keystore2_key_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 22f2ffa..477f78f 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,6 +746,16 @@
use_dev_id
}
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index cca95c2..275a455 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -81,8 +81,7 @@
allow apexd rootfs:dir mounton;
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 84e1575..c56f05e 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -4,8 +4,7 @@
type apkdmverity_exec, exec_type, file_type, system_file_type;
# apkdmverity is using bootstrap bionic
-allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
-allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apkdmverity)
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
index 7bd39e4..23e881d 100644
--- a/microdroid/system/private/authfs.te
+++ b/microdroid/system/private/authfs.te
@@ -17,5 +17,9 @@
allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
allow authfs authfs_data_file:dir { mounton search };
+# Allow authfs to access extra APK mount.
+allow authfs extra_apk_file:file r_file_perms;
+allow authfs extra_apk_file:dir search;
+
# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
allow authfs authfs_service:fd use;
diff --git a/microdroid/system/private/binderservicedomain.te b/microdroid/system/private/binderservicedomain.te
deleted file mode 100644
index 99006bf..0000000
--- a/microdroid/system/private/binderservicedomain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 174eda3..d9edb67 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,22 +2,18 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
+# Expose RPC Binder service over vsock
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow using keystore and authfs_service binder services
+# Allow using various binder services
binder_use(compos);
-use_keystore(compos);
-allow compos authfs_binder_service:service_manager find;
+allow compos {
+ authfs_binder_service
+ dice_node_service
+}:service_manager find;
binder_call(compos, authfs_service);
-
-# Allow payloads to use and manage their keys
-allow compos vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+binder_call(compos, diced);
+allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
@@ -34,7 +30,5 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh and dex2oat.
-# TODO(b/209008712): Remove dex2oat once the migration is done.
+# Allow domain transition into odrefresh.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
-domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 90587fa..a636e9c 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -56,7 +56,6 @@
-crash_dump
-init
-kernel
- -keystore
-logd
-ueventd
-vendor_init
@@ -65,7 +64,6 @@
userdebug_or_eng(`
allow crash_dump {
apexd
- keystore
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
new file mode 100644
index 0000000..9530794
--- /dev/null
+++ b/microdroid/system/private/diced.te
@@ -0,0 +1,20 @@
+type diced, domain, coredomain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+# diced can be started by init
+init_daemon_domain(diced)
+
+# diced can talk to dice HAL
+hal_client_domain(diced, hal_dice)
+
+# diced hosts AIDL services
+binder_use(diced)
+binder_service(diced)
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# diced can check SELinux permissions.
+selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ad2c645..ae97f75 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -47,7 +47,7 @@
allow domain zero_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -411,15 +411,6 @@
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
@@ -428,8 +419,6 @@
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
# system services cant add vendor services
neverallow {
@@ -549,11 +538,6 @@
servicemanager
}:service_manager list;
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
@@ -596,15 +580,6 @@
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 933c63f..50558f8 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -63,6 +63,7 @@
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
+/dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
@@ -106,10 +107,9 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
@@ -135,8 +135,6 @@
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -163,7 +161,6 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
deleted file mode 100644
index f9b15f0..0000000
--- a/microdroid/system/private/halclientdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
-
-get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservice_contexts b/microdroid/system/private/hwservice_contexts
deleted file mode 100644
index 9b47b06..0000000
--- a/microdroid/system/private/hwservice_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
deleted file mode 100644
index 88b9e89..0000000
--- a/microdroid/system/private/hwservicemanager.te
+++ /dev/null
@@ -1,27 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-allow hwservicemanager vendor_configs_file:file { open getattr };
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff3f6f5..ff75f75 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -171,7 +171,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -181,7 +180,6 @@
file_type
-apex_info_file
-exec_type
- -keystore_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_file_type
@@ -193,7 +191,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -203,7 +200,6 @@
file_type
-apex_mnt_dir
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -356,11 +352,6 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
@@ -437,8 +428,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 258c8d7..2938be4 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -90,7 +90,6 @@
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
- hwservice_contexts_file
mac_perms_file
property_contexts_file
seapp_contexts_file
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
deleted file mode 100644
index ee10910..0000000
--- a/microdroid/system/private/keystore.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-# microdroid doesn't use keymaster HAL
-dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
-
-# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
-dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
-
-set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/keystore2_key_contexts b/microdroid/system/private/keystore2_key_contexts
deleted file mode 100644
index 02cdd5e..0000000
--- a/microdroid/system/private/keystore2_key_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-
-# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
-# TODO(b/191843770): sort out a longer term policy
-140 u:object_r:vm_payload_key:s0
-
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index fa1cb40..06d4fa6 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -5,16 +5,12 @@
allow logd adbd:dir search;
allow logd adbd:file { getattr open read };
allow logd device:dir search;
-allow logd hwservicemanager:dir search;
-allow logd hwservicemanager:file { open read };
allow logd init:dir search;
allow logd init:fd use;
allow logd init:file { getattr open read };
allow logd kernel:dir search;
allow logd kernel:file { getattr open read };
allow logd kernel:system { syslog_mod syslog_read };
-allow logd keystore:dir search;
-allow logd keystore:file { getattr open read };
allow logd linkerconfig_file:dir search;
allow logd microdroid_manager:dir search;
allow logd microdroid_manager:file { getattr open read };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de1c8d6..b71ae8d 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,17 +9,5 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-# Talk to binder services (for keystore)
+# Talk to binder services (for diced)
binder_use(microdroid_app);
-
-# Allow payloads to use keystore
-use_keystore(microdroid_app);
-
-# Allow payloads to use and manage their keys
-allow microdroid_app vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 36a5f53..1db1c2a 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -25,9 +25,6 @@
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager initialize the derived VM secrets.
-set_prop(microdroid_manager, vmsecret_keymint_prop);
-
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
@@ -38,21 +35,19 @@
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
# microdroid_manager is using bootstrap bionic
-allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
-allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(microdroid_manager)
+
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to ioctl /dev/vsock.
-# TODO(b/199259751): remove the below rules
-allow microdroid_manager vsock_device:chr_file r_file_perms;
-allowxperm microdroid_manager vsock_device:chr_file ioctl {
- IOCTL_VM_SOCKETS_GET_LOCAL_CID
-};
-
# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 2fa101f..fea0768 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -33,12 +33,5 @@
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow microdroid_payload to ioctl /dev/vsock.
-# TODO(b/199259751): remove the below rules
-allow microdroid_payload vsock_device:chr_file r_file_perms;
-allowxperm microdroid_payload vsock_device:chr_file ioctl {
- IOCTL_VM_SOCKETS_GET_LOCAL_CID
-};
-
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 7911753..01aa5e4 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -14,19 +14,6 @@
### Neverallow rules
###
-neverallow {
- domain
- -init
- -microdroid_manager
-} vmsecret_keymint_prop:property_service set;
-
-neverallow {
- domain
- -init
- -microdroid_manager
- -hal_keymint_server
-} vmsecret_keymint_prop:file no_rw_file_perms;
-
# microdroid_manager_roothash_prop can only be set by microdroid_manager
# and read by apkdmverity
neverallow {
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7b63cae..518ae87 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -46,28 +46,21 @@
ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
-ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
ro.boottime.logd u:object_r:boottime_prop:s0 exact int
ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
-ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
-
-hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
@@ -79,8 +72,6 @@
init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
@@ -91,8 +82,6 @@
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-
ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
@@ -100,6 +89,7 @@
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
@@ -127,10 +117,6 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 200b030..0d3cc80 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,5 +163,8 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
+# Diced permissions
+class diced # userspace
+
class drmservice # userspace
# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 3489055..9a27306 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,19 +1,8 @@
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
adb u:object_r:adb_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.identity u:object_r:credstore_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
apexservice u:object_r:apex_service:s0
authfs_service u:object_r:authfs_binder_service:s0
manager u:object_r:service_manager_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 5dad3c1..d51c827 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -15,7 +15,6 @@
domain
-init
-vendor_init
- -hwservicemanager
}:binder transfer;
allow servicemanager service_contexts_file:file r_file_perms;
@@ -25,3 +24,6 @@
add_service(servicemanager, service_manager_service)
set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 55b7308..1196262 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -6,7 +6,4 @@
# su is also permissive to permit setenforce.
permissive su;
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
')
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 8524c18..c7d9fd6 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -47,8 +47,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index da0cd0f..6652e27 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -7,8 +7,7 @@
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
-allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
-allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 6479c55..e3258ae 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -298,6 +298,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(evs);
hal_attribute(face);
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index c03fb4d..4c008ea 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -18,6 +18,7 @@
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type, mlstrustedobject;
+type open_dice_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type ppp_device, dev_type;
type properties_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5b678ba..d15d9cd 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -2,7 +2,6 @@
# file types
type adbd_socket, file_type, coredomain_socket;
-type apc_service, service_manager_type;
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
@@ -12,9 +11,6 @@
type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
-type hwservice_contexts_file, file_type, system_file_type;
-type keystore2_key_contexts_file, file_type, system_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
type linkerconfig_file, file_type;
type logd_socket, file_type, mlstrustedobject, coredomain_socket;
type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/microdroid/system/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/hal_keymint.te b/microdroid/system/public/hal_keymint.te
deleted file mode 100644
index 7570188..0000000
--- a/microdroid/system/public/hal_keymint.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/system/public/hwservicemanager.te b/microdroid/system/public/hwservicemanager.te
deleted file mode 100644
index 5421b11..0000000
--- a/microdroid/system/public/hwservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/keystore.te b/microdroid/system/public/keystore.te
deleted file mode 100644
index 295d3d9..0000000
--- a/microdroid/system/public/keystore.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type keystore, domain;
-type keystore_exec, file_type, exec_type, system_file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c62e091..d00a618 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -29,13 +29,10 @@
type fingerprint_prop, property_type;
type gsid_prop, property_type;
type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
-type keystore_crash_prop, property_type;
-type keystore_listen_prop, property_type;
type libc_debug_prop, property_type;
type log_tag_prop, property_type;
type logd_prop, property_type;
@@ -45,7 +42,6 @@
type timezone_prop, property_type;
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
-type vmsecret_keymint_prop, property_type;
type powerctl_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 5da3ec9..dea7c6b 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -15,10 +15,6 @@
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index a440c21..e331bf6 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -39,11 +39,7 @@
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su domain:bpf *;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 1a7aaa4..6db0d70 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -987,3 +987,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 0ee9f89..818ae46 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -2,24 +2,10 @@
type adb_service, system_server_service, system_api_service, service_manager_type;
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
-type authorization_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type default_android_service, service_manager_type;
-type hal_keymint_service, protected_service, vendor_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type hal_dice_service, protected_service, vendor_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index b66caa9..322abe3 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -133,8 +133,7 @@
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 0aa85cf..c86f862 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -35,4 +35,4 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
+/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
new file mode 100644
index 0000000..c203550
--- /dev/null
+++ b/microdroid/vendor/hal_dice_default.te
@@ -0,0 +1,10 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
+
+# hal_dice_default is using bootstrap bionic
+use_bootstrap_libs(hal_dice_default)
+
+allow hal_dice_default open_dice_device:chr_file { read write open map };
diff --git a/microdroid/vendor/hal_keymint_default.te b/microdroid/vendor/hal_keymint_default.te
deleted file mode 100644
index 359ca60..0000000
--- a/microdroid/vendor/hal_keymint_default.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type hal_keymint_default, domain;
-hal_server_domain(hal_keymint_default, hal_keymint)
-
-type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_default)
-
-allow hal_keymint_default keystore:binder transfer;
-allow hal_keymint_default system_lib_file:file execute;
-
-allow logd hal_keymint_default:dir search;
-allow logd hal_keymint_default:file { getattr open read };
-
-get_prop(hal_keymint_default, vmsecret_keymint_prop);
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
diff --git a/prebuilts/api/32.0/private/mediaprovider_app.te b/prebuilts/api/32.0/private/mediaprovider_app.te
index 16d0d6d..742da1f 100644
--- a/prebuilts/api/32.0/private/mediaprovider_app.te
+++ b/prebuilts/api/32.0/private/mediaprovider_app.te
@@ -21,6 +21,9 @@
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/access_vectors b/private/access_vectors
index fc17c1d..0f8dd5f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -722,7 +722,9 @@
change_user
clear_ns
clear_uid
+ delete_all_keys
early_boot_ended
+ get_attestation_key
get_auth_token
get_state
list
@@ -732,7 +734,6 @@
report_off_body
reset
unlock
- delete_all_keys
}
class keystore2_key
diff --git a/private/apexd.te b/private/apexd.te
index 9dfe45f..791a4ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -126,8 +126,7 @@
binder_call(apexd, vold)
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/app.te b/private/app.te
index 7177b92..856f483 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,6 +87,375 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow appdomain system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
+allow { appdomain -ephemeral_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
diff --git a/private/atrace.te b/private/atrace.te
index cbb5b7c..2ab8c69 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-stats_service
-tracingproxy_service
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0e0cf7f..5522e32 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -62,6 +62,7 @@
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
+allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 78cd37e..650117e 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,6 +17,8 @@
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
diff --git a/private/clatd.te b/private/clatd.te
index da6820c..57eee78 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,18 +4,10 @@
net_domain(clatd)
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Access objects inherited from netd.
allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
allow clatd netd:packet_socket { read write };
allow clatd netd:rawip_socket { read write };
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 2ae6a5f..29378d4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -21,13 +21,7 @@
hal_dumpstate_service
hal_graphics_composer_service
hal_health_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index cddf39b..fdb9b0d 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -8,7 +8,9 @@
apexd_select_prop
artd_service
attestation_verification_service
+ bluetooth_config_prop
charger_vendor
+ cloudsearch
cloudsearch_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
@@ -21,29 +23,30 @@
gesture_prop
hal_contexthub_service
hal_dice_service
+ hal_drm_service
hal_dumpstate_service
+ hal_graphics_allocator_service
hal_graphics_composer_service
hal_health_service
+ hal_input_processor_service
hal_ir_service
+ hal_nfc_service
hal_nlinterceptor_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
+ hal_usb_service
hal_uwb_service
hal_vehicle_service
hal_wifi_hostapd_service
hal_wifi_supplicant_service
locale_service
+ mdns_service
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
+ resources_manager_service
selection_toolbar_service
snapuserd_proxy_socket
supplemental_process_service
@@ -55,4 +58,5 @@
vendor_vm_data_file
vendor_vm_file
virtual_device_service
- ))
+ wallpaper_effects_generation_service
+))
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index a1a8a64..01504ee 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -1,10 +1,6 @@
# Make ART inputs and outputs available to the CompOS VM
type compos_fd_server, domain, coredomain;
-# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
-# TODO(b/209008712): Remove once migration is done.
-allow compos_fd_server odrefresh:fd use;
-
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
@@ -17,18 +13,14 @@
allow compos_fd_server apex_art_data_file:file create_file_perms;
# Use a pipe to signal readiness
-# TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
-allow compos_fd_server odrefresh:fifo_file write;
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
-allow compos_fd_server odrefresh:fifo_file read;
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Only composd and odrefresh can enter the domain via exec
-# TODO(b/209008712): Remove odrefresh once migration is done.
-neverallow { domain -composd -odrefresh } compos_fd_server:process transition;
+# Only composd can enter the domain via exec
+neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index dd61e39..5f99a92 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -5,7 +5,6 @@
init_daemon_domain(composd)
binder_use(composd)
add_service(composd, compos_service)
-add_service(composd, compos_internal_service)
# Call back into system server
binder_call(composd, system_server)
@@ -26,11 +25,6 @@
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
-# TODO(b/209008712): Remove these when we run odrefresh in the VM
-# Run odrefresh to refresh ART artifacts, and kill it if we need to
-domain_auto_trans(composd, odrefresh_exec, odrefresh)
-allow composd odrefresh:process sigkill;
-
# Run fd_server in its own domain, and send SIGTERM when finished.
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
diff --git a/private/coredomain.te b/private/coredomain.te
index f8a61d2..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -76,6 +76,7 @@
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
@@ -121,6 +122,7 @@
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
@@ -176,6 +178,7 @@
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
diff --git a/private/crosvm.te b/private/crosvm.te
index 5106f87..b3d96c8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,6 +10,9 @@
neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
diff --git a/private/domain.te b/private/domain.te
index d12cbc7..988bd56 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
@@ -121,6 +141,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
@@ -456,6 +477,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel
+ userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -496,6 +518,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
+ userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
@@ -547,6 +570,7 @@
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
@@ -569,6 +593,9 @@
}:file no_rw_file_perms;
')
+# Restrict write access to etm sysfs interface.
+neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+
# Restrict write access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
diff --git a/private/file_contexts b/private/file_contexts
index 4a04532..422d83a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -296,7 +296,6 @@
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
@@ -309,6 +308,7 @@
/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/mtectrl u:object_r:mtectrl_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
@@ -365,6 +365,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a7cdeb8..cb28221 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -262,6 +262,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -326,6 +327,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..36cccdf 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -31,6 +31,12 @@
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 2e4254c..f20d932 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -51,11 +51,12 @@
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
+# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
+allow gpuservice fs_bpf:file { read write };
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
+# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
+allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)
diff --git a/private/logd.te b/private/logd.te
index 7112c4f..62d4196 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -10,6 +10,8 @@
neverallow logd {
file_type
-runtime_event_log_tags_file
+ # shell_data_file access is needed to dump bugreports
+ -shell_data_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
@@ -39,3 +41,11 @@
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
diff --git a/private/mtectrl.te b/private/mtectrl.te
new file mode 100644
index 0000000..436dcae
--- /dev/null
+++ b/private/mtectrl.te
@@ -0,0 +1,10 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)
diff --git a/private/netd.te b/private/netd.te
index d87b9a6..a0c8f8f 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -18,6 +18,7 @@
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
set_prop(netd, ctl_mdnsd_prop)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ca3b515..cdc342d 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -17,6 +17,7 @@
# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b5..2546888 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,7 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 9febf45..d716309 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -45,24 +45,6 @@
get_prop(odrefresh, device_config_runtime_native_prop)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
-# Use inherited stdin/stdout/stderr from composd which exec()'s
-# odrefesh.
-allow odrefresh composd:fd use;
-
-# Run binaries from the CompOS APEX in the same domain
-allow odrefresh system_file:file execute_no_trans;
-
-# Make binder calls back to composd
-binder_use(odrefresh)
-allow odrefresh compos_internal_service:service_manager find;
-binder_call(odrefresh, composd)
-
-# Run fd_server in its own domain
-domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
-
-# And kill it via SIGTERM
-allow odrefresh compos_fd_server:process signal;
-
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
diff --git a/private/perfetto.te b/private/perfetto.te
index 174855f..5897aed 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,10 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
@@ -52,6 +52,7 @@
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
@@ -68,7 +69,31 @@
###
### Neverallow rules
###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676..2535222 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -86,6 +86,13 @@
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index efde321..63f42cb 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -23,7 +23,7 @@
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
- # Allow profcollectd to read system bootstrap libs.
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 5d5869c..c9c811a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -411,10 +411,12 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
+ -system_app
} {
arm64_memtag_prop
}:property_service set;
@@ -555,6 +557,7 @@
domain
-init
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/property_contexts b/private/property_contexts
index 3650a44..1474d00 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -296,9 +296,11 @@
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
@@ -462,6 +464,45 @@
persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+
+bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact uint
+
+bluetooth.profile.a2dp.sink.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.a2dp.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.asha.central.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.target.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.assist.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.unicast.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bass.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.csip.set_coordinator.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.gatt.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.ag.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.hf.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.device.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.host.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.mcp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.opp.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.nap.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.tbs.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.vc.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -666,6 +707,7 @@
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag.mode u:object_r:arm64_memtag_prop:s0 exact string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
diff --git a/private/service.te b/private/service.te
index 10461ec..cd2cec6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,8 +1,11 @@
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
@@ -12,5 +15,5 @@
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
-type compos_internal_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 4bb1a5b..95da67d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,39 +3,45 @@
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
+android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_config_service:s0
-android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
@@ -45,6 +51,7 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -80,8 +87,8 @@
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
-android.system.composd.internal u:object_r:compos_internal_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
+ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -112,6 +119,7 @@
cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
+cloudsearch u:object_r:cloudsearch_service:s0
cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
@@ -198,8 +206,11 @@
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
+logcat u:object_r:logcat_service:s0
+logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
+mdns u:object_r:mdns_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
@@ -266,6 +277,7 @@
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
resolver u:object_r:resolver_service:s0
+resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
@@ -304,6 +316,7 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
@@ -324,7 +337,8 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
tv_iapp u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
@@ -347,6 +361,7 @@
vpn_management u:object_r:vpn_management_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
+wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/shell.te b/private/shell.te
index 709e0b7..63746f6 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -94,6 +94,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property to disable charging.
+set_prop(shell, power_debug_prop)
+
# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
diff --git a/private/snapuserd.te b/private/snapuserd.te
index e3b43a1..2e2c473 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,6 +8,8 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
+allow snapuserd self:capability ipc_lock;
+
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
diff --git a/private/system_app.te b/private/system_app.te
index ce76b69..8c1fdbf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
@@ -88,6 +89,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
@@ -102,6 +104,7 @@
dumpstate_service
installd_service
iorapd_service
+ mdns_service
netd_service
virtual_touchpad_service
vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 68792e8..7024c5a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -97,7 +97,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -277,6 +277,7 @@
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
+binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)
@@ -295,6 +296,7 @@
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -401,7 +403,7 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-allow system_server sysfs_type:dir search;
+allow system_server sysfs_type:dir r_dir_perms;
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
@@ -524,9 +526,9 @@
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Manage /data/backup.
@@ -867,6 +869,7 @@
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
@@ -881,6 +884,7 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')
@@ -915,6 +919,7 @@
clear_ns
clear_uid
get_state
+ list
lock
migrate_any_key
pull_metrics
@@ -1111,6 +1116,8 @@
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
diff --git a/private/traced.te b/private/traced.te
index fc9a245..a6e200e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -118,4 +118,12 @@
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..c4f2cd9 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,22 @@
# Run derive_classpath in our domain
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
neverallow {
domain
-init
diff --git a/public/app.te b/public/app.te
index 7de9c00..09e30ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -8,375 +8,6 @@
###
type appdomain_tmpfs, file_type;
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
###
### Neverallow rules
###
diff --git a/public/attributes b/public/attributes
index 07eecfc..b97bffc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -347,6 +347,7 @@
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
+hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
diff --git a/public/domain.te b/public/domain.te
index e7853ec..50503cd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,6 +101,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
@@ -610,25 +611,6 @@
-update_engine
} system_block_device:blk_file { write append };
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b1f186c..3f9a127 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -147,6 +147,7 @@
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
@@ -253,6 +254,7 @@
-apex_service
-dumpstate_service
-gatekeeper_service
+ -hal_wifi_supplicant_service
-virtual_touchpad_service
-vold_service
-default_android_service
@@ -262,6 +264,7 @@
apex_service
dumpstate_service
gatekeeper_service
+ hal_wifi_supplicant_service
virtual_touchpad_service
vold_service
}:service_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..72fa308 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 3ec6b96..b6d5d92 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
+
+# IAllocator stable-aidl
+hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
+binder_call(hal_graphics_allocator_server, servicemanager)
+binder_call(hal_graphics_allocator_client, servicemanager)
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
new file mode 100644
index 0000000..77d1d70
--- /dev/null
+++ b/public/hal_input_processor.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_processor_client, hal_input_processor_server)
+binder_call(hal_input_processor_server, servicemanager)
+
+hal_attribute_service(hal_input_processor, hal_input_processor_service)
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 7cef4a1..3d0202b 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+binder_call(hal_nfc_server, servicemanager)
hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+hal_attribute_service(hal_nfc, hal_nfc_service)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 8a1fbe5..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,13 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-hal_attribute_service(hal_telephony, hal_radio_config_service)
-hal_attribute_service(hal_telephony, hal_radio_data_service)
-hal_attribute_service(hal_telephony, hal_radio_messaging_service)
-hal_attribute_service(hal_telephony, hal_radio_modem_service)
-hal_attribute_service(hal_telephony, hal_radio_network_service)
-hal_attribute_service(hal_telephony, hal_radio_sim_service)
-hal_attribute_service(hal_telephony, hal_radio_voice_service)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 38bc49a..45cafaa 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,6 +2,9 @@
binder_call(hal_usb_client, hal_usb_server)
binder_call(hal_usb_server, hal_usb_client)
+hal_attribute_service(hal_usb, hal_usb_service)
+binder_call(hal_usb_server, servicemanager)
+
hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
allow hal_usb self:netlink_kobject_uevent_socket create;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b4ff7aa..b531a22 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -5,8 +5,6 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
-binder_call(hal_wifi_supplicant_server, servicemanager)
-
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 5c3e4e7..54e3082 100644
--- a/public/init.te
+++ b/public/init.te
@@ -609,8 +609,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..899df88 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -87,6 +87,7 @@
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -150,6 +151,16 @@
-netutils_wrapper
} dnsresolver_service:service_manager find;
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} mdns_service:service_manager find;
+
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
diff --git a/public/property.te b/public/property.te
index 83dfc36..9f9d489 100644
--- a/public/property.te
+++ b/public/property.te
@@ -121,6 +121,7 @@
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(bluetooth_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
diff --git a/public/service.te b/public/service.te
index e519297..297e47a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
+type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
@@ -157,7 +158,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type nearby_service, system_server_service, service_manager_type;
+type nearby_service, system_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -185,6 +186,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
type rollback_service, app_api_service, system_server_service, service_manager_type;
@@ -237,11 +239,12 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type virtual_device_service, system_api_service, system_server_service, service_manager_type;
+type virtual_device_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
@@ -265,29 +268,27 @@
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
+type hal_drm_service, vendor_service, service_manager_type;
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_allocator_service, vendor_service, service_manager_type;
type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_input_processor_service, vendor_service, protected_service, service_manager_type;
type hal_ir_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
type hal_neuralnetworks_service, vendor_service, service_manager_type;
+type hal_nfc_service, vendor_service, protected_service, service_manager_type;
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_sensors_service, vendor_service, protected_service, service_manager_type;
@@ -295,6 +296,7 @@
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
+type hal_usb_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 60e3521..4175c86 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,6 +85,7 @@
-incident_service
-installd_service
-iorapd_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
diff --git a/public/system_server.te b/public/system_server.te
index edefadf..cb7f288 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -14,4 +14,5 @@
-init
-vendor_init
-system_server
+ -shell
} power_debug_prop:property_service set;
diff --git a/public/te_macros b/public/te_macros
index c112cc1..032534f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1021,3 +1021,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 03c4944..1ab150d 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -12,6 +12,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..4e3c7c2 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -60,8 +60,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c6e5e82..24d144a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -191,8 +191,7 @@
allow vendor_init misc_block_device:blk_file w_file_perms;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;
@@ -220,6 +219,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
deleted file mode 100644
index c0c3abb..0000000
--- a/seapp_contexts.mk
+++ /dev/null
@@ -1,142 +0,0 @@
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
-
-built_plat_sc := $(LOCAL_BUILT_MODULE)
-plat_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := system_ext_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-system_ext_sc_files := $(call build_policy, seapp_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(system_ext_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(system_ext_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-system_ext_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-product_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_sc_files := $(call build_policy, seapp_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_vendor_sc := $(LOCAL_BUILT_MODULE)
-vendor_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_odm_sc := $(LOCAL_BUILT_MODULE)
-odm_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- - $(hide) grep -ihe '^neverallow' $< > $@
-
-plat_sc_neverallow_files :=
diff --git a/tests/Android.bp b/tests/Android.bp
index 959a214..8ca952d 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,6 +11,7 @@
srcs: ["sepol_wrap.cpp"],
cflags: ["-Wall", "-Werror",],
export_include_dirs: ["include"],
+ stl: "c++_static",
// libsepolwrap gets loaded from the system python, which does not have the
// ASAN runtime. So turn off sanitization for ourself, and use static
@@ -24,34 +25,46 @@
},
}
+python_library_host {
+ name: "mini_cil_parser",
+ srcs: ["mini_parser.py"],
+}
+
+python_library_host {
+ name: "pysepolwrap",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ ],
+}
+
python_binary_host {
name: "treble_sepolicy_tests",
srcs: [
- "fc_sort.py",
- "mini_parser.py",
- "policy.py",
"treble_sepolicy_tests.py",
],
- required: ["libsepolwrap"],
+ libs: [
+ "mini_cil_parser",
+ "pysepolwrap",
+ ],
+ data: [":libsepolwrap"],
}
python_binary_host {
name: "sepolicy_tests",
srcs: [
- "fc_sort.py",
- "policy.py",
"sepolicy_tests.py",
],
- required: ["libsepolwrap"],
+ libs: ["pysepolwrap"],
+ data: [":libsepolwrap"],
}
python_binary_host {
name: "searchpolicy",
srcs: [
- "fc_sort.py",
- "policy.py",
"searchpolicy.py",
],
+ libs: ["pysepolwrap"],
required: ["libsepolwrap"],
}
@@ -59,8 +72,8 @@
name: "combine_maps",
srcs: [
"combine_maps.py",
- "mini_parser.py",
],
+ libs: ["mini_cil_parser"],
}
python_binary_host {
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index a05d8f2..0a87a13 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,6 +18,7 @@
import policy
import re
import sys
+import distutils.ccompiler
#############################################################
# Tests
@@ -141,24 +142,21 @@
]
if __name__ == '__main__':
- usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
- usage += "-f vendor_file_contexts -f "
+ usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
help="Test options include "+str(Tests))
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
@@ -173,7 +171,7 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
results = ""
# If an individual test is not specified, run all tests.
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1c5b8e2..a3bf661 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,6 +20,7 @@
from policy import MatchPathPrefix
import re
import sys
+import distutils.ccompiler
DEBUG=False
@@ -341,7 +342,7 @@
"ViolatorAttributes": TestViolatorAttributes}
if __name__ == '__main__':
- usage = "treble_sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
@@ -351,7 +352,6 @@
metavar="FILE")
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
@@ -362,11 +362,6 @@
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
if not options.policy:
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -379,6 +374,11 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -394,8 +394,8 @@
if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, options.libpath)
- oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
+ basepol = policy.Policy(options.basepolicy, None, libpath)
+ oldpol = policy.Policy(options.oldpolicy, None, libpath)
mapping = mini_parser.MiniCilParser(options.mapping)
pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
compatSetup(basepol, oldpol, mapping, pubpol.types)
@@ -403,7 +403,7 @@
if options.faketreble:
FakeTreble = True
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
setup(pol)
if DEBUG:
diff --git a/tools/Android.bp b/tools/Android.bp
index c480dc2..fcf375d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -63,3 +63,10 @@
name: "insertkeys",
srcs: ["insertkeys.py"],
}
+
+python_binary_host {
+ name: "sepolicy_generate_compat",
+ srcs: ["sepolicy_generate_compat.py"],
+ libs: ["mini_cil_parser", "pysepolwrap"],
+ data: [":libsepolwrap"],
+}
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
new file mode 100644
index 0000000..317a00e
--- /dev/null
+++ b/tools/sepolicy_generate_compat.py
@@ -0,0 +1,241 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import distutils.ccompiler
+import glob
+import logging
+import mini_parser
+import os
+import policy
+import shutil
+import subprocess
+import tempfile
+import zipfile
+"""This tool generates a mapping file for {ver} core sepolicy."""
+
+temp_dir = ''
+
+
+def check_run(cmd, cwd=None):
+ if cwd:
+ logging.debug('Running cmd at %s: %s' % (cwd, cmd))
+ else:
+ logging.debug('Running cmd: %s' % cmd)
+ subprocess.run(cmd, cwd=cwd, check=True)
+
+
+def check_output(cmd):
+ logging.debug('Running cmd: %s' % cmd)
+ return subprocess.run(cmd, check=True, stdout=subprocess.PIPE)
+
+
+def get_android_build_top():
+ ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP')
+ if not ANDROID_BUILD_TOP:
+ sys.exit(
+ 'Error: Missing ANDROID_BUILD_TOP env variable. Please run '
+ '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.')
+ return ANDROID_BUILD_TOP
+
+
+def fetch_artifact(branch, build, pattern, destination='.'):
+ """Fetches build artifacts from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from
+ build: string, build ID or "latest"
+ pattern: string, pattern of build artifact file name
+ destination: string, destination to pull build artifact to
+ """
+ fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact'
+ cmd = [
+ fetch_artifact_path, '--branch', branch, '--target',
+ 'aosp_arm64-userdebug'
+ ]
+ if build == 'latest':
+ cmd.append('--latest')
+ else:
+ cmd.extend(['--bid', build])
+ cmd.extend([pattern, destination])
+ check_run(cmd)
+
+
+def extract_mapping_file_from_img(img_path, ver, destination='.'):
+ """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file.
+
+ Args:
+ img_path: string, path to system.img file
+ ver: string, version of designated mapping file
+ destination: string, destination to pull the mapping file to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+
+ cmd = [
+ 'debugfs', '-R',
+ 'cat system/etc/selinux/mapping/%s.cil' % ver, img_path
+ ]
+ path = os.path.join(destination, '%s.cil' % ver)
+ with open(path, 'wb') as f:
+ logging.debug('Extracting %s.cil to %s' % (ver, destination))
+ f.write(check_output(cmd).stdout)
+ return path
+
+
+def download_mapping_file(branch, build, ver, destination='.'):
+ """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev")
+ build: string, build ID or "latest"
+ ver: string, version of designated mapping file (e.g. "32.0")
+ destination: string, destination to pull build artifact to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+ logging.info('Downloading %s mapping file from branch %s build %s...' %
+ (ver, branch, build))
+ artifact_pattern = 'aosp_arm64-img-*.zip'
+ fetch_artifact(branch, build, artifact_pattern, temp_dir)
+
+ # glob must succeed
+ zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
+ with zipfile.ZipFile(zip_path) as zip_file:
+ logging.debug('Extracting system.img to %s' % temp_dir)
+ zip_file.extract('system.img', temp_dir)
+
+ system_img_path = os.path.join(temp_dir, 'system.img')
+ return extract_mapping_file_from_img(system_img_path, ver, destination)
+
+
+def build_base_files(target_version):
+ """ Builds needed base policy files from the source code.
+
+ Args:
+ target_version: string, target version to gerenate the mapping file
+
+ Returns:
+ (string, string, string), paths to base policy, old policy, and pub policy
+ cil
+ """
+ logging.info('building base sepolicy files')
+ build_top = get_android_build_top()
+
+ cmd = [
+ 'build/soong/soong_ui.bash',
+ '--make-mode',
+ 'dist',
+ 'base-sepolicy-files-for-mapping',
+ 'TARGET_PRODUCT=aosp_arm64',
+ 'TARGET_BUILD_VARIANT=userdebug',
+ ]
+ check_run(cmd, cwd=build_top)
+
+ dist_dir = os.path.join(build_top, 'out', 'dist')
+ base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy')
+ old_policy_path = os.path.join(dist_dir,
+ '%s_plat_sepolicy' % target_version)
+ pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil')
+
+ return base_policy_path, old_policy_path, pub_policy_cil_path
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--branch',
+ required=True,
+ help='Branch to pull build from. e.g. "sc-v2-dev"')
+ parser.add_argument('--build', required=True, help='Build ID, or "latest"')
+ parser.add_argument(
+ '--target-version',
+ required=True,
+ help='Target version of designated mapping file. e.g. "32.0"')
+ parser.add_argument(
+ '--latest-version',
+ required=True,
+ help='Latest version for mapping of newer types. e.g. "31.0"')
+ parser.add_argument(
+ '-v',
+ '--verbose',
+ action='count',
+ default=0,
+ help='Increase output verbosity, e.g. "-v", "-vv".')
+ return parser.parse_args()
+
+
+def main():
+ args = get_args()
+
+ verbosity = min(args.verbose, 2)
+ logging.basicConfig(
+ format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
+ level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity])
+
+ global temp_dir
+ temp_dir = tempfile.mkdtemp()
+
+ try:
+ libpath = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
+ distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit(
+ 'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
+ )
+
+ build_top = get_android_build_top()
+ sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+
+ # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
+ mapping_file = download_mapping_file(args.branch, args.build,
+ args.target_version)
+ mapping_file_cil = mini_parser.MiniCilParser(mapping_file)
+ mapping_file_cil.types = set()
+ mapping_file_cil.typeattributes = set()
+
+ # Step 2. Build base policy files and parse latest mapping files
+ base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files(
+ args.target_version)
+ base_policy = policy.Policy(base_policy_path, None, libpath)
+ old_policy = policy.Policy(old_policy_path, None, libpath)
+ pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path)
+
+ all_types = base_policy.GetAllTypes(False)
+ old_all_types = old_policy.GetAllTypes(False)
+ pub_types = pub_policy_cil.types
+
+ # Step 3. Find new types and removed types
+ new_types = pub_types & (all_types - old_all_types)
+ removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & (
+ old_all_types - all_types)
+
+ logging.info('new types: %s' % new_types)
+ logging.info('removed types: %s' % removed_types)
+
+ # TODO: Step 4. Map new types and removed types appropriately
+ finally:
+ logging.info('Deleting temporary dir: {}'.format(temp_dir))
+ shutil.rmtree(temp_dir)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 77945b7..6a56d58 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -85,6 +85,9 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+# TODO(b/214336258): move to Soong
+$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
+
$(version)_plat_policy.conf :=
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
@@ -164,8 +167,7 @@
$(public_cil_files) \
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-u $(PRIVATE_PLAT_PUB_SEPOLICY) \
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4fc0460..762cf20 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,7 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-default-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -25,12 +25,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
@@ -51,6 +53,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.processor-service u:object_r:hal_input_processor_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.example u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
@@ -87,6 +90,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
new file mode 100644
index 0000000..ab474d6
--- /dev/null
+++ b/vendor/hal_drm_clearkey.te
@@ -0,0 +1,6 @@
+type hal_drm_clearkey_aidl, domain;
+type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey_aidl)
+
+hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
index 7f84687..550db95 100644
--- a/vendor/hal_identity_default.te
+++ b/vendor/hal_identity_default.te
@@ -3,3 +3,8 @@
type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_identity_default)
+
+# We need to get a handle to the IRemotelyProvisionedComponent, and it's hosted by
+# the keymint HAL.
+hal_client_domain(hal_identity_default, hal_keymint)
+
diff --git a/vendor/hal_input_processor_default.te b/vendor/hal_input_processor_default.te
new file mode 100644
index 0000000..33a5c41
--- /dev/null
+++ b/vendor/hal_input_processor_default.te
@@ -0,0 +1,5 @@
+type hal_input_processor_default, domain;
+hal_server_domain(hal_input_processor_default, hal_input_processor)
+
+type hal_input_processor_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_processor_default)