Merge "Revert^2 "Allow anyone to read aconfig test mission file"" into main
diff --git a/Android.bp b/Android.bp
index 496de06..dc6761c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -88,16 +88,7 @@
srcs: ["technical_debt.cil"],
}
-soong_config_module_type {
- name: "se_phony",
- module_type: "phony",
- config_namespace: "ANDROID",
- bool_variables: ["PRODUCT_PRECOMPILED_SEPOLICY"],
- list_variables: ["PLATFORM_SEPOLICY_COMPAT_VERSIONS"],
- properties: ["required"],
-}
-
-se_phony {
+phony {
// Currently used only for aosp_cf_system_x86_64
// TODO(b/329208946): migrate selinux_policy_system to Soong
name: "selinux_policy_system_soong",
@@ -113,18 +104,28 @@
"plat_sepolicy.cil",
"plat_service_contexts",
"secilc",
- ],
- soong_config_variables: {
- PLATFORM_SEPOLICY_COMPAT_VERSIONS: {
- required: [
- "plat_%s.cil",
- "%s.compat.cil",
- ],
- },
- PRODUCT_PRECOMPILED_SEPOLICY: {
- required: ["plat_sepolicy_and_mapping.sha256"],
- },
- },
+ "plat_29.0.cil",
+ "29.0.compat.cil",
+ "plat_30.0.cil",
+ "30.0.compat.cil",
+ "plat_31.0.cil",
+ "31.0.compat.cil",
+ "plat_32.0.cil",
+ "32.0.compat.cil",
+ "plat_33.0.cil",
+ "33.0.compat.cil",
+ "plat_34.0.cil",
+ "34.0.compat.cil",
+ ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+ "202404": [],
+ default: [
+ "plat_202404.cil",
+ "202404.compat.cil",
+ ],
+ }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+ true: ["plat_sepolicy_and_mapping.sha256"],
+ default: [],
+ }),
}
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
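Review bot: The required list of selinux_policy_system_soong now hard-codes the 29.0 through 34.0 compat pairs that the removed PLATFORM_SEPOLICY_COMPAT_VERSIONS list variable used to supply, so each future compat version must be added here by hand as well as wherever that variable is still maintained, and the select on PLATFORM_SEPOLICY_VERSION special-cases only "202404". A comment above `"plat_29.0.cil",` such as `// Keep in sync with PLATFORM_SEPOLICY_COMPAT_VERSIONS: add a plat_<ver>.cil/<ver>.compat.cil pair per compat version, and move the current version into the select's empty case.` would make that obligation visible to the next person bumping the version. The module body starts in the previous hunk.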
diff --git a/OWNERS b/OWNERS
index 1f2ac9b..6a2b611 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,5 +1,4 @@
adamshih@google.com
-alanstokes@google.com
bowgotsai@google.com
inseob@google.com
jbires@google.com
@@ -7,3 +6,5 @@
jiyong@google.com
smoreland@google.com
tweek@google.com
+
+per-file service_fuzzer_bindings.go = waghpawan@google.com
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a65de35..d4c81e8 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -231,6 +231,14 @@
}
}
+func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
return !m.ModuleBase.InstallInRecovery()
}
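Review bot: The new VendorVariantNeeded and ProductVariantNeeded methods return false with no comment, so a reader cannot tell whether "never needed" is a deliberate statement that selinux contexts are built only for the core image or a placeholder; the same applies to the identical pair added to contextsTestModule in the next hunk. Suggest a doc comment on each, e.g. `// VendorVariantNeeded reports whether a vendor image variant of this module is required; these modules are only installed in the core image, so it never is.` (adjust the reason if a vendor/product install path exists elsewhere in the file), and the equivalent wording for ProductVariantNeeded. The unused ctx parameter is fine for interface satisfaction but could be written as `_` to signal that.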
@@ -706,6 +714,14 @@
func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
}
+func (m *contextsTestModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *contextsTestModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
return true
}
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 6ea7679..b7364bd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -190,6 +190,7 @@
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
+ "android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 0bd8e07..4c8f9cb 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -774,6 +774,9 @@
/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+/system/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+
/system_ext/lib system_lib_file
/system_ext/lib/does_not_exist system_lib_file
/system_ext/lib64 system_lib_file
diff --git a/private/app.te b/private/app.te
index 30931e4..1dd7fda 100644
--- a/private/app.te
+++ b/private/app.te
@@ -643,7 +643,7 @@
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
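Review bot: Widening the neverallow exception to `~{ getattr read map }` for both untrusted_app_all and isolated_app_all is broader than the accompanying allow rule, which (in isolated_app_all.te in this change) grants `map` on staged apks only to isolated_app_all. Since this neverallow is the build-time guard that would catch a future `allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file map`, consider splitting it so only isolated apps gain the exemption: `neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };` and `neverallow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };`. If untrusted apps are meant to be allowed `map` as well, a comment saying so would stop the next reader from tightening it back.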
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
new file mode 100644
index 0000000..c14f5e0
--- /dev/null
+++ b/private/custom_vm_setup.te
@@ -0,0 +1,6 @@
+type custom_vm_setup, domain, coredomain;
+type custom_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ init_daemon_domain(custom_vm_setup)
+')
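Review bot: The new custom_vm_setup domain is declared without any comment on what the daemon does or why it is launched two different ways: init_daemon_domain(custom_vm_setup) here sets up the init → custom_vm_setup transition on custom_vm_setup_exec, while shell.te in the same change grants shell `entrypoint` on that exec type, which permits the same binary to be used as an entry point into the shell domain (presumably via a seclabel in its .rc — confirm). A header comment such as `# custom_vm_setup: <one-line purpose>; started by init when RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES is enabled.` plus a line explaining the shell entrypoint would make the intended execution path clear. The two type declarations are unconditional while the domain setup is flag-gated, so on builds without the flag the exec type exists with no rules attached; that is a safe fail-closed default but worth one sentence so it is not mistaken for an oversight.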
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 4267d09..4a964fd 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -52,6 +52,7 @@
apex_mnt_dir
apk_data_file
binderfs
+ binfmt_miscfs
cgroup
cgroup_v2
userdebug_or_eng(debugfs)
@@ -81,6 +82,7 @@
allow dexopt_chroot_setup {
binderfs
+ binfmt_miscfs
cgroup
cgroup_v2
userdebug_or_eng(debugfs)
diff --git a/private/domain.te b/private/domain.te
index 67ff430..4cf9138 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2237,3 +2237,6 @@
# Only init/vendor are allowed to write sysfs_pgsize_migration;
# ueventd needs write access to all sysfs files.
neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
+
+# We need to be able to rely on vsock labels, so disallow changing them.
+neverallow domain *:vsock_socket { relabelfrom relabelto };
diff --git a/private/file_contexts b/private/file_contexts
index f0832f3..76f412a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -530,6 +530,7 @@
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/(system_ext|system/system_ext)/bin/custom_vm_setup u:object_r:custom_vm_setup_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 8c1fdcb..12b1794 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,8 +32,8 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app_all shell_data_file:dir search;
-# Allow to read (but not open) staged apks.
-allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+# Allow to read, map (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr map };
#####
##### Neverallow
diff --git a/private/property.te b/private/property.te
index 19513d9..77fd497 100644
--- a/private/property.te
+++ b/private/property.te
@@ -66,6 +66,7 @@
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)
+system_internal_prop(system_service_enable_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 9b48082..601dc99 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1695,3 +1695,7 @@
# Properties for controlling snapshotctl.
sys.snapshotctl.map u:object_r:snapshotctl_prop:s0 exact string
sys.snapshotctl.unmap u:object_r:snapshotctl_prop:s0 exact string
+
+# Properties for enabling/disabling system services
+ro.system_settings.service.odp_enabled u:object_r:system_service_enable_prop:s0 exact bool
+ro.system_settings.service.backgound_install_control_enabled u:object_r:system_service_enable_prop:s0 exact bool
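Review bot: `ro.system_settings.service.backgound_install_control_enabled` looks misspelled ("backgound" for "background"); property_contexts matches names exactly (the entry is `exact bool`), so if the code sets `ro.system_settings.service.background_install_control_enabled` that property will not receive the system_service_enable_prop label and the new get_prop(system_server, system_service_enable_prop) in system_server.te will not cover it. Unless the setter really uses this spelling, change the line to `ro.system_settings.service.background_install_control_enabled u:object_r:system_service_enable_prop:s0 exact bool`.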
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a07d272..291e097 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -121,9 +121,6 @@
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
-# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
-# and levelFromUid=false is equivalent to levelFrom=none.
-#
#
# Neverallow Assertions
# Additional compile time assertion checks for the rules in this file can be
diff --git a/private/service.te b/private/service.te
index 1fb4d1d..6c55ed4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -31,7 +31,8 @@
type virtualization_maintenance_service, service_manager_type;
')
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
- type vmnic_service, service_manager_type;
+ type vm_tethering_service, system_server_service, service_manager_type;
+ type vmnic_service, service_manager_type;
')
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index c7917f1..d1eecd5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -172,6 +172,7 @@
')
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+ android.system.vmtethering.IVmTethering u:object_r:vm_tethering_service:s0
')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 7a5bf51..6764b45 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -44,6 +44,8 @@
allow servicemanager kmsg_device:chr_file rw_file_perms;
+perfetto_producer(servicemanager)
+
recovery_only(`
# Read VINTF files.
r_dir_file(servicemanager, rootfs)
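Review bot: `perfetto_producer(servicemanager)` is added without the explanatory comment that the surrounding rules carry (e.g. `# Read VINTF files.`), so it is unclear what servicemanager is expected to trace and why it now needs to talk to the tracing daemon. Suggest a line above it such as `# Allow servicemanager to publish trace data to perfetto (<what is traced> — confirm).` with the actual data source filled in.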
diff --git a/private/shell.te b/private/shell.te
index e421ec6..d613a94 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -468,6 +468,10 @@
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+')
+
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
diff --git a/private/system_server.te b/private/system_server.te
index e7ae9fc..1298bf7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -900,6 +900,9 @@
# configuration properties
get_prop(system_server, sensors_config_prop)
+# Allow system server to determine if system services are enabled
+get_prop(system_server, system_service_enable_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3d0aac0..bc29e39 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -28,6 +28,7 @@
# Let virtualizationservice find and communicate with vmnic.
allow virtualizationservice vmnic_service:service_manager find;
binder_call(virtualizationservice, vmnic)
+ allow virtualizationservice vm_tethering_service:service_manager find;
')
# Allow the virtualizationservice domain to serve a remotely provisioned component for
@@ -84,10 +85,10 @@
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;
-# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# Accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
-allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
+allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept };
+neverallow { domain -virtualizationservice -dumpstate } virtualizationservice:vsock_socket *;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
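Review bot: The spelled-out list on the new `allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept };` line is, if I read create_socket_perms_no_ioctl correctly, that macro plus listen/accept minus `connect`, so the rewrite quietly drops virtualizationservice's ability to initiate vsock connections — a real policy change hiding inside what reads like a plain expansion. If dropping connect is intended (it fits the new domain.te rule that vsock labels are relied upon), say so above the rule: `# Deliberately omits connect: virtualizationservice only accepts guest vsock connections, never initiates them.` The neverallow now exempts dumpstate from `*` entirely, which means a future allow granting dumpstate bind/listen/accept on this socket would no longer be caught; if dumpstate only needs a read-only permission for bugreports, consider keeping it in the neverallow and excluding just that set, e.g. `neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket ~{ <perms dumpstate needs> };`, adjusted to what dumpstate actually uses.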
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 02882af..f19b0f1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -233,7 +233,6 @@
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },
- { .name = "levelFromUid", .dir = dir_out, .fn_validate = validate_bool },
{ .name = "levelFrom", .dir = dir_out, .fn_validate = validate_levelFrom },
{ .name = "level", .dir = dir_out, .fn_validate = validate_selinux_level },
};