Merge "Add remote_provisioning.connect_timeout_millis as sysprop" into main
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index eb7cb06..dd883cc 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -103,6 +103,10 @@
return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
}
+func (c *cilCompatMap) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.shouldSkipBuild(ctx) {
return
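Review bot: The new stem() method carries no doc comment, so a reader has to infer from the call site that Stem is an optional property overriding the module name; `// stem returns the installed file name: the Stem property when set, else the module name.` would make that explicit. GenerateAndroidBuildActions begins at the end of this hunk and continues outside it.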
@@ -144,6 +148,7 @@
} else {
c.installSource = android.OptionalPathForPath(bottomHalf)
}
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource.Path())
}
func (c *cilCompatMap) DepsMutator(ctx android.BottomUpMutatorContext) {
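Review bot: The added `ctx.InstallFile(c.installPath, c.stem(), c.installSource.Path())` calls Path() on an android.OptionalPath unconditionally; if any path through the function above the hunk leaves installSource unset, Path() panics during the build instead of producing a readable error. Only the else branch is visible here, so if installSource can be invalid on the other branch, guard the install: `if c.installSource.Valid() { ctx.InstallFile(c.installPath, c.stem(), c.installSource.Path()) }`. GenerateAndroidBuildActions starts outside this hunk.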
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c76f030..8af0fda 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -483,6 +483,7 @@
/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
/system/bin/uprobestats uprobestats_exec
+/system/bin/trace_redactor trace_redactor_exec
/vendor vendor_file
/vendor/does_not_exist vendor_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index bdd0481..b40a80a 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -17,6 +17,7 @@
se_flags {
name: "aosp_selinux_flags",
flags: [
+ "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 62ca9b7..e250c35 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -20,6 +20,8 @@
type encryptedstore_file, file_type;
type encryptedstore_fs, fs_type, contextmount_type;
+type microdroid_resources_file, file_type;
+
# Filesystem entry for for PRNG seeder socket.
type prng_seeder_socket, file_type, coredomain_socket;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 03e9cba..6414f76 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -15,7 +15,7 @@
# Empty directories
/lost\+found u:object_r:rootfs:s0
/debug_ramdisk u:object_r:tmpfs:s0
-/microdroid_resources u:object_r:tmpfs:s0
+/microdroid_resources(/.*)? u:object_r:microdroid_resources_file:s0
/mnt u:object_r:tmpfs:s0
/proc u:object_r:rootfs:s0
/second_stage_resources u:object_r:tmpfs:s0
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..0b650d3 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,10 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
+
+# We run restorecon_recursive /microdroid_resources during setup_selinux stage which runs in the
+# kernel domain. This is to avoid granting init weird capabilities like
+# `allow init tmpfs:file relabelfrom;`
+allow kernel microdroid_resources_file:dir { read open search relabelto};
+allow kernel microdroid_resources_file:file relabelto;
+allow kernel tmpfs:file { getattr relabelfrom };
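Review bot: `allow kernel tmpfs:file { getattr relabelfrom };` applies to every tmpfs-labelled file in the VM, not only the contents of /microdroid_resources, because the not-yet-relabelled files carry the generic tmpfs type; the policy cannot narrow that by path, so the comment above should state that the grant is intentionally wider than the directory it serves, e.g. `# relabelfrom is granted on all tmpfs files because the unrelabelled contents carry the generic tmpfs type.`. The directory is relabelled via `relabelto` on microdroid_resources_file:dir, but no matching `tmpfs:dir relabelfrom` appears in this hunk; if it is not granted elsewhere, restorecon_recursive will be denied on the directory entry itself. The file_contexts change in this commit maps both the directory and its children to microdroid_resources_file.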
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d1a5c6f..75c89be 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -24,6 +24,19 @@
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
+# In case Microdroid VM is started with microdroid vendor partition, the first_stage_init
+# will derive a microdroid vendor dice node, and write a resulting dice chain into file
+# with dice_chain_file type, microdroid_manager will need to read it to derive the next chain.
+allow microdroid_manager microdroid_resources_file:file { rw_file_perms unlink };
+# In case dice chain is stored in dice_chain_file microdroid_manager will delete it after deriving
+# the next dice chain.
+allow microdroid_manager microdroid_resources_file:dir { remove_name search write };
+
+# Microdroid manager unmounts /microdroid_resources before starting the payload.
+# This is a defence-in-depth measure to ensure that payload can't read the dice chain stored
+# on /microdroid_resources/dice_chain.raw
+allow microdroid_manager tmpfs:filesystem unmount;
+
# Block crash dumps to ensure the DICE secrets are not leaked.
typeattribute microdroid_manager no_crash_dump_domain;
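Review bot: The comment says microdroid_manager needs to read the dice chain file and then delete it, but the rule grants `rw_file_perms` (write and append included) on microdroid_resources_file:file. If no write is required, `allow microdroid_manager microdroid_resources_file:file { r_file_perms unlink };` keeps the domain to what the comment describes. `allow microdroid_manager tmpfs:filesystem unmount;` covers any tmpfs mount rather than just /microdroid_resources; a short comment noting that the filesystem class cannot be narrowed by mount point would stop a later reader from trying to tighten it.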
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index d08e935..90f09e8 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -8,4 +8,5 @@
profcollectd_etr_prop
fs_bpf_lmkd_memevents_rb
fs_bpf_lmkd_memevents_prog
+ binderfs_logs_transactions
))
diff --git a/private/crosvm.te b/private/crosvm.te
index 6ad3727..fced92f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -81,6 +81,24 @@
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # Allow crosvm to draw screen in the surface
+ allow crosvm device:dir { read open };
+ allow crosvm same_process_hal_file:file { read open getattr map execute };
+ allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
+ allow crosvm hal_graphics_allocator:fd use;
+ allow crosvm hal_graphics_allocator_server:binder call;
+ allow crosvm surfaceflinger:fd use;
+ hal_client_domain(crosvm, hal_graphics_allocator)
+
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow crosvm vmlauncher_app:binder { transfer call };
+ allow crosvm servicemanager:binder { call transfer };
+ allow crosvm virtualization_service:service_manager find;
+ allow crosvm virtualizationservice:binder { call transfer };
+')
+
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
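Review bot: `open` appears twice in `allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };`; drop the duplicate: `allow crosvm gpu_device:chr_file { read write open ioctl map getattr };`. The `map` and `execute` permissions on same_process_hal_file:file let crosvm load vendor-supplied code into its own process, which is also why the later hunk in this file exempts same_process_hal_file from the neverallow; the block comment should say that this trust expansion is deliberate rather than only "draw screen in the surface". The `ioctl` grant on gpu_device is unrestricted; if the set of ioctls the GPU path needs is known, an `allowxperm` allowlist would bound it.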
@@ -136,6 +154,7 @@
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
}:file *;
')
diff --git a/private/domain.te b/private/domain.te
index 747ac3d..bac2a7e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -500,6 +500,9 @@
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transactions:file no_rw_file_perms;
+
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
@@ -1606,7 +1609,6 @@
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
- -viewcompiler
-zygote
} { privapp_data_file app_data_file }:dir *;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 7f91651..bccbafd 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -128,6 +128,9 @@
set_prop(dumpstate, ctl_gsid_prop)
binder_call(dumpstate, gsid)
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs_transactions:file r_file_perms;
+
r_dir_file(dumpstate, ota_metadata_file)
# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
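Review bot: The comment `#Allow access to /dev/binderfs/binder_logs` lacks the space after `#` used elsewhere in this file and names the whole binder_logs directory, while the rule grants read on the transactions file only; `# Allow dumpstate to read /dev/binderfs/binder_logs/transactions` matches the rule.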
diff --git a/private/file_contexts b/private/file_contexts
index 193c033..567f30d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -339,6 +339,7 @@
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
+/system/bin/trace_redactor u:object_r:trace_redactor_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
@@ -347,7 +348,6 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6bcd617..b6b18c0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -305,6 +305,7 @@
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
+genfscon binder /binder_logs/transactions u:object_r:binderfs_logs_transactions:s0
genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
diff --git a/private/installd.te b/private/installd.te
index feb47f7..0a50285 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -12,9 +12,6 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-# Run viewcompiler in its own sandbox.
-domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
-
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
diff --git a/private/perfetto.te b/private/perfetto.te
index 616da39..07d4399 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -95,6 +95,7 @@
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For stating traces for bug-report UI.
-system_server # For accessing traces started by profiling apis.
+ -trace_redactor # For accessing traces to be redacted.
} perfetto_traces_data_file:dir *;
neverallow {
domain
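Review bot: The `-trace_redactor` exemption removes trace_redactor from a neverallow that forbids every dir permission on perfetto_traces_data_file, while trace_redactor.te in this commit grants only `search` on that directory; the next hunk does the same at file level, where the exemption is broader than the `{ read getattr ioctl }` actually granted. Since that neverallow already tolerates `getattr` and `read`, the only excess permission is `ioctl`; if the redactor reads the trace through an fd inherited from system_server, ioctl is probably unnecessary and the file-level exemption could be dropped altogether. At minimum the comment should reflect the narrow grant, e.g. `-trace_redactor # Only search is granted, to reach traces to be redacted.`.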
@@ -104,6 +105,7 @@
-shell # For devepment purposes.
-traced # For write_into_file traces.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -trace_redactor # For redacting trace files.
} perfetto_traces_data_file:file ~{ getattr read };
### perfetto should NEVER do any of the following
diff --git a/private/property_contexts b/private/property_contexts
index 960a321..6629169 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -762,6 +762,7 @@
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.swap_compression_ratio u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 2219631..8884a7a 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -75,7 +75,7 @@
# An unspecified isSdkSandboxAudit defaults to false.
#
# Precedence: entries are compared using the following rules, in the order shown
-# (see external/selinux/libselinux/src/android/android_platform.c,
+# (see external/selinux/libselinux/src/android/android_seapp.c,
# seapp_context_cmp()).
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
@@ -224,3 +224,4 @@
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
+user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/system_server.te b/private/system_server.te
index 9b3ddfd..f6ae092 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -333,6 +333,7 @@
hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_secretkeeper)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_threadnetwork)
@@ -586,9 +587,14 @@
# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
-allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
+allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
allow system_server perfetto_traces_data_file:dir search;
+# Allow system server to exec the trace redactor cmdline client and kill the process for
+# ProfilingService.
+domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
+allow system_server trace_redactor:process signal;
+
# Allow system server to kill perfetto processes for ProfilingService.
allow system_server perfetto:process signal;
@@ -1319,7 +1325,8 @@
# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
-neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
+# add perfetto and trace_redactor which are exec'd from system server for ProfilingService.
+neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
neverallow system_server *:process dyntransition;
# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
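Review bot: The inserted comment `# add perfetto and trace_redactor which are exec'd from system server for ProfilingService.` reads like a commit message rather than a description of the rule and sits between the existing two-line explanation and the neverallow. Fold it into the existing sentence instead, replacing the second comment line with `# transitioning to the crash_dump domain when a crash occurs, forking clatd, or exec'ing perfetto and trace_redactor for ProfilingService.` and dropping the added line.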
@@ -1601,6 +1608,8 @@
# Allow system server to read binderfs
allow system_server binderfs_logs:dir r_dir_perms;
allow system_server binderfs_logs_stats:file r_file_perms;
+# For ANRs
+allow system_server binderfs_logs_transactions:file r_file_perms;
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
diff --git a/private/trace_redactor.te b/private/trace_redactor.te
new file mode 100644
index 0000000..fbca3fd
--- /dev/null
+++ b/private/trace_redactor.te
@@ -0,0 +1,13 @@
+# Trace Redactor command line
+type trace_redactor_exec, system_file_type, exec_type, file_type;
+type trace_redactor, domain, coredomain;
+
+# Use pipes provided by system_server
+allow trace_redactor system_server:fd use;
+allow trace_redactor system_server:fifo_file { read write getattr ioctl };
+
+# Allow trace_redactor to read output trace file and write to new redacted file.
+allow trace_redactor perfetto_traces_profiling_data_file:dir search;
+allow trace_redactor perfetto_traces_data_file:dir search;
+allow trace_redactor perfetto_traces_data_file:file { read getattr ioctl };
+allow trace_redactor perfetto_traces_profiling_data_file:file rw_file_perms;
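Review bot: The rule on perfetto_traces_data_file:file grants `{ read getattr ioctl }` without `open`, which only works if system_server hands the input trace over as an already-open fd; that assumption should be recorded next to the rule, e.g. `# The input trace arrives as an fd inherited from system_server, so open is intentionally not granted.`. If the redactor issues no ioctls on the input file, drop `ioctl` too, as it is the only permission here that needed the file-level exemption added to the neverallow in perfetto.te. A local `neverallow trace_redactor perfetto_traces_data_file:file ~{ read getattr ioctl };` would restore for this domain the read-only guarantee on the original trace that the perfetto.te exemption gave up. A header line stating that the domain is only entered through domain_auto_trans from system_server would complete the file.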
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
deleted file mode 100644
index d1f0964..0000000
--- a/private/viewcompiler.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# viewcompiler
-type viewcompiler, domain, coredomain, mlstrustedsubject;
-type viewcompiler_exec, system_file_type, exec_type, file_type;
-type viewcompiler_tmpfs, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by viewcompiler vs other
-# processes.
-tmpfs_domain(viewcompiler)
-
-allow viewcompiler installd:fd use;
-
-# Include write permission for app data files so viewcompiler can generate
-# compiled layout dex files
-allow viewcompiler app_data_file:file { getattr write };
-
-# Allow the view compiler to read resources from the apps APK.
-allow viewcompiler apk_data_file:file { read map };
-
-# priv-apps are moving to a world where they can only execute
-# signed code. Make sure viewcompiler never can write to privapp
-# directories to avoid introducing unsigned executable code
-neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index ee288f2..f096e89 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -18,7 +18,7 @@
add_service(virtualizationservice, virtualization_maintenance_service)
')
-is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# Let virtualizationservice find and communicate with vfio_handler.
allow virtualizationservice vfio_handler_service:service_manager find;
binder_call(virtualizationservice, vfio_handler)
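Review bot: The vfio_handler block is now gated on RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES instead of RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, while the last hunk of this file still leaves another block under RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT. If the two flags can be set independently, a build with device assignment enabled but the custom-VM flag off loses the ability to find and call vfio_handler; if that is intended, a comment on the block naming which feature owns the vfio_handler access, e.g. `# vfio_handler is only needed for custom VMs with paravirtualized devices.`, would prevent the next reader from reverting it. The block's closing `')` is outside the hunk.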
@@ -44,6 +44,12 @@
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow virtualizationservice vmlauncher_app:binder transfer;
+')
+
# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;
@@ -112,6 +118,8 @@
domain
-virtualizationmanager
-virtualizationservice
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
new file mode 100644
index 0000000..dcc4f55
--- /dev/null
+++ b/private/vmlauncher_app.te
@@ -0,0 +1,18 @@
+type vmlauncher_app, domain;
+typeattribute vmlauncher_app coredomain;
+
+app_domain(vmlauncher_app)
+
+allow vmlauncher_app app_api_service:service_manager find;
+allow vmlauncher_app system_api_service:service_manager find;
+
+allow vmlauncher_app shell_data_file:dir search;
+allow vmlauncher_app shell_data_file:file { read open write };
+virtualizationservice_use(vmlauncher_app)
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow vmlauncher_app virtualization_service:service_manager find;
+ allow vmlauncher_app virtualizationservice:binder call;
+ allow vmlauncher_app crosvm:binder { call transfer };
+')
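Review bot: `allow vmlauncher_app shell_data_file:dir search;` and the `{ read open write }` grant on shell_data_file:file give an app domain access to shell-owned data with no comment saying what it reads or writes there; if this is for picking up VM images pushed via adb, say so and consider wrapping both rules in `userdebug_or_eng(...)` so the access does not ship in user builds. The file also lacks a header naming the app the domain covers, e.g. `# Domain for the VM launcher priv-app (com.android.virtualization.vmlauncher).`, which the seapp_contexts entry in this commit binds by package name with isPrivApp=true. Whether name-based seapp_contexts entries in this policy are also expected to carry a `seinfo=` constraint is worth confirming before merge.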
diff --git a/public/file.te b/public/file.te
index cc9f286..b25175b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -8,6 +8,7 @@
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
type binderfs_logs_stats, fs_type;
+type binderfs_logs_transactions, fs_type;
type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;