Merge "microdroid: Allow microdroid_manager to get local CID"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index b02a9bf..1bb6eb6 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -108,6 +108,7 @@
 		"android.hardware.wifi.IWifi/default":                                     EXCEPTION_NO_FUZZER,
 		"android.hardware.wifi.hostapd.IHostapd/default":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.wifi.supplicant.ISupplicant/default":                    EXCEPTION_NO_FUZZER,
+		"android.frameworks.sensorservice.ISensorManager/default":                 []string{"libsensorserviceaidl_fuzzer"},
 		"android.frameworks.stats.IStats/default":                                 EXCEPTION_NO_FUZZER,
 		"android.se.omapi.ISecureElementService/default":                          EXCEPTION_NO_FUZZER,
 		"android.system.keystore2.IKeystoreService/default":                       EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 0545744..ce29abc 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -32,6 +32,9 @@
 # allow apkdmverity to log to the kernel
 allow apkdmverity kmsg_device:chr_file w_file_perms;
 
+# allow apkdmverity to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
+allow apkdmverity kmsg_debug_device:chr_file w_file_perms;
+
 # apkdmverity is forked from microdroid_manager
 allow apkdmverity microdroid_manager:fd use;
 
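Review bot: `w_file_perms` on kmsg_debug_device also grants `open`, yet the comment on the new rule says the descriptor is inherited from microdroid_manager via stdio_to_kmsg, in which case apkdmverity never opens the node itself. If that holds, `allow apkdmverity kmsg_debug_device:chr_file { write append };` expresses the intent exactly and does not let the domain open /dev/kmsg_debug on its own; the identical rules added in this commit for zipfuse, kexec, encryptedstore and microdroid_manager have the same shape. Confirm against an audit log before narrowing, since a binary that re-opens the device would still need `open`, while `lock` and `map` from the macro are unlikely to be needed anywhere.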
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
index e7e9ef0..05dea40 100644
--- a/microdroid/system/private/authfs_service.te
+++ b/microdroid/system/private/authfs_service.te
@@ -9,10 +9,6 @@
 # Allow domain transition from init.
 init_daemon_domain(authfs_service)
 
-# Allow running as a binder service.
-binder_call(authfs_service, servicemanager)
-add_service(authfs_service, authfs_binder_service)
-
 # Allow domain transition into authfs.
 domain_auto_trans(authfs_service, authfs_exec, authfs)
 
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index 8ec131c..0d617fb 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -6,14 +6,12 @@
 # Block crash dumps to ensure the secrets are not leaked.
 typeattribute compos_key_helper no_crash_dump_domain;
 
-# Allow use of vm_payload_binder_service
-binder_use(compos_key_helper);
-allow compos_key_helper vm_payload_binder_service:service_manager find;
-binder_call(compos_key_helper, microdroid_manager);
-
 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;
 allow compos_key_helper compos:fifo_file { getattr read write };
 
 # Write to /dev/kmsg.
 allow compos_key_helper kmsg_device:chr_file rw_file_perms;
+
+# Communicate with microdroid manager to get DICE information
+unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)
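Review bot: Swapping the binder route for `unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)` widens what the client may reach from one named service to `connectto` on any unix_stream_socket owned by microdroid_manager, and the commit removes the servicemanager-side neverallows without adding anything that pins which domains may reach the new socket. A neverallow next to the socket type declarations in public/file.te, or in microdroid_manager.te, would restore that bound, e.g. `neverallow { domain -microdroid_payload -compos_key_helper } vm_payload_service_socket:sock_file write;` with a matching `neverallow { domain -microdroid_payload } authfs_service_socket:sock_file write;`, adjusting the exclusions to whatever else legitimately connects. The same replacement is made for both sockets in microdroid_payload.te.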
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c3156fb..a27c3f5 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -48,17 +48,11 @@
 
 # /dev/binder can be accessed by ... everyone! :)
 allow domain binder_device:chr_file rw_file_perms;
-get_prop(domain, servicemanager_prop)
 
 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be
 # added to individual domains, but this sets safe defaults for all processes.
 allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
 
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain proc_random:dir r_dir_perms;
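Review bot: With servicemanager.te deleted and its `set_context_mgr` grant gone, the retained `allow domain binder_device:chr_file rw_file_perms;` and the ioctl allowlist below it leave every microdroid domain with open/rw access to /dev/binder although nothing in the commit can act as a context manager any more. If binder is deliberately kept (the `manager` and `adb` entries survive in service_contexts), say so where the rule lives, e.g. `# /dev/binder stays reachable even though microdroid no longer runs a context manager; see service_contexts`; otherwise the device grant could go with the rest of the binder cleanup. The rest of domain.te continues outside this hunk, so there may be other binder rules not visible here.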
@@ -411,11 +405,6 @@
 
 neverallow { domain -init } build_prop:property_service set;
 
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-
 # Never allow anyone to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain } tombstoned_intercept_socket:sock_file write;
@@ -512,15 +501,6 @@
   -shell
 } shell_data_file:dir { open search };
 
-# servicemanager is the only process which handles the
-# service_manager list request
-neverallow * ~{
-    servicemanager
-    }:service_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
 # Prevent assigning non property types to properties
 # TODO - rework this: neverallow * ~property_type:property_service set;
 
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
new file mode 100644
index 0000000..522f090
--- /dev/null
+++ b/microdroid/system/private/encryptedstore.te
@@ -0,0 +1,47 @@
+# encryptedstore is a program that provides (encrypted) storage solution in a VM based on dm-crypt
+
+type encryptedstore, domain, coredomain;
+type encryptedstore_exec, exec_type, file_type, system_file_type;
+
+# encryptedstore is using bootstrap bionic
+use_bootstrap_libs(encryptedstore)
+
+# encryptedstore require access to block device directory to map dm-crypt
+r_dir_file(encryptedstore, block_device)
+
+# encryptedstore accesses /dev/vd* block device file.
+allow encryptedstore vd_device:blk_file rw_file_perms;
+
+# allow encryptedstore to create dm-crypt devices
+allow encryptedstore dm_device:{ chr_file blk_file } rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow encryptedstore self:global_capability_class_set sys_admin;
+
+# encryptedstore is forked from microdroid_manager
+allow encryptedstore microdroid_manager:fd use;
+
+# For formatting encrypted storage device
+allow encryptedstore e2fs_exec:file { rx_file_perms };
+allowxperm encryptedstore dm_device:blk_file ioctl {
+  BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKDISCARD
+};
+
+# access /sys/fs/ext4/features - required because encryptedstore runs mkfs.ext4 in its own domain
+allow encryptedstore sysfs_fs_ext4_features:dir search;
+allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
+
+# encryptedstore to mount on /mnt/ directory
+allow encryptedstore tmpfs:dir  { add_name create mounton write };
+
+# Unmount and mount filesystem
+allow encryptedstore labeledfs:filesystem { mount unmount };
+
+# allow encryptedstore to log to the kernel
+allow encryptedstore kmsg_device:chr_file w_file_perms;
+
+# Allow encryptedstore to write kmsg_debug (stdio_to_kmsg).
+allow encryptedstore kmsg_debug_device:chr_file w_file_perms;
+
+# Only microdroid_manager can run encryptedstore
+neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };
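Review bot: `allow encryptedstore e2fs_exec:file { rx_file_perms };` runs mke2fs inside the encryptedstore domain with no transition, so the formatter inherits `sys_admin`, raw rw on every `dm_device` and `vd_device` node and the mount/unmount rights; the sysfs comment further down only implies this. State it at the allow rule, e.g. `# mke2fs runs in this domain (no domain transition) and therefore inherits sys_admin and raw block-device access`, and if that breadth is unwanted a dedicated domain via domain_auto_trans would bound it. The braces around `rx_file_perms` are redundant, as the macro already expands to a permission set.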
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index d15f9ba..b94571d 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -17,3 +17,6 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# /system/bin/mke2fs - used to format encryptedstore block device
+type e2fs_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 7968ff3..60becf8 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -73,6 +73,8 @@
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
 /dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
+/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
 /dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
@@ -105,7 +107,6 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
@@ -119,6 +120,8 @@
 /system/bin/apkdmverity          u:object_r:apkdmverity_exec:s0
 /system/bin/authfs               u:object_r:authfs_exec:s0
 /system/bin/authfs_service       u:object_r:authfs_service_exec:s0
+/system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0
+/system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
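Review bot: The new `/system/bin/mke2fs		u:object_r:e2fs_exec:s0` entry separates with tabs while every neighbouring line in this block aligns with spaces (`/system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0`); use the same spacing so the block stays uniform and future diffs remain readable. The label itself resolves, since private/file.te declares e2fs_exec with exec_type and encryptedstore.te grants rx on it.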
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 254dbe8..14dbb90 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -360,12 +360,9 @@
 genfscon binder /binder u:object_r:binder_device:s0
 genfscon binder /hwbinder u:object_r:hwbinder_device:s0
 genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
index c0ab735..8d40986 100644
--- a/microdroid/system/private/kexec.te
+++ b/microdroid/system/private/kexec.te
@@ -10,3 +10,6 @@
 
 # allow kexec to have SYS_BOOT
 allow kexec self:capability sys_boot;
+
+# allow kexec to write kmsg_debug
+allow kexec kmsg_debug_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 4b9a53f..8765f75 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -39,6 +39,9 @@
 domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
 domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
 
+# Allow microdroid_manager to start encryptedstore binary
+domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
+
 # Allow microdroid_manager to run kexec to load crashkernel
 domain_auto_trans(microdroid_manager, kexec_exec, kexec)
 
@@ -54,12 +57,6 @@
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)
 
-# microdroid_manager hosts binder services.
-binder_use(microdroid_manager)
-
-# microdroid_manager can add virtual_machine_payload_service
-add_service(microdroid_manager, vm_payload_binder_service)
-
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
@@ -114,6 +111,9 @@
 # Allow microdroid_manager to handle extra_apks
 allow microdroid_manager extra_apk_file:dir create_dir_perms;
 
+# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
+allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+
 # Domains other than microdroid can't write extra_apks
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
@@ -126,6 +126,7 @@
   -crash_dump
   -microdroid_payload
   -apkdmverity
+  -encryptedstore
   -zipfuse
   -kexec
 }:process transition;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 1375442..309210c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -44,10 +44,8 @@
 # Payload can read /proc/meminfo.
 allow microdroid_payload proc_meminfo:file r_file_perms;
 
-# Allow use of authfs.
-binder_use(microdroid_payload);
-allow microdroid_payload authfs_binder_service:service_manager find;
-binder_call(microdroid_payload, authfs_service);
+# Allow payload to communicate with authfs_service
+unix_socket_connect(microdroid_payload, authfs_service, authfs_service)
 
 # Allow locating the authfs mount directory.
 allow microdroid_payload authfs_data_file:dir search;
@@ -56,6 +54,5 @@
 allow microdroid_payload authfs_fuse:dir rw_dir_perms;
 allow microdroid_payload authfs_fuse:file create_file_perms;
 
-# Allow use of virtual_machine_payload_service.
-allow microdroid_payload vm_payload_binder_service:service_manager find;
-binder_call(microdroid_payload, microdroid_manager)
+# Allow payload to communicate with microdroid manager
+unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index ff15f5d..c8d3c01 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -55,7 +55,6 @@
 ro.boottime.init.modules              u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.selinux              u:object_r:boottime_prop:s0 exact int
 ro.boottime.microdroid_manager        u:object_r:boottime_prop:s0 exact int
-ro.boottime.servicemanager            u:object_r:boottime_prop:s0 exact int
 ro.boottime.tombstoned                u:object_r:boottime_prop:s0 exact int
 ro.boottime.ueventd                   u:object_r:boottime_prop:s0 exact int
 ro.boottime.zipfuse                   u:object_r:boottime_prop:s0 exact int
@@ -74,7 +73,6 @@
 init.svc.apkdmverity        u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.authfs_service     u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager     u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.ueventd            u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.zipfuse            u:object_r:init_service_status_private_prop:s0 exact string
 
@@ -152,8 +150,6 @@
 
 heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
 
-servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
-
 # ART properties for CompOS
 dalvik.vm.                                  u:object_r:dalvik_config_prop:s0 prefix
 ro.dalvik.vm.                               u:object_r:dalvik_config_prop:s0 prefix
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 2abd7e3..837a28f 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,6 +1,3 @@
 adb                                       u:object_r:adb_service:s0
-virtual_machine_payload_service           u:object_r:vm_payload_binder_service:s0
-apexservice                               u:object_r:apex_service:s0
-authfs_service                            u:object_r:authfs_binder_service:s0
 manager                                   u:object_r:service_manager_service:s0
 *                                         u:object_r:default_android_service:s0
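Review bot: `manager u:object_r:service_manager_service:s0` survives here, and type.te keeps `adb_service` and `service_manager_service`, even though the servicemanager domain and its `add_service(servicemanager, service_manager_service)` are deleted in this same commit and nothing visible in the diff registers or looks up these names any more. Unless they are kept on purpose for a later step, drop the `manager` line together with the two type declarations, or leave a one-line comment explaining why they remain.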
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
deleted file mode 100644
index a9d025c..0000000
--- a/microdroid/system/private/servicemanager.te
+++ /dev/null
@@ -1,33 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-selinux_check_access(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
-  domain
-  -init
-  -vendor_init
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-add_service(servicemanager, service_manager_service)
-
-set_prop(servicemanager, ctl_interface_start_prop)
-set_prop(servicemanager, servicemanager_prop)
-
-# servicemanager is using bootstrap bionic
-use_bootstrap_libs(servicemanager)
-
-# servicemanager is using apex_info via libvintf
-use_apex_info(servicemanager)
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 6e0472d..0cb6daf 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -36,6 +36,9 @@
 # allow zipfuse to log to the kernel
 allow zipfuse kmsg_device:chr_file w_file_perms;
 
+# allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
+allow zipfuse kmsg_debug_device:chr_file w_file_perms;
+
 # allow zipfuse to handle extra apks
 r_dir_file(zipfuse, extra_apk_file)
 allow zipfuse extra_apk_file:dir mounton;
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
index f80c1da..d14da93 100644
--- a/microdroid/system/public/apexd.te
+++ b/microdroid/system/public/apexd.te
@@ -1,5 +1,2 @@
 type apexd, domain, coredomain;
 type apexd_exec, file_type, exec_type, system_file_type;
-
-binder_use(apexd)
-add_service(apexd, apex_service)
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 47d29aa..5616160 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -5,6 +5,7 @@
 type apex_info_file, file_type;
 type apex_mnt_dir, file_type;
 type authfs_data_file, file_type, data_file_type, core_data_file_type;
+type authfs_service_socket, file_type, coredomain_socket;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
 type cgroup_rc_file, file_type;
@@ -43,11 +44,9 @@
 type vendor_data_file, file_type, data_file_type;
 type vendor_file, file_type, vendor_file_type;
 type vendor_service_contexts_file, vendor_file_type, file_type;
+type vm_payload_service_socket, file_type, coredomain_socket;
 
 # file system types
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
 type binfmt_miscfs, fs_type;
 type cgroup, fs_type;
 type cgroup_v2, fs_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 9ec022b..5008bc7 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -25,7 +25,6 @@
 type ctl_stop_prop, property_type;
 type ctl_tombstone_transmit_prop, property_type;
 type ctl_zipfuse_prop, property_type;
-type servicemanager_prop, property_type;
 type debug_prop, property_type;
 type default_prop, property_type;
 type dev_mnt_prop, property_type;
diff --git a/microdroid/system/public/servicemanager.te b/microdroid/system/public/servicemanager.te
deleted file mode 100644
index 41a1096..0000000
--- a/microdroid/system/public/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type servicemanager, domain;
-type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 495d3f4..0807126 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -1,7 +1,6 @@
 type statsd, domain;
 
 type statsd_exec, system_file_type, exec_type, file_type;
-binder_use(statsd)
 
 # Allow statsd to scan through /proc/pid for all processes.
 r_dir_file(statsd, domain)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index aded9ae..dbb3158 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -36,8 +36,6 @@
   dontaudit su domain:binder *;
   dontaudit su property_type:property_service *;
   dontaudit su property_type:file *;
-  dontaudit su service_manager_type:service_manager *;
-  dontaudit su servicemanager:service_manager list;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su domain:bpf *;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index dbdafaf..5b411b6 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,9 +1,6 @@
 # Miscellaneous types
 type adb_service, service_manager_type;
-type apex_service, service_manager_type;
-type authfs_binder_service, service_manager_type;
 type default_android_service, service_manager_type;
-type vm_payload_binder_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c2e0b10..6231623 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -261,5 +261,7 @@
 #  due to the specific logging use cases.
 # Context: b/193912100
 neverallow {
-  untrusted_app_all
+  all_untrusted_apps
+  -mediaprovider
+  -mediaprovider_app
 } { userdebug_or_eng_prop }:file read;
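Review bot: The neverallow set `all_untrusted_apps -mediaprovider -mediaprovider_app` and the grant `get_prop({domain -untrusted_app_all -isolated_app -ephemeral_app }, userdebug_or_eng_prop)` in private/domain.te are now two hand-maintained lists that must stay complementary; if all_untrusted_apps ever covers a domain beyond those three, the rules contradict and the policy build fails. A cross-reference at each site, e.g. `# keep in sync with the userdebug_or_eng_prop neverallow in app_neverallows.te`, would make the next addition to all_untrusted_apps self-documenting. The stray double space and trailing space in the domain.te line (`},  userdebug_or_eng_prop`) could be tidied at the same time.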
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 444c89c..48c8eb4 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,12 +5,14 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    adaptive_haptics_prop
     apex_ready_prop
     artd
     credential_service
     device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
     devicelock_service
+    fwk_sensor_service
     hal_bootctl_service
     hal_cas_service
     hal_remoteaccess_service
@@ -25,6 +27,7 @@
     ntfs
     permissive_mte_prop
     prng_seeder
+    rkpdapp
     servicemanager_prop
     system_net_netd_service
     timezone_metadata_prop
diff --git a/private/domain.te b/private/domain.te
index 60303ff..9de23ba 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -101,6 +101,48 @@
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')
 
+# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
+get_prop(domain, gwp_asan_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, locale_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
+get_prop(domain, timezone_prop)
+get_prop({domain -untrusted_app_all -isolated_app -ephemeral_app },  userdebug_or_eng_prop)
+get_prop(domain, vendor_socket_hook_prop)
+get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
+
 # Allow access to fsverity keyring.
 allow domain kernel:key search;
 # Allow access to keys in the fsverity keyring that were installed at boot.
diff --git a/private/priv_app.te b/private/priv_app.te
index 4dcd1fb..8c965fc 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -190,6 +190,11 @@
 # Required for Phonesky to be able to read staged files under /data/app-staging.
 allow priv_app staging_data_file:dir r_dir_perms;
 
+# Allow com.android.vending to access files under vendor/apex as well as system apex files.
+# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
+allow priv_app vendor_apex_file:dir r_dir_perms;
+allow priv_app vendor_apex_file:file r_file_perms;
+
 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };
 
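Review bot: The comment names com.android.vending, but `allow priv_app vendor_apex_file:dir r_dir_perms;` and the file rule apply to every domain in priv_app, so all privileged apps gain read access to vendor APEX contents. If only vending needs this, a dedicated seapp_contexts domain would scope the grant; if the broad grant is acceptable, reword the comment to say so, e.g. `# Allow priv apps to read vendor apex files (needed by com.android.vending for delta patch optimization).` Only the vendor_apex_file half of the comment is in this hunk; the system-apex access it mentions is presumably granted elsewhere.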
diff --git a/private/property_contexts b/private/property_contexts
index 48eed1c..b8503bd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1438,19 +1438,34 @@
 # properties for the virtual Fingerprint HAL
 persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
 persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
 vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
 vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
 vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
 vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
 vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
 vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
 vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
 
 # properties for tuner
 ro.tuner.lazyhal    u:object_r:tuner_config_prop:s0 exact bool
 tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
+
+# Adaptive haptics settings property
+vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
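Review bot: `persist.vendor.fingerprint.virtual.navigation_guesture` looks like a misspelling of `navigation_gesture`; property_contexts matches names exactly, so if the virtual fingerprint HAL uses the correctly spelled name, that property falls through to the generic vendor prefix label and the access is denied without any hint here. Confirm the spelling against the HAL's accessor and use the same string in both places. The three latency entries switch from `exact int` to `exact string`, which is a type change on existing names; harmless if nothing persists them, but the HAL must now parse strings.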
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
new file mode 100644
index 0000000..535f324
--- /dev/null
+++ b/private/rkpd_app.te
@@ -0,0 +1,20 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
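Review bot: Nothing in this file grants rkpdapp network access; `app_domain` does not pull in `net_domain`, so if the app contacts the provisioning server itself rather than delegating to a system component, socket creation will be denied. Add `net_domain(rkpdapp)` next to `app_domain(rkpdapp)` if that is the case. The header could also state the sandbox concretely, e.g. `# rkpdapp is limited to the keymint HAL, the RKP device_config props, app_api services and statsd`.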
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b26d977..81563a5 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -164,6 +164,7 @@
 user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index f2023f3..562e3d4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,5 @@
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
+android.frameworks.sensorservice.ISensorManager/default              u:object_r:fwk_sensor_service:s0
 android.hardware.audio.core.IConfig/default                          u:object_r:hal_audio_service:s0
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
 android.hardware.audio.effect.IFactory/default                       u:object_r:hal_audio_service:s0
diff --git a/private/shell.te b/private/shell.te
index 6a7c629..02105a9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -184,6 +184,9 @@
 get_prop(shell, last_boot_reason_prop)
 get_prop(shell, system_boot_reason_prop)
 
+# Allow shell to execute the remote key provisioning factory tool
+binder_call(shell, hal_keymint)
+
 # Allow reading the outcome of perf_event_open LSM support test for CTS.
 get_prop(shell, init_perf_lsm_hooks_prop)
 
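Review bot: The comment above `binder_call(shell, hal_keymint)` describes the tool being run rather than what the rule grants: binder call/transfer to every domain carrying the hal_keymint attribute, i.e. all KeyMint HAL processes, not only the remotely-provisioned-component interface. The scoping to that interface relies on the `neverallow shell { hal_keymint_service hal_secureclock_service hal_sharedsecret_service }:service_manager find` added to public/shell.te in this same change, and the comment should say so, e.g. `# Allow shell to call keymint HAL processes for the remote key provisioning factory tool; service lookup is limited to hal_remotelyprovisionedcomponent_service by the neverallow in public/shell.te`.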
diff --git a/private/stats.te b/private/stats.te
index db29072..c784145 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
   -mediametrics
   -platform_app
   -priv_app
+  -rkpdapp
   -shell
   -stats
   -statsd
diff --git a/private/system_app.te b/private/system_app.te
index 61d3b5d..3b92c0f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -34,6 +34,7 @@
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, adaptive_haptics_prop)
 set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
@@ -192,3 +193,6 @@
 # bug reports, but not reads.
 neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
 neverallow system_app shell_data_file:file { open read ioctl lock };
+
+# system_app should be the only domain writing the adaptive haptics prop
+neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
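Review bot: The comment `# system_app should be the only domain writing the adaptive haptics prop` does not match the rule beneath it, which also exempts init; `# Only init and system_app may write the adaptive haptics prop` would be accurate. Separately, I do not see a property_contexts entry assigning adaptive_haptics_prop to a property name anywhere in this chunk; if it is not elsewhere in the merge, the type declared via `system_restricted_prop(adaptive_haptics_prop)` in the public/property.te hunk is never applied and the set_prop rule above and this neverallow are inert.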
diff --git a/private/system_server.te b/private/system_server.te
index 9d1f97f..3a7dd8a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -693,6 +693,7 @@
 # Property Service write
 set_prop(system_server, system_prop)
 set_prop(system_server, bootanim_system_prop)
+set_prop(system_server, bluetooth_prop)
 set_prop(system_server, exported_system_prop)
 set_prop(system_server, exported3_system_prop)
 set_prop(system_server, safemode_prop)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index f41e7cc..46871b7 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -84,6 +84,9 @@
 allow virtualizationservice tombstone_data_file:file { append getattr };
 allow virtualizationservice tombstoned:fd use;
 
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationservice, crosvm);
+
 neverallow {
   domain
   -init
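Review bot: `r_dir_file(virtualizationservice, crosvm);` ends with a semicolon, unlike every other macro invocation on this page (`binder_call(...)`, `use_apex_info(...)`, `set_prop(...)`); the macro already expands to terminated allow rules, so the trailing `;` is at best a stray empty statement and should be dropped for consistency. The grant is also broader than the comment suggests: r_dir_file covers every crosvm-labelled dir, file and symlink under /proc/<pid>, not just the CPU/memory stat files, although entries such as environ and maps remain behind the kernel's ptrace access check. Suggested comment: `# Allow reading /proc/[crosvm pid]/ (all crosvm-labelled dirs/files/symlinks) to collect CPU & memory usage of the VM; sensitive entries stay gated by the ptrace check.`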
diff --git a/public/domain.te b/public/domain.te
index f9e4c46..217738d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,48 +101,6 @@
 allow domain properties_serial:file r_file_perms;
 allow domain property_info:file r_file_perms;
 
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, apexd_select_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bluetooth_config_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, framework_status_prop)
-get_prop(domain, gwp_asan_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, locale_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop(domain, timezone_prop)
-get_prop({domain - untrusted_app_all },  userdebug_or_eng_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
 get_prop(domain, log_property_type)
@@ -593,6 +551,7 @@
   -hal_camera_server
   -hal_cas_server
   -hal_drm_server
+  -hal_keymint_server
   userdebug_or_eng(`-incidentd')
   -init
   -mediadrmserver
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2a3c19c..c0af235 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -365,7 +365,7 @@
 allow dumpstate binderfs_logs:file r_file_perms;
 allow dumpstate binderfs_logs_proc:file r_file_perms;
 
-allow dumpstate apex_info_file:file getattr;
+use_apex_info(dumpstate)
 
 ###
 ### neverallow rules
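Review bot: Replacing `allow dumpstate apex_info_file:file getattr` with `use_apex_info(dumpstate)` presumably widens the grant from getattr to whatever the macro allows (I cannot see its definition here, but the name suggests read access to the apex info file). If that widening is the intent, a one-line comment such as `# dumpstate reads apex-info for bug reports` would make it deliberate rather than incidental; if only getattr was needed, the original rule was tighter.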
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 621b6d7..65cd4a1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -77,6 +77,7 @@
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
+allow mediaserver package_native_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver permission_checker_service:service_manager find;
 allow mediaserver power_service:service_manager find;
diff --git a/public/property.te b/public/property.te
index a9e61b5..14abd0f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
 
 # Properties which can't be written outside system
 system_restricted_prop(aac_drc_prop)
+system_restricted_prop(adaptive_haptics_prop)
 system_restricted_prop(apex_ready_prop)
 system_restricted_prop(arm64_memtag_prop)
 system_restricted_prop(binder_cache_bluetooth_server_prop)
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
new file mode 100644
index 0000000..2aaf3b8
--- /dev/null
+++ b/public/rkpd_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+
+type rkpdapp, domain;
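Review bot: Declaring `type rkpdapp, domain;` in public/ makes the type part of the vendor-visible policy API (as I understand it, public/ types are carried into the frozen compat mappings), while the domain's actual rules live in private/ (the rkpdapp hunk earlier in this change, whose start is outside my view); app domains referenced only by system policy are normally declared in private/. If a vendor-side reference is the reason for public/, the header comment should say so, otherwise consider moving the declaration to private/rkpdapp.te. The header could also state that the appdomain attribute and app_domain() setup are expected to come from the private policy, since this file gives the type only `domain`.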
diff --git a/public/service.te b/public/service.te
index 8c8a430..1ff3668 100644
--- a/public/service.te
+++ b/public/service.te
@@ -131,6 +131,7 @@
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type fwk_sensor_service, system_server_service, service_manager_type;
 type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type gnss_time_update_service, system_server_service, service_manager_type;
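Review bot: `fwk_sensor_service` is declared with system_server_service but without app_api_service, unlike the neighbouring fwk_stats_service and the other app-facing framework services in this block; if the sensor manager is meant to be reachable only by domains explicitly granted find (the service_contexts hunk maps android.frameworks.sensorservice.ISensorManager/default to it), a short comment such as `# not app_api_service: reachable only by domains granted find explicitly` would stop someone later "fixing" it by adding the attribute. The line is also out of alphabetical order: fwk_sensor_service should precede fwk_stats_service.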
diff --git a/public/shell.te b/public/shell.te
index 496061c..6c67cea 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@
   -apex_service
   -dnsresolver_service
   -gatekeeper_service
+  -hal_keymint_service
+  -hal_secureclock_service
+  -hal_sharedsecret_service
   -incident_service
   -installd_service
   -mdns_service
@@ -196,6 +199,14 @@
 ### Neverallow rules
 ###
 
+# Do not allow shell to talk directly to security HAL services other than
+# hal_remotelyprovisionedcomponent_service
+neverallow shell {
+  hal_keymint_service
+  hal_secureclock_service
+  hal_sharedsecret_service
+}:service_manager find;
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5681054..c69b451 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -51,6 +51,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service     u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service     u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example       u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
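Review bot: The added allocator-service line's label column is not aligned with its neighbours: the regex is shorter than the allocator-V1-service one above but the same padding was kept, so `u:object_r:hal_graphics_allocator_default_exec:s0` sits several columns left of the surrounding entries; pad to the same column. Matching-wise the new pattern is fine, since file_contexts regexes are anchored to the full path and `allocator-service` cannot also match the `allocator-V1-service` entry.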