Merge "Add rules for virtualizationservice and crosvm"
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 83b4b58..f404a07 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1 +1,5 @@
(/.*)? u:object_r:system_file:s0
+/bin/compos_key_cmd u:object_r:compos_key_cmd_exec:s0
+/bin/compos_key_main u:object_r:compos_exec:s0
+/bin/compsvc u:object_r:compos_exec:s0
+/bin/compsvc_worker u:object_r:compos_exec:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
new file mode 100644
index 0000000..ecb5dad
--- /dev/null
+++ b/microdroid/system/private/compos.te
@@ -0,0 +1,15 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain;
+type compos_exec, exec_type, file_type, system_file_type;
+
+type compos_key_cmd, domain, coredomain;
+type compos_key_cmd_exec, exec_type, file_type, system_file_type;
+
+binder_use(compos)
+use_keystore(compos)
+
+allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+allow compos microdroid_manager:fd use;
+
+allow compos kmsg_device:chr_file w_file_perms;
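Review bot: The `compos_key_cmd` domain and its `compos_key_cmd_exec` type are declared here, but nothing in this hunk transitions into that domain or grants it a single permission, so as far as the diff shows `/bin/compos_key_cmd` (labelled `compos_key_cmd_exec` in the apex file_contexts hunk) has no visible entry rule and no policy once entered. If the entry point is intended to come in a follow-up, a comment such as `# Entered from <caller domain — TODO(b/193504816)> via domain_auto_trans; rules to follow` would make the placeholder declaration self-explanatory. The same applies to the host-side private/compos.te hunk, which declares both `compos` and `compos_key_cmd` with no rules at all.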
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
new file mode 100644
index 0000000..6bfd05e
--- /dev/null
+++ b/microdroid/system/private/dex2oat.te
@@ -0,0 +1,5 @@
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+allow dex2oat tmpfs:file { read getattr map };
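Review bot: `dex2oat` is declared as a domain with `dex2oat_exec`, but this change contains no `domain_auto_trans` into it and no file_contexts entry that labels any binary `dex2oat_exec`, so on the evidence of the diff the domain is unreachable and the `tmpfs:file { read getattr map }` rule is inert. If the transition is expected from `compos` (which I infer invokes the compiler, but cannot confirm from these lines), a one-line comment naming the caller, e.g. `# Entered via domain_auto_trans from <caller domain>`, would let a reader check that the two halves exist. If no such rule exists elsewhere, the first compile in the VM will surface as a denial against whichever domain actually runs dex2oat.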
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index fe4d072..a3dfb27 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -242,6 +242,15 @@
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
#-----------------------------------------
# Allow access to fsverity keyring.
allow domain kernel:key search;
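Review bot: The `dontaudit domain proc_type:dir write;` and `dontaudit domain sysfs_type:dir write;` lines silence a broad class of denials for every domain without a comment explaining why, while the cgroup lines just above them get one. Because dontaudit removes the audit record that would show a confined process probing /proc or /sys, a comment such as `# Silence noise from domains that test /proc and /sys for writability; the write itself remains denied.` would keep a later reader from widening this into an allow. Pairing the cgroup neverallow with a matching dontaudit is a reasonable pattern and would read as intentional with that explanation.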
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 074024f..ac81c90 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -11,14 +11,9 @@
allow microdroid_manager block_device:lnk_file r_file_perms;
allow microdroid_manager vd_device:blk_file r_file_perms;
-# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
-
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
+# Allow microdroid_manager to start payload tasks
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
+domain_auto_trans(microdroid_manager, compos_exec, compos)
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
@@ -27,11 +22,12 @@
set_prop(microdroid_manager, vmsecret_keymint_prop);
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
+# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
- allow microdroid_manager fuse:dir r_dir_perms;
- allow microdroid_manager fuse:file rx_file_perms;
+ r_dir_file(microdroid_manager, fuse)
')
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+
+neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
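Review bot: The new `neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;` is the rule that enforces the intent of the first hunk (payloads always transition into their own domain), yet it sits at the end of the file with no comment, unlike every other rule here. Suggest `# Payloads must always run in their own domain; microdroid_manager never executes anything in place.` above it. It also locks in the removal of the `shell_exec`/`toolbox_exec` rx rules from the first hunk, which is worth stating so the two are not reintroduced together later.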
diff --git a/prebuilts/api/31.0/private/bug_map b/prebuilts/api/31.0/private/bug_map
index 5b042ae..de7a4b5 100644
--- a/prebuilts/api/31.0/private/bug_map
+++ b/prebuilts/api/31.0/private/bug_map
@@ -25,6 +25,7 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..de7a4b5 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -25,6 +25,7 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index c2ffde0..5cb57f5 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,6 +7,7 @@
( new_objects
artd_service
camera2_extensions_prop
+ hal_system_suspend_service
power_stats_service
tare_service
transformer_service
diff --git a/private/compos.te b/private/compos.te
new file mode 100644
index 0000000..a86fd38
--- /dev/null
+++ b/private/compos.te
@@ -0,0 +1,6 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain;
+type compos_exec, exec_type, file_type, system_file_type;
+
+type compos_key_cmd, domain, coredomain;
+type compos_key_cmd_exec, exec_type, file_type, system_file_type;
diff --git a/private/service_contexts b/private/service_contexts
index 595eef2..80488d3 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -21,6 +21,7 @@
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
diff --git a/private/system_suspend.te b/private/system_suspend.te
index caf8955..d924187 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -7,6 +7,8 @@
binder_use(system_suspend)
add_service(system_suspend, system_suspend_control_service)
+add_service(system_suspend, hal_system_suspend_service)
+
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 3585d90..fa96726 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -841,12 +841,12 @@
define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_ALLOC', `0x000067e7')
define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FUNCTIONFS_ENDPOINT_ALLOC', `0x000067e7')
define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
diff --git a/public/service.te b/public/service.te
index 6a80c8d..917cbeb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -267,6 +267,7 @@
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_system_suspend_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
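Review bot: `hal_system_suspend_service` is declared without the `vendor_service` attribute that every neighbouring `hal_*_service` type carries, and nothing says whether that is deliberate. It presumably is, since the registering domain in this change is the platform `system_suspend` (see the `add_service` in private/system_suspend.te) and marking the type `vendor_service` would change which domains may register it, but I cannot confirm the constraint from these lines. A comment such as `# Registered by system_suspend on the system side, not by a vendor HAL, so deliberately not vendor_service.` would stop a later cleanup from "fixing" it to match the pattern.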
diff --git a/public/te_macros b/public/te_macros
index 200b2e3..1bdf039 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -431,6 +431,9 @@
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
+# AIDL suspend hal permissions
+allow $1 hal_system_suspend_service:service_manager find;
+binder_use($1)
')
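Review bot: Adding `binder_use($1)` inside this macro grants every domain that expands it permission to talk to servicemanager over binder, which is a wider change than the `find` on `hal_system_suspend_service` alone and wider than the comment `# AIDL suspend hal permissions` suggests. The macro's definition begins above the hunk (its body looks like the wakelock macro, but the name is not visible), so the set of affected domains cannot be checked from here. A comment such as `# binder_use: callers that previously reached suspend only over HwBinder now also need a binder path to servicemanager.` would let reviewers see that the widening was intended rather than incidental.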
#####################################