Merge "Add search in bpf directory for bpfdomains"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a7a53f1..d87df40 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -423,12 +423,6 @@
coredomain
} vendor_service:service_manager add;
-neverallow {
- domain
- -tombstoned
- -crash_dump
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
neverallow { domain } tombstoned_intercept_socket:sock_file write;
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff75f75..708d537 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -45,8 +45,9 @@
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 06d4fa6..46cdb7d 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -40,3 +40,5 @@
# Logd sets defaults if certain properties are empty.
set_prop(logd, logd_prop)
+
+dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index be11b69..c083547 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -8,6 +8,14 @@
# Allow odrefresh to kill dex2oat if compilation times out.
allow odrefresh dex2oat:process sigkill;
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
# Allow odrefresh to read/write/lookup files/directories on authfs.
allow odrefresh authfs_fuse:file create_file_perms;
allow odrefresh authfs_fuse:dir create_dir_perms;
@@ -15,10 +23,6 @@
# Allow odrefresh to check the parent directory exists.
allow odrefresh authfs_data_file:dir { search getattr };
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
# TODO(196109647): We can probably remove this once the minijail preload is
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index c7d9fd6..a855509 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -49,8 +49,5 @@
# ueventd is using bootstrap bionic
use_bootstrap_libs(ueventd)
-# TODO(b/193118220): find out why this happens.
-dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
-
# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
set_prop(ueventd, cold_boot_done_prop)
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 8c77cd5..3547ebb 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
rootdisk_sysdev
sdk_sandbox_service
selection_toolbar_service
+ smart_idle_maint_enabled_prop
snapuserd_proxy_socket
sysfs_fs_fuse_bpf
system_dlkm_file
diff --git a/private/gsid.te b/private/gsid.te
index fa76da0..e795cea 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -48,7 +48,7 @@
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
+read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0d90756..828ffb1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
@@ -72,7 +72,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
diff --git a/private/property_contexts b/private/property_contexts
index f92e558..04e77e4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -73,6 +73,7 @@
persist.sys.tap_gesture u:object_r:gesture_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
+dynamic_system.data_transfer.shared_memory.size u:object_r:dynamic_system_prop:s0 exact uint
ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
@@ -257,6 +258,9 @@
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+# F2FS smart idle maint prop
+persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+
# MM Events config props
persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
@@ -511,6 +515,7 @@
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
+persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
@@ -579,6 +584,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 782bb46..b18b7dd 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -21,6 +21,7 @@
auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
allow sdk_sandbox trust_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
@@ -85,3 +86,5 @@
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 3e35b7e..d2bc3ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -736,6 +736,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, smart_idle_maint_enabled_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fb..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
diff --git a/public/app.te b/public/app.te
index 09e30ca..da24012 100644
--- a/public/app.te
+++ b/public/app.te
@@ -203,6 +203,9 @@
# allow system_app to access Nfc-related system properties.
set_prop(system_app, nfc_prop)
+# allow system_app to access radio_config system properties.
+set_prop(system_app, radio_control_prop)
+
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/public/domain.te b/public/domain.te
index a98e369..0edd887 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1029,19 +1029,7 @@
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -incidentd
- -system_server
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
diff --git a/public/init.te b/public/init.te
index d1f7d90..5139038 100644
--- a/public/init.te
+++ b/public/init.te
@@ -36,8 +36,9 @@
allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
diff --git a/public/installd.te b/public/installd.te
index b0b2815..84ef1fd 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -115,9 +115,10 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-# Allow setting extended attributes (for project quota IDs) on dirs
+# Allow setting extended attributes (for project quota IDs) on dirs and files
# and to enable project ID inheritance through FS_IOC_SETFLAGS
-allowxperm installd { app_data_file_type system_data_file }:{ dir file } ioctl {
+# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
+allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
FS_IOC_GETFLAGS
diff --git a/public/property.te b/public/property.te
index 46d6776..55d94b8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -80,6 +80,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
diff --git a/public/su.te b/public/su.te
index be02672..8328140 100644
--- a/public/su.te
+++ b/public/su.te
@@ -22,6 +22,7 @@
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
+ dontaudit su domain:anon_inode *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
diff --git a/public/te_macros b/public/te_macros
index 06d292c..e70c5d3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1023,7 +1023,7 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
- allow $1 proc_bootconfig:file r_file_perms;
+ allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
')
######################################