Merge "sepolicy: Grant hal_bluetooth_server to access udp_socket" into android14-tests-dev
diff --git a/prebuilts/api/33.0/private/untrusted_app_all.te b/prebuilts/api/33.0/private/untrusted_app_all.te
index ceee544..edcde7e 100644
--- a/prebuilts/api/33.0/private/untrusted_app_all.te
+++ b/prebuilts/api/33.0/private/untrusted_app_all.te
@@ -166,9 +166,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access the service is
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index f491f15..ca8bd68 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -281,13 +281,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
@@ -1349,6 +1350,3 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/prebuilts/api/34.0/private/untrusted_app_all.te b/prebuilts/api/34.0/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/prebuilts/api/34.0/private/untrusted_app_all.te
+++ b/prebuilts/api/34.0/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access to the
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index 1da3f51..ff80e58 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -256,13 +256,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
@@ -903,6 +904,9 @@
-crash_dump_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file { entrypoint execute execute_no_trans };
')
@@ -983,6 +987,9 @@
-task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file *;
')
@@ -1283,9 +1290,6 @@
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
-
# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
diff --git a/prebuilts/api/34.0/public/hal_neverallows.te b/prebuilts/api/34.0/public/hal_neverallows.te
index e77ea9d..1aae9ee 100644
--- a/prebuilts/api/34.0/public/hal_neverallows.te
+++ b/prebuilts/api/34.0/public/hal_neverallows.te
@@ -83,7 +83,13 @@
halserverdomain
-hal_dumpstate_server
-hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
+} {
+ file_type
+ fs_type
+ # May invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
+}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access to the
diff --git a/public/domain.te b/public/domain.te
index 0b06421..8606c41 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -256,13 +256,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
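Review bot: The new rule `allow domain self:lockdown { confidentiality integrity };`, together with the neverallow dropped in the @@ -1287 hunk below, turns the integrity level into an unconditional grant for every domain on user builds, where it was previously granted only to untrusted_app_all on userdebug_or_eng builds for kcov; the comment asserts that this "mainly duplicates pre-existing rules" without naming them, so it should list which rules gate the underlying operations (the debugfs_kcov file rules in untrusted_app_all.te are the one example this change touches). The removal condition is stated in prose only; a marker such as `# TODO(<bug id>): remove the integrity grant once no kernel < 5.16 is supported.` makes it discoverable. The same edit is also applied to the prebuilts/api/33.0 and 34.0 copies of domain.te and untrusted_app_all.te; prebuilts are normally frozen snapshots, so confirm that modifying them is intended on this branch.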
@@ -907,6 +908,9 @@
-crash_dump_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file { entrypoint execute execute_no_trans };
')
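Review bot: Excluding `-shell_exec` and `-toolbox_exec` from the target set of this neverallow (and the same exclusions in the @@ -987 hunk below and in public/hal_neverallows.te, where it applies to execute_no_trans for every halserverdomain) means any vendor or HAL server domain may now be granted execute on /system/bin/sh and the toolbox binaries, which removes the policy-level guarantee these rules existed for rather than carving out the specific domains that need it. The comment records that vendor components "still can" do this but neither which domains nor the bug tracking removal of that dependency; prefer narrowing the exception to named source domains, or at least cite it, e.g. `# Vendor components may still invoke shell commands via /system/bin/sh (tracked in <bug id>).` The comment mentions only /system/bin/sh, so it should also say why toolbox_exec is excluded. The enclosing neverallow starts before the hunk in all three places, so the full source set is not visible here.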
@@ -987,6 +991,9 @@
-task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
+ # Vendor components still can invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
}:file *;
')
@@ -1287,9 +1294,6 @@
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
-
# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 59721b8..bcd8289 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -84,7 +84,13 @@
halserverdomain
-hal_dumpstate_server
-hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
+} {
+ file_type
+ fs_type
+ # May invoke shell commands via /system/bin/sh
+ -shell_exec
+ -toolbox_exec
+}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not