commit dbca625a9c7397d597791558495646b55e13c5cb
author Bart Sears <bsears@google.com> Sun Aug 04 23:06:24 2024 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Sun Aug 04 23:06:24 2024 +0000
tree 98ef4f3e430709552cf7299d5e3076e8b0a00ff4
parent af08bd3aa81e801bb4dafa65a579183e2be685f4

Revert "sepolicy: remove all remaining qtaguid stuff."

This reverts commit af08bd3aa81e801bb4dafa65a579183e2be685f4.

Reason for revert: Broke <device>-next-userdebug builds

Bug: 357439147
Change-Id: I094353bde91e71c5d92777f6d152ad193f039277

contexts/plat_file_contexts_test

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index a1079c0..4c8f9cb 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -279,6 +279,7 @@
 /dev/video99                                                      video_device
 /dev/vndbinder                                                    vndbinder_device
 /dev/watchdog                                                     watchdog_device
+/dev/xt_qtaguid                                                   qtaguid_device
 /dev/zero                                                         zero_device
 /dev/__properties__                                               properties_device
 /dev/__properties__/property_info                                 property_info

microdroid/system/private/genfs_contexts

diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 2ba6a15..8938ef2 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -27,6 +27,8 @@
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
 genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0

microdroid/system/private/init.te

diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 1a991f6..67af209 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -288,8 +288,10 @@
   proc_kmsg
   proc_net
   proc_pagetypeinfo
+  proc_qtaguid_stat
   proc_slabinfo
   proc_sysrq
+  proc_qtaguid_ctrl
   proc_vmallocinfo
 }:file setattr;
 

microdroid/system/public/attributes

diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 8580c0b..5b6f82e 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -44,7 +44,7 @@
 attribute proc_type;
 expandattribute proc_type false;
 
-# Types in /proc/net.
+# Types in /proc/net, excluding qtaguid types.
 # TODO(b/9496886) Lock down access to /proc/net.
 # This attribute is used to audit access to proc_net. it is temporary and will
 # be removed.

microdroid/system/public/file.te

diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 1a674ab..8d3f76a 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -116,6 +116,8 @@
 type proc_pressure_cpu, fs_type, proc_type;
 type proc_pressure_io, fs_type, proc_type;
 type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type;
+type proc_qtaguid_stat, fs_type, proc_type;
 type proc_random, fs_type, proc_type;
 type proc_sched, fs_type, proc_type;
 type proc_security, fs_type, proc_type;

private/compat/202404/202404.cil

diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index b6caa7c..869deb6 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,9 +1,3 @@
-;; types removed from current policy
-;; (technically qtaguid is useless since Android S, api=31)
-(type proc_qtaguid_ctrl)
-(type proc_qtaguid_stat)
-(type qtaguid_device)
-
 ;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
 ;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
 (type vendor_hidraw_device)

private/dumpstate.te

diff --git a/private/dumpstate.te b/private/dumpstate.te
index bdfd7a3..20341e4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -403,6 +403,8 @@
   proc_net_type
   proc_pipe_conf
   proc_pagetypeinfo
+  proc_qtaguid_ctrl
+  proc_qtaguid_stat
   proc_slabinfo
   proc_version
   proc_vmallocinfo

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 7a503eb..76f412a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -219,6 +219,7 @@
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
+/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
 /dev/__properties__/appcompat_override u:object_r:properties_device:s0

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5b2aaf8..de2b139 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -27,6 +27,8 @@
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
 genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0

private/init.te

diff --git a/private/init.te b/private/init.te
index cca5900..e4bafd8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -557,8 +557,10 @@
   proc_kmsg
   proc_net
   proc_pagetypeinfo
+  proc_qtaguid_stat
   proc_slabinfo
   proc_sysrq
+  proc_qtaguid_ctrl
   proc_vmallocinfo
 }:file setattr;
 

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index aff3cb6..1c9f732 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1179,6 +1179,7 @@
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
+r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
   proc_cmdline
   proc_loadavg

public/attributes

diff --git a/public/attributes b/public/attributes
index e78eaa8..759b773 100644
--- a/public/attributes
+++ b/public/attributes
@@ -61,7 +61,7 @@
 attribute proc_type;
 expandattribute proc_type false;
 
-# Types in /proc/net.
+# Types in /proc/net, excluding qtaguid types.
 # TODO(b/9496886) Lock down access to /proc/net.
 # This attribute is used to audit access to proc_net. it is temporary and will
 # be removed.

public/device.te

diff --git a/public/device.te b/public/device.te
index 0a8d6e8..beafdf2 100644
--- a/public/device.te
+++ b/public/device.te
@@ -52,6 +52,7 @@
 type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
 type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_device;
 type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
 type uhid_device, dev_type, mlstrustedobject;
 type uio_device, dev_type;

public/file.te

diff --git a/public/file.te b/public/file.te
index 067dda3..b28ca85 100644
--- a/public/file.te
+++ b/public/file.te
@@ -31,6 +31,8 @@
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
+type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
 type proc_bluetooth_writable, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;