Merge "Remove deprecated ToMakePath calls"
diff --git a/Android.bp b/Android.bp
index 438b13f..df1e264 100644
--- a/Android.bp
+++ b/Android.bp
@@ -184,6 +184,11 @@
srcs: ["keystore2_key_contexts"],
}
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
@@ -342,6 +347,21 @@
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
+
+se_policy_conf {
+ name: "apex_sepolicy-33.conf",
+ srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-33.cil",
+ src: ":apex_sepolicy-33.conf",
+ filter_out: [":plat_sepolicy.cil"],
+ installable: false,
+ stem: "apex_sepolicy.cil",
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
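Review bot: The two apex_sepolicy-33 modules carry no comment, unlike the neighbouring userdebug_plat_sepolicy.conf block, so a reader has to work out from `filter_out: [":plat_sepolicy.cil"]` why the whole plat policy is compiled in and then removed again. I would add above `se_policy_conf { name: "apex_sepolicy-33.conf"` a comment such as `// apex_sepolicy-33.cil - rules from com.android.sepolicy/33/*.te compiled together with plat policy, then filtered against plat_sepolicy.cil so that only the rules the apex adds remain`. The version `33` is repeated in the precompiled_sepolicy srcs and in the apex_sepolicy.sha256_gen genrule later in this file; naming those places in the comment would make the next version bump less error-prone.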
@@ -659,6 +679,9 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// AND
+// - apex_sepolicy.sha256 equals
+// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -676,6 +699,20 @@
}
genrule {
+ name: "apex_sepolicy.sha256_gen",
+ srcs: [":apex_sepolicy-33.cil"],
+ out: ["apex_sepolicy.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "apex_sepolicy.sha256",
+ filename: "apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ installable: false,
+}
+
+genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -744,6 +781,18 @@
}
//////////////////////////////////
+// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
+// was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy_prebuilts"],
+ name: "precompiled_sepolicy.apex_sepolicy.sha256",
+ filename: "precompiled_sepolicy.apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
@@ -780,6 +829,7 @@
name: "precompiled_sepolicy",
srcs: [
":plat_sepolicy.cil",
+ ":apex_sepolicy-33.cil",
":plat_pub_versioned.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
@@ -1044,17 +1094,3 @@
se_freeze_test {
name: "sepolicy_freeze_test",
}
-
-//////////////////////////////////
-// Makefile rules temporary imported to Soong
-// TODO(b/33691272): remove these after migrating seapp to Soong
-//////////////////////////////////
-makefile_goal {
- name: "plat_seapp_contexts_rule",
- product_out_path: "obj/ETC/plat_seapp_contexts_intermediates/plat_seapp_contexts",
-}
-
-makefile_goal {
- name: "plat_seapp_neverallows_rule",
- product_out_path: "obj/ETC/plat_seapp_neverallows_intermediates/plat_seapp_neverallows",
-}
diff --git a/Android.mk b/Android.mk
index e235bde..361c7c4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -349,7 +349,7 @@
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
- $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ sepolicy_compat_test \
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
@@ -680,9 +680,6 @@
file_contexts.modules.tmp :=
##################################
-include $(LOCAL_PATH)/seapp_contexts.mk
-
-##################################
include $(LOCAL_PATH)/contexts_tests.mk
##################################
@@ -747,8 +744,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
@@ -770,11 +766,6 @@
)
endif # PRODUCT_SEPOLICY_SPLIT
-$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
- $(eval version_under_treble_tests := $(v)) \
- $(eval include $(LOCAL_PATH)/compat.mk) \
-)
-
built_plat_sepolicy :=
built_system_ext_sepolicy :=
built_product_sepolicy :=
diff --git a/OWNERS b/OWNERS
index c5b61ae..61eecb2 100644
--- a/OWNERS
+++ b/OWNERS
@@ -5,7 +5,6 @@
inseob@google.com
jbires@google.com
jeffv@google.com
-jgalenson@google.com
jiyong@google.com
smoreland@google.com
trong@google.com
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 9398505..1b578ea 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/for-system/clatd u:object_r:clatd_exec:s0
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 865dbb4..0909f70 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -124,4 +124,9 @@
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
}
+
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
+ b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+ }
}
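Review bot: The new loop has no comment saying what the `.plat_public_<ver>` and `.plat_private_<ver>` tags are for; they are consumed as `:se_build_files{.plat_public_%s}` by the se_compat_test load hook in compat_cil.go, and that link is not visible from here. I would add `// Per-version prebuilt API policy (prebuilts/api/<ver>/{public,private}), referenced by the modules se_compat_test generates.` above the `for` line. findSrcsInDirs presumably returns an empty list when a version listed in PLATFORM_SEPOLICY_COMPAT_VERSIONS has no prebuilts directory, in which case a typo in that list would surface only as an empty compat-test input rather than an error — worth confirming. The enclosing function starts outside this hunk.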
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 4f8a5d9..6a1925d 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -15,13 +15,21 @@
package selinux
import (
+ "fmt"
+
"github.com/google/blueprint/proptools"
"android/soong/android"
)
+var (
+ compatTestDepTag = dependencyTag{name: "compat_test"}
+)
+
func init() {
- android.RegisterModuleType("se_compat_cil", compatCilFactory)
+ ctx := android.InitRegistrationContext
+ ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
+ ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -107,3 +115,154 @@
},
}}
}
+
+func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
+ switch tag {
+ case "":
+ return android.Paths{c.installSource}, nil
+ default:
+ return nil, fmt.Errorf("unsupported module reference tag %q", tag)
+ }
+}
+
+var _ android.OutputFileProducer = (*compatCil)(nil)
+
+// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
+// current policy.
+func compatTestFactory() android.SingletonModule {
+ f := &compatTestModule{}
+ android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
+ return f
+}
+
+type compatTestModule struct {
+ android.SingletonModuleBase
+
+ compatTestTimestamp android.ModuleOutPath
+}
+
+func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
+ confName := fmt.Sprintf("pub_policy_%s.conf", ver)
+ cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
+ platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
+
+ ctx.CreateModule(policyConfFactory, &nameProperties{
+ Name: proptools.StringPtr(confName),
+ }, &policyConfProperties{
+ Srcs: []string{
+ fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
+ ":se_build_files{.reqd_mask}",
+ },
+ Installable: proptools.BoolPtr(false),
+ })
+
+ ctx.CreateModule(policyCilFactory, &nameProperties{
+ Name: proptools.StringPtr(cilName),
+ }, &policyCilProperties{
+ Src: proptools.StringPtr(":" + confName),
+ Filter_out: []string{":reqd_policy_mask.cil"},
+ Secilc_check: proptools.BoolPtr(false),
+ Installable: proptools.BoolPtr(false),
+ })
+
+ ctx.CreateModule(versionedPolicyFactory, &nameProperties{
+ Name: proptools.StringPtr(platPubVersionedName),
+ }, &versionedPolicyProperties{
+ Base: proptools.StringPtr(":" + cilName),
+ Target_policy: proptools.StringPtr(":" + cilName),
+ Version: proptools.StringPtr(ver),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
+ srcs := []string{
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ fmt.Sprintf(":plat_%s.cil", ver),
+ fmt.Sprintf(":%s.compat.cil", ver),
+ fmt.Sprintf(":system_ext_%s.cil", ver),
+ fmt.Sprintf(":system_ext_%s.compat.cil", ver),
+ fmt.Sprintf(":product_%s.cil", ver),
+ }
+
+ if ver == ctx.DeviceConfig().BoardSepolicyVers() {
+ srcs = append(srcs,
+ ":plat_pub_versioned.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ )
+ } else {
+ srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
+ }
+
+ compatTestName := fmt.Sprintf("%s_compat_test", ver)
+ ctx.CreateModule(policyBinaryFactory, &nameProperties{
+ Name: proptools.StringPtr(compatTestName),
+ }, &policyBinaryProperties{
+ Srcs: srcs,
+ Ignore_neverallow: proptools.BoolPtr(true),
+ Installable: proptools.BoolPtr(false),
+ })
+}
+
+func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ f.createPlatPubVersionedModule(ctx, ver)
+ f.createCompatTestModule(ctx, ver)
+ }
+}
+
+func (f *compatTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ ctx.AddDependency(f, compatTestDepTag, fmt.Sprintf("%s_compat_test", ver))
+ }
+}
+
+func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
+}
+
+func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var inputs android.Paths
+ ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
+ o, ok := child.(android.OutputFileProducer)
+ if !ok {
+ panic(fmt.Errorf("Module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child)))
+ }
+
+ outputs, err := o.OutputFiles("")
+ if err != nil {
+ panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
+ }
+ if len(outputs) != 1 {
+ panic(fmt.Errorf("Module %q should produce exactly one output, but did %q", ctx.OtherModuleName(child), outputs.Strings()))
+ }
+
+ inputs = append(inputs, outputs[0])
+ })
+
+ f.compatTestTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("touch").Output(f.compatTestTimestamp).Implicits(inputs)
+ rule.Build("compat", "compat test timestamp for: "+f.Name())
+}
+
+func (f *compatTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(f.compatTestTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.compatTestTimestamp.String())
+ },
+ },
+ }}
+}
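Review bot: The three `panic(fmt.Errorf(...))` calls in the VisitDirectDepsWithTag callback of GenerateAndroidBuildActions abort the whole Soong analysis instead of reporting an error attributed to this module; `ctx.ModuleErrorf` followed by a return from the callback gives the same information through the normal error path, and printing `outputs.Strings()` with `%v` instead of `%q` avoids a quoted Go slice literal. `Ignore_neverallow: proptools.BoolPtr(true)` in createCompatTestModule deserves a comment, because it mirrors the removed compat.mk recipe (`secilc -N`, neverallow checking off) whose stated purpose was only to ensure the compat files still build against the current policy, and a reader may otherwise take it for a relaxed security check. The comment on GenerateSingletonBuildActions misspells "singleton", and the literal `[]android.AndroidMkEntries{android.AndroidMkEntries{` can drop the repeated element type.
```go
func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
	var inputs android.Paths
	ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
		o, ok := child.(android.OutputFileProducer)
		if !ok {
			ctx.ModuleErrorf("module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child))
			return
		}

		outputs, err := o.OutputFiles("")
		if err != nil {
			ctx.ModuleErrorf("module %q error while producing output: %v", ctx.OtherModuleName(child), err)
			return
		}
		if len(outputs) != 1 {
			ctx.ModuleErrorf("module %q should produce exactly one output, but did %v", ctx.OtherModuleName(child), outputs.Strings())
			return
		}

		inputs = append(inputs, outputs[0])
	})
	// … unchanged: timestamp rule …
```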
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 7e03b2d..b30f35e 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,6 +17,7 @@
import (
"fmt"
"io"
+ "os"
"strings"
"github.com/google/blueprint"
@@ -58,11 +59,20 @@
}
}
+type seappProperties struct {
+ // Files containing neverallow rules.
+ Neverallow_files []string `android:"path"`
+
+ // Precompiled sepolicy binary file which will be fed to checkseapp.
+ Sepolicy *string `android:"path"`
+}
+
type selinuxContextsModule struct {
android.ModuleBase
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
+ seappProperties seappProperties
build func(ctx android.ModuleContext, inputs android.Paths) android.Path
deps func(ctx android.BottomUpMutatorContext)
outputPath android.Path
@@ -82,6 +92,7 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
+ android.RegisterModuleType("seapp_contexts", seappFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -147,6 +158,7 @@
m.AddProperties(
&m.properties,
&m.fileContextsProperties,
+ &m.seappProperties,
)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
@@ -422,6 +434,31 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ neverallowFile := android.PathForModuleGen(ctx, "neverallow")
+ ret := android.PathForModuleGen(ctx, m.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("(grep").
+ Flag("-ihe").
+ Text("'^neverallow'").
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Text(">").
+ Output(neverallowFile).
+ Text("|| true)") // to make ninja happy even when result is empty
+
+ rule.Temporary(neverallowFile)
+ rule.Command().BuiltTool("checkseapp").
+ FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
+ FlagWithOutput("-o ", ret).
+ Inputs(inputs).
+ Input(neverallowFile)
+
+ rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
+ return ret
+}
+
func hwServiceFactory() android.Module {
m := newModule()
m.build = m.buildHwServiceContexts
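Review bot: buildSeappContexts dereferences `m.seappProperties.Sepolicy` through `proptools.String` with no nil check, so a seapp_contexts module that omits `sepolicy` reaches PathForModuleSrc with an empty string rather than a clear error naming the property; I would start the method with `if m.seappProperties.Sepolicy == nil { ctx.PropertyErrorf("sepolicy", "must be set"); return nil }`. The `|| true)` appended to the grep command hides grep's error exit (status 2, e.g. an unreadable neverallow file) together with the expected no-match exit (status 1), so a broken input silently produces an empty neverallow list that checkseapp then accepts; the same pattern is in the plat_seapp_neverallows genrule in contexts/Android.bp. Tolerating only status 1 keeps the empty-result case working while letting real failures fail the build.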
@@ -447,6 +484,12 @@
return m
}
+func seappFactory() android.Module {
+ m := newModule()
+ m.build = m.buildSeappContexts
+ return m
+}
+
var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
// Implements android.OutputFileProducer
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
new file mode 100644
index 0000000..f3387ac
--- /dev/null
+++ b/com.android.sepolicy/33/Android.bp
@@ -0,0 +1,56 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule {
+ name: "apex_file_contexts-33.gen",
+ defaults: ["sepolicy_file_contexts_gen_default"],
+ srcs: ["file_contexts"],
+ out: ["apex_file_contexts-33"],
+}
+
+prebuilt_etc {
+ name: "apex_file_contexts-33",
+ filename: "apex_file_contexts",
+ src: ":apex_file_contexts-33.gen",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_property_contexts-33",
+ filename: "apex_property_contexts",
+ src: "property_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_service_contexts-33",
+ filename: "apex_service_contexts",
+ src: "service_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_seapp_contexts-33",
+ filename: "apex_seapp_contexts",
+ src: "seapp_contexts",
+ installable: false,
+}
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
new file mode 100644
index 0000000..14f99f9
--- /dev/null
+++ b/com.android.sepolicy/33/file_contexts
@@ -0,0 +1 @@
+/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/property_contexts
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/seapp_contexts
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/service_contexts
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
new file mode 100644
index 0000000..757328e
--- /dev/null
+++ b/com.android.sepolicy/33/shell.te
@@ -0,0 +1,2 @@
+allow shell sepolicy_test_file:file r_file_perms;
+
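Review bot: The allow rule has no comment, and the sepolicy_test_file type it references is labelled only on /dev/selinux/apex_test in the sibling file_contexts, so its test-only role is not visible from the rule itself. I would put `# Test-only: lets shell read /dev/selinux/apex_test (sepolicy_test_file), presumably so a test can check that this apex policy is in effect - confirm.` above it, and drop the trailing empty line.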
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
new file mode 100644
index 0000000..1e042f3
--- /dev/null
+++ b/com.android.sepolicy/Android.bp
@@ -0,0 +1,28 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule_defaults {
+ name: "sepolicy_file_contexts_gen_default",
+ tools: ["fc_sort"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
diff --git a/compat.mk b/compat.mk
deleted file mode 100644
index 4aed864..0000000
--- a/compat.mk
+++ /dev/null
@@ -1,56 +0,0 @@
-version := $(version_under_treble_tests)
-
-include $(CLEAR_VARS)
-#################################
-# build this target to ensure the compat permissions files all build against the current policy
-#
-LOCAL_MODULE := $(version)_compat_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_REQUIRED_MODULES := $(version).compat.cil
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_cil_files := \
- $(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
- $(ALL_MODULES.$(version).compat.cil.BUILT) \
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += $(built_system_ext_cil)
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
-endif
-
-ifneq ($(mixed_sepolicy_build),true)
-
-all_cil_files += $(built_vendor_cil)
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_cil_files += $(built_odm_cil)
-endif
-
-endif # ifneq ($(mixed_sepolicy_build),true)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
- @mkdir -p $(dir $@)
- $(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-all_cil_files :=
-version :=
-version_under_treble_tests :=
diff --git a/compat/Android.bp b/compat/Android.bp
index fd1a864..bc8409a 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -269,3 +269,7 @@
stem: "32.0.compat.cil",
system_ext_specific: true,
}
+
+se_compat_test {
+ name: "sepolicy_compat_test",
+}
diff --git a/contexts/Android.bp b/contexts/Android.bp
index ed183ef..1dc710a 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -231,3 +231,70 @@
],
soc_specific: true,
}
+
+seapp_contexts {
+ name: "plat_seapp_contexts",
+ srcs: [":seapp_contexts_files{.plat_private}"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "system_ext_seapp_contexts",
+ srcs: [":seapp_contexts_files{.system_ext_private}"],
+ neverallow_files: [":seapp_contexts_files{.plat_private}"],
+ system_ext_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "product_seapp_contexts",
+ srcs: [":seapp_contexts_files{.product_private}"],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ],
+ product_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "vendor_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.vendor}",
+ ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ soc_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+seapp_contexts {
+ name: "odm_seapp_contexts",
+ srcs: [
+ ":seapp_contexts_files{.odm}",
+ ],
+ neverallow_files: [
+ ":seapp_contexts_files{.plat_private_for_vendor}",
+ ":seapp_contexts_files{.system_ext_private_for_vendor}",
+ ":seapp_contexts_files{.product_private_for_vendor}",
+ ],
+ device_specific: true,
+ sepolicy: ":precompiled_sepolicy",
+}
+
+// for CTS
+genrule {
+ name: "plat_seapp_neverallows",
+ srcs: [
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
+ ],
+ out: ["plat_seapp_neverallows"],
+ cmd: "grep -ihe '^neverallow' $(in) > $(out) || true",
+}
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 22f2ffa..477f78f 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,6 +746,16 @@
use_dev_id
}
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
index 7bd39e4..23e881d 100644
--- a/microdroid/system/private/authfs.te
+++ b/microdroid/system/private/authfs.te
@@ -17,5 +17,9 @@
allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
allow authfs authfs_data_file:dir { mounton search };
+# Allow authfs to access extra APK mount.
+allow authfs extra_apk_file:file r_file_perms;
+allow authfs extra_apk_file:dir search;
+
# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
allow authfs authfs_service:fd use;
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 174eda3..41dd91a 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,13 +2,19 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
+# Expose RPC Binder service over vsock
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow using keystore and authfs_service binder services
+# Allow using various binder services
binder_use(compos);
use_keystore(compos);
-allow compos authfs_binder_service:service_manager find;
+allow compos {
+ authfs_binder_service
+ dice_node_service
+}:service_manager find;
binder_call(compos, authfs_service);
+binder_call(compos, diced);
+allow compos diced:diced { get_attestation_chain use_sign };
# Allow payloads to use and manage their keys
allow compos vm_payload_key:keystore2_key {
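Review bot: The rewritten comment `# Allow using various binder services` is less informative than the one it replaces; the block below names exactly two services, so `# Allow using the authfs_service and diced binder services` keeps it precise. The diced rule grants only `get_attestation_chain use_sign` out of the six operations the new diced class defines, which is the right least-privilege shape; a short comment such as `# compos needs only attestation-chain retrieval and signing from diced` would record that the narrowing is deliberate.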
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
new file mode 100644
index 0000000..4c3a890
--- /dev/null
+++ b/microdroid/system/private/diced.te
@@ -0,0 +1,17 @@
+type diced, domain, coredomain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+# diced can be started by init
+init_daemon_domain(diced)
+
+# diced can talk to dice HAL
+hal_client_domain(diced, hal_dice)
+
+# diced hosts AIDL services
+binder_use(diced)
+binder_service(diced)
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# diced can check SELinux permissions.
+selinux_check_access(diced)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 933c63f..b6fb2ba 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -106,6 +106,7 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/diced u:object_r:diced_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 36a5f53..736a135 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -46,13 +46,6 @@
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to ioctl /dev/vsock.
-# TODO(b/199259751): remove the below rules
-allow microdroid_manager vsock_device:chr_file r_file_perms;
-allowxperm microdroid_manager vsock_device:chr_file ioctl {
- IOCTL_VM_SOCKETS_GET_LOCAL_CID
-};
-
# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 2fa101f..fea0768 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -33,12 +33,5 @@
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow microdroid_payload to ioctl /dev/vsock.
-# TODO(b/199259751): remove the below rules
-allow microdroid_payload vsock_device:chr_file r_file_perms;
-allowxperm microdroid_payload vsock_device:chr_file ioctl {
- IOCTL_VM_SOCKETS_GET_LOCAL_CID
-};
-
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 200b030..0d3cc80 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,5 +163,8 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
+# Diced permissions
+class diced # userspace
+
class drmservice # userspace
# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 3489055..6499423 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
@@ -8,6 +9,8 @@
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 6479c55..e3258ae 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -298,6 +298,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(evs);
hal_attribute(face);
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/microdroid/system/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 0ee9f89..6329656 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -6,6 +6,9 @@
type credstore_service, app_api_service, service_manager_type;
type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type default_android_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type hal_dice_service, protected_service, vendor_service, service_manager_type;
type hal_keymint_service, protected_service, vendor_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 0aa85cf..2dee390 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -35,4 +35,5 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
new file mode 100644
index 0000000..832e717
--- /dev/null
+++ b/microdroid/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
diff --git a/private/app.te b/private/app.te
index 7177b92..856f483 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,6 +87,375 @@
allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow appdomain system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
+allow { appdomain -ephemeral_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
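Review bot: The block inserted at the top of this hunk is a verbatim relocation of the rules removed from public/app.te later in this diff, but nothing in private/app.te says so, and the old in-line TODOs (b/32064548, b/9496886) now read as if they were written here. A short comment at the head of the moved block, e.g. `# appdomain rules moved from public/app.te; they are intentionally private.`, would explain the placement to anyone diffing the two files. The individual rules are unchanged, so I have not re-reviewed them; the enclosing file continues outside the hunk.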
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index cddf39b..43f8136 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -44,6 +44,7 @@
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
+ resources_manager_service
selection_toolbar_service
snapuserd_proxy_socket
supplemental_process_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 5106f87..b3d96c8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,6 +10,9 @@
neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
diff --git a/private/domain.te b/private/domain.te
index d12cbc7..ae5b0d7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -569,6 +569,9 @@
}:file no_rw_file_perms;
')
+# Restrict write access to etm sysfs interface.
+neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+
# Restrict write access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a7cdeb8..cb28221 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -262,6 +262,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -326,6 +327,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 2e4254c..f20d932 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -51,11 +51,12 @@
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
+# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
+allow gpuservice fs_bpf:file { read write };
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
+# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
+allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)
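Review bot: The widened grant (`fs_bpf:file write` plus `bpfloader:bpf map_write`) lets gpuservice modify any BPF map it can open under fs_bpf, but the new comments do not say which map it is meant to write. Naming the map and the reason in the comment on the `map_write` line would make the scope auditable later, and would also let a reviewer judge whether the `fs_bpf:file write` is needed only for that map. As written, the two new comment lines also read as one sentence split across the existing "Needed for interact with bpf fs." line; merging them into one grammatical comment would be cleaner.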
diff --git a/private/logd.te b/private/logd.te
index 7112c4f..62d4196 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -10,6 +10,8 @@
neverallow logd {
file_type
-runtime_event_log_tags_file
+ # shell_data_file access is needed to dump bugreports
+ -shell_data_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
@@ -39,3 +41,11 @@
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
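Review bot: The comment `# Only binder communication between logd and system_server is allowed` states an invariant that the rules below it do not enforce: `binder_service(logd)` plus `add_service(logd, logd_service)` register a service any domain with a `logd_service:service_manager find` grant could reach, and no neverallow restricting that find appears in this hunk. Either add one, e.g. `neverallow { domain -system_server } logd_service:service_manager find;`, or reword the comment to describe what is granted rather than what is forbidden. If such a neverallow already exists elsewhere in the file, a pointer to it in the comment would do.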
diff --git a/private/property.te b/private/property.te
index 5d5869c..f63beb9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -411,10 +411,12 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
+ -system_app
} {
arm64_memtag_prop
}:property_service set;
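Review bot: Exempting `system_app` from this neverallow (and the matching `set_prop(system_app, arm64_memtag_prop)` in private/system_app.te) grants MTE control to every app running in the system_app domain, not only to the Settings Developer Options screen that the new comment names. If Settings is the only intended writer, say so in the comment and consider whether the broader grant is acceptable; if the breadth is intentional, rewording to `# Allow system apps (e.g. Settings' Developer Options) to set MTE props.` would avoid implying a narrower scope than the rule has.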
diff --git a/private/property_contexts b/private/property_contexts
index 3650a44..5a9f0e8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -296,9 +296,11 @@
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
diff --git a/private/service.te b/private/service.te
index 10461ec..7e33715 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,8 +1,11 @@
type attention_service, system_server_service, service_manager_type;
+type compos_internal_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
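Review bot: `logcat_service` and `logd_service` are new types, but the only addition this diff makes to private/compat/32.0/32.0.ignore.cil is `resources_manager_service`; the visible part of that file starts at `nearby_service`, so I cannot tell whether the two logd types are already listed earlier in it. New types introduced after the 32.0 freeze normally need an entry there for the compat mapping to build, so please confirm they are present. The move of `compos_internal_service` to the top of the file is just reordering.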
@@ -13,4 +16,3 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
-type compos_internal_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 4bb1a5b..2e79abb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -198,6 +198,8 @@
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
+logcat u:object_r:logcat_service:s0
+logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
media.aaudio u:object_r:audioserver_service:s0
@@ -266,6 +268,7 @@
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
resolver u:object_r:resolver_service:s0
+resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
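Review bot: The new `resources` entry labels the service `resources_manager_service`, and that name is added to 32.0.ignore.cil in this diff, but no `type resources_manager_service, …` declaration is visible in the service.te hunks shown here. It is presumably declared in public/service.te outside this chunk; if not, service_contexts will reference an undefined type. A quick check that the declaration carries the intended attributes (e.g. `system_server_service`, and `app_api_service` only if apps are meant to find it) would close the loop.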
diff --git a/private/shell.te b/private/shell.te
index 709e0b7..63746f6 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -94,6 +94,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property to disable charging.
+set_prop(shell, power_debug_prop)
+
# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index e3b43a1..2e2c473 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,6 +8,8 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
+allow snapuserd self:capability ipc_lock;
+
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
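Review bot: The new `allow snapuserd self:capability ipc_lock;` carries no comment, unlike the equivalent crosvm grant elsewhere in this diff, which explains its purpose. ipc_lock lifts the memlock limit for the whole process, so the reason should be recorded; this change also adds `ro.virtual_ab.io_uring.enabled`, so if the capability is for io_uring buffer registration a line such as `# ipc_lock: needed by the io_uring path (confirm exact reason).` would document it.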
diff --git a/private/system_app.te b/private/system_app.te
index ce76b69..460ad4b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
diff --git a/private/system_server.te b/private/system_server.te
index 68792e8..d3d731c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -277,6 +277,7 @@
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
+binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)
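Review bot: `binder_call(system_server, logd)` is inserted between `vold` and `wificond`, breaking the alphabetical order the surrounding lines keep; the same applies to `allow system_server logd_service:service_manager find;` in the second hunk of this file, which lands after `wifinl80211_service`. Moving each line to its sorted position (after the `incidentd`/`keystore`-range entries, whichever precedes `logd` in the existing list) keeps future merges conflict-free. The lines themselves are consistent with the logd.te and service.te changes in this diff.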
@@ -881,6 +882,7 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')
@@ -915,6 +917,7 @@
clear_ns
clear_uid
get_state
+ list
lock
migrate_any_key
pull_metrics
diff --git a/public/app.te b/public/app.te
index 7de9c00..09e30ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -8,375 +8,6 @@
###
type appdomain_tmpfs, file_type;
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
###
### Neverallow rules
###
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b1f186c..7268166 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -253,6 +253,7 @@
-apex_service
-dumpstate_service
-gatekeeper_service
+ -hal_wifi_supplicant_service
-virtual_touchpad_service
-vold_service
-default_android_service
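Review bot: The `-hal_wifi_supplicant_service` exemption added on the hunk's fourth line, and the matching `hal_wifi_supplicant_service` entry in the next hunk's allow set, do not record what bugreport data dumpstate needs from the supplicant service, so a future audit of this list cannot tell whether the grant is still required. Consider a comment next to the new allow entry, e.g. `# hal_wifi_supplicant_service: <what dumpstate reads from it>`, with the actual consumer filled in. Both the neverallow and the allow statement begin outside their hunks.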
@@ -262,6 +263,7 @@
apex_service
dumpstate_service
gatekeeper_service
+ hal_wifi_supplicant_service
virtual_touchpad_service
vold_service
}:service_manager find;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b4ff7aa..b531a22 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -5,8 +5,6 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
-binder_call(hal_wifi_supplicant_server, servicemanager)
-
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/service.te b/public/service.te
index e519297..0e9488c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -185,6 +185,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
type rollback_service, app_api_service, system_server_service, service_manager_type;
@@ -237,7 +238,7 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type virtual_device_service, system_api_service, system_server_service, service_manager_type;
+type virtual_device_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
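Review bot: Changing `virtual_device_service` from `system_api_service` to `app_api_service` on the hunk's changed line makes the service discoverable by every app domain, including untrusted ones, and neither the hunk nor the merged description states why. SELinux only gates `find` here, so the service's own Binder-level permission checks become the sole barrier for untrusted callers; worth confirming that is in place before widening. Recording the intent inline would help the next reviewer, e.g. `# app-visible; the service enforces <PERMISSION> on every caller` with the real permission name filled in.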
diff --git a/public/system_server.te b/public/system_server.te
index edefadf..cb7f288 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -14,4 +14,5 @@
-init
-vendor_init
-system_server
+ -shell
} power_debug_prop:property_service set;
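Review bot: The `-shell` exemption added on the hunk's fourth line pairs with the new `set_prop(shell, power_debug_prop)` grant in private/shell.te earlier in this diff, and neither is gated on build type. The shell.te comment describes it as a way to disable charging, which reads like a debugging knob; if that is the intent, gating both with `userdebug_or_eng(`-shell')` here and `userdebug_or_eng(`set_prop(shell, power_debug_prop)')` there keeps the property unwritable from shell on user builds — if it is meant for user builds too, a comment saying so on the exemption would settle it. The enclosing neverallow starts outside the hunk.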
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
deleted file mode 100644
index c0c3abb..0000000
--- a/seapp_contexts.mk
+++ /dev/null
@@ -1,142 +0,0 @@
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
-
-built_plat_sc := $(LOCAL_BUILT_MODULE)
-plat_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := system_ext_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-system_ext_sc_files := $(call build_policy, seapp_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(system_ext_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(system_ext_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-system_ext_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-product_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_sc_files := $(call build_policy, seapp_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_vendor_sc := $(LOCAL_BUILT_MODULE)
-vendor_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_odm_sc := $(LOCAL_BUILT_MODULE)
-odm_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- - $(hide) grep -ihe '^neverallow' $< > $@
-
-plat_sc_neverallow_files :=
diff --git a/tests/Android.bp b/tests/Android.bp
index 959a214..78a631f 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,6 +11,7 @@
srcs: ["sepol_wrap.cpp"],
cflags: ["-Wall", "-Werror",],
export_include_dirs: ["include"],
+ stl: "c++_static",
// libsepolwrap gets loaded from the system python, which does not have the
// ASAN runtime. So turn off sanitization for ourself, and use static
@@ -32,7 +33,7 @@
"policy.py",
"treble_sepolicy_tests.py",
],
- required: ["libsepolwrap"],
+ data: [":libsepolwrap"],
}
python_binary_host {
@@ -42,7 +43,7 @@
"policy.py",
"sepolicy_tests.py",
],
- required: ["libsepolwrap"],
+ data: [":libsepolwrap"],
}
python_binary_host {
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index a05d8f2..0a87a13 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,6 +18,7 @@
import policy
import re
import sys
+import distutils.ccompiler
#############################################################
# Tests
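Review bot: `import distutils.ccompiler` on the hunk's added line brings in a module that is deprecated since Python 3.10 (PEP 632) and removed in 3.12, so the host tests will stop importing once the build's Python moves; the same import is added to tests/treble_sepolicy_tests.py. Its only use, `distutils.ccompiler.new_compiler().shared_lib_extension` in the next hunk (and twice in treble_sepolicy_tests.py), as far as I can tell yields `.so` for every Unix compiler class, so on a macOS host where the build emits a `.dylib` the lookup would likely fail with the new "Is this binary corrupted?" message. Since `sys` is already imported, a dependency-free replacement is `"libsepolwrap" + ('.dylib' if sys.platform == 'darwin' else '.so')`.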
@@ -141,24 +142,21 @@
]
if __name__ == '__main__':
- usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
- usage += "-f vendor_file_contexts -f "
+ usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
help="Test options include "+str(Tests))
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
@@ -173,7 +171,7 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
results = ""
# If an individual test is not specified, run all tests.
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1c5b8e2..a3bf661 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,6 +20,7 @@
from policy import MatchPathPrefix
import re
import sys
+import distutils.ccompiler
DEBUG=False
@@ -341,7 +342,7 @@
"ViolatorAttributes": TestViolatorAttributes}
if __name__ == '__main__':
- usage = "treble_sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
@@ -351,7 +352,6 @@
metavar="FILE")
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
- parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
@@ -362,11 +362,6 @@
(options, args) = parser.parse_args()
- if not options.libpath:
- sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
- if not os.path.exists(options.libpath):
- sys.exit("Error: library-path " + options.libpath + " does not exist\n"
- + parser.usage)
if not options.policy:
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -379,6 +374,11 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
+ libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -394,8 +394,8 @@
if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, options.libpath)
- oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
+ basepol = policy.Policy(options.basepolicy, None, libpath)
+ oldpol = policy.Policy(options.oldpolicy, None, libpath)
mapping = mini_parser.MiniCilParser(options.mapping)
pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
compatSetup(basepol, oldpol, mapping, pubpol.types)
@@ -403,7 +403,7 @@
if options.faketreble:
FakeTreble = True
- pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+ pol = policy.Policy(options.policy, options.file_contexts, libpath)
setup(pol)
if DEBUG:
diff --git a/tools/Android.bp b/tools/Android.bp
index c480dc2..1ec129d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -63,3 +63,8 @@
name: "insertkeys",
srcs: ["insertkeys.py"],
}
+
+python_binary_host {
+ name: "sepolicy_generate_compat",
+ srcs: ["sepolicy_generate_compat.py"],
+}
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
new file mode 100644
index 0000000..ab9ed82
--- /dev/null
+++ b/tools/sepolicy_generate_compat.py
@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import glob
+import logging
+import os
+import shutil
+import subprocess
+import tempfile
+import zipfile
+"""This tool generates a mapping file for {ver} core sepolicy."""
+
+
+def check_run(cmd):
+ logging.debug('Running cmd: %s' % cmd)
+ subprocess.run(cmd, check=True)
+
+
+def check_output(cmd):
+ logging.debug('Running cmd: %s' % cmd)
+ return subprocess.run(cmd, check=True, stdout=subprocess.PIPE)
+
+
+def fetch_artifact(branch, build, pattern, destination='.'):
+ """Fetches build artifacts from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from
+ build: string, build ID or "latest"
+ pattern: string, pattern of build artifact file name
+ destination: string, destination to pull build artifact to
+ """
+ fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact'
+ cmd = [
+ fetch_artifact_path, '--branch', branch, '--target',
+ 'aosp_arm64-userdebug'
+ ]
+ if build == 'latest':
+ cmd.append('--latest')
+ else:
+ cmd.extend(['--bid', build])
+ cmd.extend([pattern, destination])
+ check_run(cmd)
+
+
+def extract_mapping_file_from_img(img_path, ver, destination='.'):
+ """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file.
+
+ Args:
+ img_path: string, path to system.img file
+ ver: string, version of designated mapping file
+ destination: string, destination to pull the mapping file to
+ """
+
+ cmd = [
+ 'debugfs', '-R',
+ 'cat system/etc/selinux/mapping/%s.cil' % ver, img_path
+ ]
+ with open(os.path.join(destination, '%s.cil' % ver), 'wb') as f:
+ logging.debug('Extracting %s.cil to %s' % (ver, destination))
+ f.write(check_output(cmd).stdout)
+
+
+def download_mapping_file(branch, build, ver, destination='.'):
+ """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev")
+ build: string, build ID or "latest"
+ ver: string, version of designated mapping file (e.g. "32.0")
+ destination: string, destination to pull build artifact to
+ """
+ temp_dir = tempfile.mkdtemp()
+
+ try:
+ artifact_pattern = 'aosp_arm64-img-*.zip'
+ fetch_artifact(branch, build, artifact_pattern, temp_dir)
+
+ # glob must succeed
+ zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
+ with zipfile.ZipFile(zip_path) as zip_file:
+ logging.debug('Extracting system.img to %s' % temp_dir)
+ zip_file.extract('system.img', temp_dir)
+
+ system_img_path = os.path.join(temp_dir, 'system.img')
+ extract_mapping_file_from_img(system_img_path, ver, destination)
+ finally:
+ logging.info('Deleting temporary dir: {}'.format(temp_dir))
+ shutil.rmtree(temp_dir)
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--branch',
+ required=True,
+ help='Branch to pull build from. e.g. "sc-v2-dev"')
+ parser.add_argument('--build', required=True, help='Build ID, or "latest"')
+ parser.add_argument(
+ '--version',
+ required=True,
+ help='Version of designated mapping file. e.g. "32.0"')
+ parser.add_argument(
+ '-v',
+ '--verbose',
+ action='count',
+ default=0,
+ help='Increase output verbosity, e.g. "-v", "-vv".')
+ return parser.parse_args()
+
+
+def main():
+ args = get_args()
+
+ verbosity = min(args.verbose, 2)
+ logging.basicConfig(
+ format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
+ level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity])
+
+ download_mapping_file(args.branch, args.build, args.version)
+
+
+if __name__ == '__main__':
+ main()
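Review bot: In extract_mapping_file_from_img the destination file is opened for writing before debugfs runs, so a failing `check_output` (CalledProcessError) leaves an empty `{ver}.cil` in destination that a later step could mistake for a real mapping file. Capture first, then write: `data = check_output(cmd).stdout` ahead of the `with open(...)` block and `f.write(data)` inside it; debugfs may also report a missing in-image path only on stderr, so rejecting empty `data` with an explicit error is worth considering. Separately, the module docstring `"""This tool generates a mapping file for {ver} core sepolicy."""` sits after the imports, where it is a bare string expression rather than `__doc__`; move it above `import argparse`. The helper named check_output returns the whole CompletedProcess rather than the output, as the `.stdout` at its call site shows; returning `.stdout` directly (or renaming it) would match the name.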
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 77945b7..011001b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -164,8 +164,7 @@
$(public_cil_files) \
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
-u $(PRIVATE_PLAT_PUB_SEPOLICY) \
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4fc0460..5cfda25 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -25,6 +25,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
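Review bot: The context line two below the added camera entry spells the mount alternative as `sustem/vendor` in the confirmationui@1.0-service pattern, so that binary is labeled hal_confirmationui_default_exec only under the `/vendor/bin/hw/...` alternative and not under `/system/vendor/bin/hw/...`; the new line uses the correct `system/vendor`. This is pre-existing and not introduced here, but since the change touches this block it is worth fixing in the same series: `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0`.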