Merge changes I9b32916e,I7c4771de into main
* changes:
Define new kernel security classes
Symlink microdroid access_vectors and security_classes
diff --git a/Android.bp b/Android.bp
index ae9c4a7..496de06 100644
--- a/Android.bp
+++ b/Android.bp
@@ -390,39 +390,6 @@
product_specific: true,
}
-// HACK to support vendor blobs using 1000000.0
-// TODO(b/314010177): remove after new ToT (202404) fully propagates
-se_versioned_policy {
- name: "plat_mapping_file_1000000.0",
- base: ":plat_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
- name: "system_ext_mapping_file_1000000.0",
- base: ":system_ext_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [":plat_mapping_file"],
- relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
- system_ext_specific: true,
-}
-
-se_versioned_policy {
- name: "product_mapping_file_1000000.0",
- base: ":pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ],
- relative_install_path: "mapping", // install to /product/etc/selinux/mapping
- product_specific: true,
-}
-
//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index 09e253a..6b30fb2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -210,12 +210,6 @@
plat_sepolicy.cil \
secilc \
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += plat_mapping_file_1000000.0
-endif
-
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif
@@ -284,12 +278,6 @@
LOCAL_REQUIRED_MODULES += \
system_ext_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file_1000000.0
-endif
-
system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -338,12 +326,6 @@
LOCAL_REQUIRED_MODULES += \
product_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += product_mapping_file_1000000.0
-endif
-
product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 78720aa..d8fc8df 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -6,3 +6,6 @@
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
/bin/vfio_handler u:object_r:vfio_handler_exec:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ /bin/vmnic u:object_r:vmnic_exec:s0
+')
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 139c2d5..bb832eb 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -188,6 +188,7 @@
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 41a2861..2d0bb68 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -20,6 +20,7 @@
"RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
+ "RELEASE_AVF_ENABLE_NETWORK",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
],
diff --git a/private/bpfloader.te b/private/bpfloader.te
index de7e8a4..33d3783 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -47,8 +47,8 @@
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
-neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfdomain } *:bpf { map_create map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
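Review bot: The first rewritten neverallow drops map_create from the bpfloader-only set, so after this change every domain carrying the bpfdomain attribute may create BPF maps, and nothing in the hunk records why that widening is acceptable or how far it is meant to go. The netd, network_stack and system_server hunks in the same change only grant `self:bpf map_create`, which suggests self-owned maps are the intent. A comment above the pair, such as `# map_create: any bpfdomain member (for its own maps); prog_load stays bpfloader-only`, would keep that invariant readable, and if self-only creation really is the rule a further neverallow pinning the map_create target could be considered in a follow-up; I can't confirm from the hunk under which context bpfloader itself creates maps.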
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 5b3615e..99d645e 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -15,9 +15,10 @@
allow compos_verify apex_art_data_file:dir search;
allow compos_verify apex_art_data_file:file r_file_perms;
-# Allow odsign to redirect our stdout/stderr to log
-allow compos_verify odsign:fd use;
-allow compos_verify odsign_devpts:chr_file { read write };
+# odsign runs us with its console as our stdin/stdout/stderr.
+# But we never use them; logs go to logcat. Suppress the useless denials.
+dontaudit compos_verify odsign:fd use;
+dontaudit compos_verify odsign_devpts:chr_file { read write };
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify:process transition;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index bccbafd..2d7a1c9 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -195,7 +195,7 @@
allow dumpstate system_data_file:file r_file_perms;
# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
+allow dumpstate app_data_file_type:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
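Review bot: The replacement line widens the append grant from the two explicit types to the whole app_data_file_type attribute, while the comment above it still reads as if only apps' private files were meant; whatever other types carry that attribute (I can't enumerate them from the hunk) are now appendable by dumpstate. The comment should state the scope so the next reader does not assume the old two-type grant, e.g. `# Allow dumpstate to append into apps' private files (every app_data_file_type type, append only).`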
diff --git a/private/netd.te b/private/netd.te
index a466ef1..37581a6 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,12 +10,14 @@
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
-# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
-# the map created by bpfloader
-allow netd bpfloader:bpf { prog_run map_read map_write };
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
+# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
+allow netd bpfloader:bpf prog_run;
+allow netd self:bpf map_create;
+allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
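Review bot: The third added rule, `allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };`, is repeated with the identical target set in private/network_stack.te and private/system_server.te in this change, differing only in the subject domain; three hand-maintained copies of one mutual map-sharing set will drift the first time another map creator is added. Collecting the four creators under a single attribute (name to be chosen) and granting `map_read map_write` against that attribute in each file would keep the set in one place. The rewritten comment's "NS/SS" abbreviation is also easier to search for if it is written out as `network_stack/system_server`.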
diff --git a/private/network_stack.te b/private/network_stack.te
index 7587c1f..4450e02 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -45,6 +45,7 @@
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
@@ -63,7 +64,10 @@
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
+allow network_stack bpfloader:bpf prog_run;
+allow network_stack self:bpf map_create;
+allow network_stack { bpfloader netd network_stack system_server }:bpf { map_read map_write };
+
# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
diff --git a/private/property.te b/private/property.te
index 4ce2d54..a5a1d07 100644
--- a/private/property.te
+++ b/private/property.te
@@ -229,9 +229,10 @@
neverallow {
domain
-init
+ -crash_dump
-dumpstate
-misctrl
- -crash_dump
+ -statsd
userdebug_or_eng(`-su')
} misctrl_prop:file no_rw_file_perms;
neverallow {
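Review bot: Adding `-statsd` to this exception list removes statsd from the whole no_rw_file_perms neverallow on misctrl_prop, although the statsd.te hunk in the same change only grants get_prop (read access). Nothing now prevents a later allow from giving statsd write access to that property without tripping a neverallow, so the intended limit should at least be recorded next to the exemption, e.g. `-statsd # read only, see statsd.te`. The second neverallow block begins on the hunk's last line and continues outside it.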
diff --git a/private/property_contexts b/private/property_contexts
index 8ade1b7..81370c0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -532,6 +532,7 @@
dalvik.vm.image-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.pre-reboot. u:object_r:dalvik_dynamic_config_prop:s0 prefix
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index d777e53..1fb4d1d 100644
--- a/private/service.te
+++ b/private/service.te
@@ -30,6 +30,9 @@
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
type virtualization_maintenance_service, service_manager_type;
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ type vmnic_service, service_manager_type;
+')
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index f4b331e..c7917f1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -170,6 +170,9 @@
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/private/statsd.te b/private/statsd.te
index 1e43160..5820d23 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -29,6 +29,9 @@
get_prop(statsd, device_config_statsd_native_prop)
get_prop(statsd, device_config_statsd_native_boot_prop)
+# Allow statsd to read misctl properties (for 16 KB)
+get_prop(statsd, misctrl_prop)
+
# Allow statsd to write uprobestats configs.
allow statsd uprobestats_configs_data_file:dir rw_dir_perms;
allow statsd uprobestats_configs_data_file:file create_file_perms;
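Review bot: The added comment says `misctl` while the type on the next line is `misctrl_prop`, and "(for 16 KB)" does not say what the 16 KB refers to, so the comment is harder to grep and to understand than the rule it documents. Suggested wording: `# Allow statsd to read misctrl properties (16 KB page-size metrics)` — adjust the parenthetical to whatever the 16 KB actually denotes, which I cannot confirm from the hunk.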
diff --git a/private/system_server.te b/private/system_server.te
index 1ddb48a..d05798d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1224,7 +1224,9 @@
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
-allow system_server bpfloader:bpf { map_read map_write prog_run };
+allow system_server bpfloader:bpf prog_run;
+allow system_server self:bpf map_create;
+allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index f096e89..a72f30f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -24,6 +24,12 @@
binder_call(virtualizationservice, vfio_handler)
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ # Let virtualizationservice find and communicate with vmnic.
+ allow virtualizationservice vmnic_service:service_manager find;
+ binder_call(virtualizationservice, vmnic)
+')
+
# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
@@ -33,7 +39,7 @@
allow virtualizationservice permission_service:service_manager find;
# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
-binder_call(virtualizationservice, remote_provisioning_service)
+binder_call(virtualizationservice, remote_provisioning_service_server)
allow virtualizationservice remote_provisioning_service:service_manager find;
# Allow virtualizationservice to manage VM secrets via Secretkeeper.
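Review bot: The second hunk changes the binder_call target to remote_provisioning_service_server while the find rule on the following line still names remote_provisioning_service, and the comment above only mentions rkpd, so a reader now sees two near-identical identifiers with no explanation of which is the domain and which is the service label. If remote_provisioning_service_server is the domain rkpd runs in and remote_provisioning_service its service-manager type (my inference from the names, please confirm), a comment such as `# remote_provisioning_service_server: rkpd's domain; remote_provisioning_service: its service_manager label` above the pair would remove the ambiguity.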
diff --git a/private/vmnic.te b/private/vmnic.te
new file mode 100644
index 0000000..bd4991d
--- /dev/null
+++ b/private/vmnic.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ # vmnic is a helper service for network tasks, like creating TAP network interface.
+ # vmnic is separated from virtualizationservice as vmnic requires more permission to do network related tasks.
+ type vmnic, domain, coredomain;
+ type vmnic_exec, system_file_type, exec_type, file_type;
+
+ # When init runs a file labelled with vmnic_exec, run it in the vmnic domain.
+ init_daemon_domain(vmnic)
+
+ # Let the vmnic domain register the vmnic_service with ServiceManager.
+ add_service(vmnic, vmnic_service)
+
+ # Let the vmnic domain use Binder.
+ binder_use(vmnic)
+
+ # Only virtualizationservice can communicate to vmnic
+ neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)
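Review bot: The header comment on the third line justifies the separate vmnic domain by the extra network permissions it needs, but the file grants none — only init_daemon_domain, add_service and binder_use — so either the comment is ahead of the policy or the network rules arrive in a later change; state which, e.g. `# Network permissions (TAP interface creation) are granted in a follow-up change.` The closing neverallow limits who may call vmnic, which is good; since only virtualizationservice is meant to reach it, a matching `neverallow { domain -virtualizationservice } vmnic_service:service_manager find;` would also stop other domains from looking the service up, assuming no other client is planned (not determinable from the hunk).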
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 1df8231..af47938 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -299,24 +299,7 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = [
- "TestBpffsTypeViolations",
- "TestDataTypeViolators",
- "TestProcTypeViolations",
- "TestSysfsTypeViolations",
- "TestSystemTypeViolators",
- "TestDebugfsTypeViolations",
- "TestTracefsTypeViolations",
- "TestVendorTypeViolations",
- "TestCoreDataTypeViolations",
- "TestPropertyTypeViolations",
- "TestAppDataTypeViolations",
- "TestDmaHeapDevTypeViolations",
- "TestCoredomainViolations",
- "TestViolatorAttributes",
- "TestIsolatedAttributeConsistency",
- "TestDevTypeViolations",
-]
+TEST_NAMES = [ name for name in dir() if name.startswith('Test') ]
def do_main(libpath):
"""
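Review bot: `TEST_NAMES = [ name for name in dir() if name.startswith('Test') ]` is evaluated at this point of module import, so it only sees `Test*` names defined above it and also picks up any non-test name that happens to start with `Test` (an import or a helper class); `dir()` additionally returns names sorted alphabetically, so the deliberate order of the old list is gone, which matters if the runner executes tests in list order. Filtering on callability and noting the convention would make the discovery explicit: `# Every module-level callable named Test* is a test; define them above this line.` followed by `TEST_NAMES = [name for name in dir() if name.startswith("Test") and callable(globals()[name])]`. do_main begins on the hunk's last lines and its body is outside the hunk.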
@@ -330,7 +313,7 @@
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
- help="Test options include "+str(Tests))
+ help="Test options include "+str(TEST_NAMES))
(options, args) = parser.parse_args()
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
index b1f57a7..f630370 100644
--- a/vendor/ot_rcp.te
+++ b/vendor/ot_rcp.te
@@ -8,10 +8,12 @@
userdebug_or_eng(`
domain_auto_trans(hal_threadnetwork_default, ot_rcp_exec, ot_rcp)
allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
+allow hal_threadnetwork_default ot_rcp:process signal;
allow ot_rcp hal_threadnetwork_default:fd use;
allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
allow ot_rcp devpts:chr_file {read write ioctl};
-allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp self:udp_socket { bind create ioctl read setopt write };
allow ot_rcp node:udp_socket node_bind;
allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp self:netlink_route_socket { nlmsg_read nlmsg_readpriv create read write };
')
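Review bot: The rewritten udp_socket line replaces create_socket_perms_no_ioctl with an explicit set that now includes `ioctl`, and the added netlink_route_socket line grants `nlmsg_readpriv`; both sit inside userdebug_or_eng so production builds are unaffected, but neither says which ioctl or which privileged netlink read ot_rcp actually needs. Pair the ioctl grant with an allowlist, `allowxperm ot_rcp self:udp_socket ioctl { <ioctls ot_rcp needs> };` (placeholder to fill in), and put a one-line comment above the netlink rule naming the operation that requires nlmsg_readpriv so the broader grant can be revisited.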