Snap for 13235988 from 56a7e4c7fd0a3911c890e85b9856f309e0eff949 to 25Q2-release
Change-Id: I5b3d51f8442bd58fe4d8393e5a33bd72fc8cd746
diff --git a/Android.bp b/Android.bp
index 44f064e..15d1596 100644
--- a/Android.bp
+++ b/Android.bp
@@ -335,7 +335,6 @@
src: ":system_ext_sepolicy.conf",
system_ext_specific: true,
filter_out: [":plat_sepolicy.cil"],
- remove_line_marker: true,
}
// product_policy.conf - A combination of the private and public product policy
@@ -361,7 +360,6 @@
":plat_sepolicy.cil",
":system_ext_sepolicy.cil",
],
- remove_line_marker: true,
}
// policy mapping files
@@ -477,7 +475,7 @@
src: ":odm_sepolicy.conf",
filter_out: [
":reqd_policy_mask.cil",
- ":vendor_sepolicy.cil",
+ ":vendor_sepolicy.cil.raw",
],
secilc_check: false, // will be done in se_versioned_policy module
device_specific: true,
@@ -497,10 +495,7 @@
":plat_mapping_file",
":vendor_sepolicy.cil",
],
- filter_out: [
- ":plat_pub_versioned.cil",
- ":vendor_sepolicy.cil",
- ],
+ filter_out: [":plat_pub_versioned.cil"],
device_specific: true,
}
diff --git a/build/Android.bp b/build/Android.bp
index dbe17c8..ef898e8 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -32,3 +32,15 @@
"version_policy",
],
}
+
+python_test_host {
+ name: "sepolicy_file_utils_test",
+ srcs: [
+ "file_utils.py",
+ "file_utils_test.py",
+ ],
+ main: "file_utils_test.py",
+ test_options: {
+ unit_test: true,
+ },
+}
diff --git a/build/file_utils.py b/build/file_utils.py
index e3210ed..5023fd0 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -30,19 +30,72 @@
os.makedirs(parent_dir)
+def remove_redundant_line_markers(lines):
+ """
+ Removes any redundant line markers.
+
+ Line markers are to support better error reporting for neverallow rules.
+ Line markers, possibly nested, look like:
+
+ ;;* lm(s|x) LINENO FILENAME
+ (CIL STATEMENTS)
+ ;;* lme
+
+ * lms is used when each of the following CIL statements corresponds to a line
+ in the original file.
+
+ * lmx is used when the following CIL statements are all expanded from a
+ single high-level language line.
+
+ * lme ends a line mark block.
+
+ Redundant line markers are markers without any statements inside. Normally
+ there are no such redundant line markers, but CIL files filtered out by
+ filter_out function below may contain those. remove_redundant_line_markers
+ find all such redundant line markers and removes all of them. See
+ file_utils_test.py for an example.
+ """
+
+ marker_stk = []
+ valid = [False] * len(lines)
+
+ for idx in range(len(lines)):
+ line = lines[idx]
+ if line.startswith(";;* lmx") or line.startswith(";;* lms"):
+ # line start marker
+ marker_stk.append(idx)
+ elif line.startswith(";;* lme"): # line end marker
+ if valid[marker_stk[-1]]:
+ valid[idx] = True
+ # propagate valid to parent markers
+ if len(marker_stk) >= 2:
+ valid[marker_stk[-2]] = True
+ marker_stk.pop()
+ else:
+ # any other expressions
+ valid[idx] = True
+ # set the current marker as valid
+ if marker_stk:
+ valid[marker_stk[-1]] = True
+
+ return [lines[idx] for idx in range(len(lines)) if valid[idx]]
+
def filter_out(pattern_files, input_file):
""""Removes lines in input_file that match any line in pattern_files."""
# Prepares patterns.
patterns = []
for f in pattern_files:
- patterns.extend(open(f).readlines())
+ patterns.extend([x for x in open(f).readlines() if not x.startswith(";;*")])
# Copy lines that are not in the pattern.
tmp_output = tempfile.NamedTemporaryFile(mode='w+')
with open(input_file, 'r') as in_file:
- tmp_output.writelines(line for line in in_file.readlines()
- if line not in patterns)
+ lines = [line for line in in_file.readlines()
+ if line not in patterns and line.strip()]
+ lines = remove_redundant_line_markers(lines)
+ tmp_output.writelines(lines)
+
# Append empty line because a completely empty file
# will trip up secilc later on:
tmp_output.write("\n")
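Review bot: remove_redundant_line_markers indexes `marker_stk[-1]` on every `;;* lme` without checking the stack, so an unbalanced end marker in a filtered CIL file dies with a bare IndexError, and start markers still open at end of input are silently kept or dropped with no diagnostic; both should be reported with the offending line, e.g. `if not marker_stk: raise ValueError(f"line {idx + 1}: ';;* lme' without a matching ';;* lms/lmx'")` before the pop and `if marker_stk: raise ValueError(f"unterminated line marker opened at line {marker_stk[-1] + 1}")` before the return. In filter_out the `line not in patterns` test is a linear scan over a list that can hold every line of the platform and vendor policy, so the filter is O(n·m); building `patterns` as a `set` keeps the same semantics at O(1) per lookup. The new `open(f).readlines()` on the pattern line also leaves the file handle to the garbage collector; a `with open(f) as pf:` block is the idiomatic form. filter_out continues past the end of the hunk.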
diff --git a/build/file_utils_test.py b/build/file_utils_test.py
new file mode 100644
index 0000000..91ae498
--- /dev/null
+++ b/build/file_utils_test.py
@@ -0,0 +1,59 @@
+# Copyright 2025 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Tests for file_utils"""
+
+import file_utils
+import unittest
+
+
+# pylint: disable=missing-docstring
+class FileUtilsTest(unittest.TestCase):
+
+ # tests
+
+ def test_removing_markers(self):
+ lines = [
+ ";;* lms 1 test_sepolicy.cil",
+ "(type foo)",
+ ";;* lmx 1 foo.te",
+ ";;* lme",
+ ";;* lmx 1 bar.te",
+ ";;* lmx 2 bar.te",
+ ";;* lme",
+ ";;* lme",
+ ";;* lmx 3 bar.te",
+ "(allow foo self (file (read)))",
+ "(neverallow foo self (file (write)))",
+ ";;* lme",
+ ";;* lme", # lms 1 test_sepolicy.cil
+ ]
+
+ expected = [
+ ";;* lms 1 test_sepolicy.cil",
+ "(type foo)",
+ ";;* lmx 3 bar.te",
+ "(allow foo self (file (read)))",
+ "(neverallow foo self (file (write)))",
+ ";;* lme",
+ ";;* lme", # lms 1 test_sepolicy.cil
+ ]
+
+ actual = file_utils.remove_redundant_line_markers(lines)
+
+ # Line markers without any statements must be removed
+ self.assertEqual(actual, expected)
+
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
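Review bot: The only test exercises the happy path of remove_redundant_line_markers; the malformed inputs the function can receive from filter_out (an `;;* lme` with no open marker, or a marker left unterminated at end of input) and filter_out itself, whose pattern handling is what this change alters, are not covered. A second case feeding `[";;* lme"]` and `[";;* lmx 1 a.te", "(type foo)"]` and asserting the chosen behaviour would pin the contract (today the first raises IndexError and the second silently keeps an unterminated block), and a filter_out test can write its pattern and input files with `tempfile.NamedTemporaryFile`. A short docstring on test_removing_markers describing the nesting in the fixture would replace the trailing `# lms 1 test_sepolicy.cil` comments.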
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8bdf01b..9d71d87 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -324,9 +324,6 @@
// exported policies
Filter_out []string `android:"path"`
- // Whether to remove line markers (denoted by ;;) out of compiled cil files. Defaults to false
- Remove_line_marker *bool
-
// Whether to run secilc to check compiled policy or not. Defaults to true
Secilc_check *bool
@@ -392,17 +389,6 @@
Text(">> ").Output(cil)
}
- if proptools.Bool(c.properties.Remove_line_marker) {
- rule.Command().Text("grep -v").
- Text(proptools.ShellEscape(";;")).
- Text(cil.String()).
- Text(">").
- Text(cil.String() + ".tmp").
- Text("&& mv").
- Text(cil.String() + ".tmp").
- Text(cil.String())
- }
-
if proptools.BoolDefault(c.properties.Secilc_check, true) {
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index bff3c87..a3e010f 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -858,6 +858,7 @@
/data/system/unsolzygotesocket system_unsolzygote_socket
/data/drm drm_data_file
/data/drm/test drm_data_file
+/data/system/mediadrm mediadrm_system_data_file
/data/resource-cache resourcecache_data_file
/data/resource-cache/test resourcecache_data_file
/data/dalvik-cache dalvikcache_data_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index c92991f..b9cef64 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -31,6 +31,7 @@
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
"RELEASE_BLUETOOTH_SOCKET_SERVICE",
+ "RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH",
],
export_to: ["all_selinux_flags"],
}
diff --git a/private/app.te b/private/app.te
index a32cdb2..3219fbe 100644
--- a/private/app.te
+++ b/private/app.te
@@ -609,6 +609,8 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
+neverallow appdomain mediadrm_system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
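Review bot: The new neverallow copies the drm_data_file write-side list, so an app domain could later be granted `read open getattr` on mediadrm_system_data_file by an allow rule without tripping any neverallow; since only hal_widevine_system is given access in this change and the directory appears to hold HAL-private state, the stronger guard is `neverallow appdomain mediadrm_system_data_file:dir_file_class_set *;` (or at least add `read open` to the set), which is what actually keeps the contents from leaking to apps. If read access for some app domain is anticipated, keep the current form but say so in the comment, e.g. `# Apps may never write mediadrm system state; reads are left to explicit allow rules.`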
diff --git a/private/artd.te b/private/artd.te
index 15d7969..b3f1e5a 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -37,11 +37,12 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
+# Also allow deleting .sdm files.
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
-allow artd apk_data_file:file r_file_perms;
+allow artd apk_data_file:file { r_file_perms unlink };
allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
-allow artd apk_tmp_file:file r_file_perms;
+allow artd apk_tmp_file:file { r_file_perms unlink };
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
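Review bot: `unlink` on `apk_data_file:file` and `apk_tmp_file:file` is broader than the comment "Also allow deleting .sdm files": every file under /data/app carries apk_data_file, so artd can now delete installed base.apk and split files as well as the .sdm artifacts beside them. If artd is the writer of the .sdm files, a dedicated file type with a type_transition from apk_data_file directories would confine unlink to them; if that is not practical, the comment should state the real scope so the next reader does not assume it is narrow, e.g. `# unlink is needed to delete .sdm files; note it applies to any apk_data_file, including the APKs themselves.`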
diff --git a/private/domain.te b/private/domain.te
index b912aae..6999586 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -530,7 +530,9 @@
# Needed for loading kernel modules.
# TODO(384942085): Reduce the scope.
+is_flag_disabled(RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH, `
allow domain kernel:key search;
+')
# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
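Review bot: Gating `allow domain kernel:key search` behind RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH removes the permission from every domain when the flag is on, but the hunk shows no narrower replacement for the domains that load kernel modules, which the comment above gives as the reason for the rule; if that replacement lives in another file it should be referenced here, otherwise module loading will start failing with a `kernel:key search` denial once the flag flips. The comment also no longer describes the block and should be updated, e.g. `# Legacy blanket grant for module loading; removed under RELEASE_SEPOLICY_RESTRICT_KERNEL_KEYRING_SEARCH, after which only the module-loading domains should keep kernel:key search (see TODO(384942085)).`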
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d960ff6..b92ca6f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -67,6 +67,9 @@
# Allow dumpstate to talk to ot_daemon service over binder
binder_call(dumpstate, ot_daemon)
+# Allow dumpstate to talk to mmd service over binder
+binder_call(dumpstate, mmd)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
diff --git a/private/file.te b/private/file.te
index 6bdcc39..6de346a 100644
--- a/private/file.te
+++ b/private/file.te
@@ -14,6 +14,9 @@
type fs_bpf_uprobestats, fs_type, bpffs_type;
type fs_bpf_memevents, fs_type, bpffs_type;
+# /data/system/mediadrm
+type mediadrm_system_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 23a895e..2bed8ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -596,6 +596,7 @@
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
+/data/system/mediadrm(/.*)? u:object_r:mediadrm_system_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/ota(/.*)? u:object_r:ota_data_file:s0
diff --git a/private/hal_widevine_system.te b/private/hal_widevine_system.te
index 2623249..a9cae31 100644
--- a/private/hal_widevine_system.te
+++ b/private/hal_widevine_system.te
@@ -8,3 +8,7 @@
get_prop(hal_widevine_system, drm_config_prop)
get_prop(hal_widevine_system, trusty_widevine_vm_sys_prop)
+
+allow hal_widevine_system mediadrm_system_data_file:dir { create search add_name rw_dir_perms };
+allow hal_widevine_system mediadrm_system_data_file:file { getattr create open read write };
+
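Review bot: `rw_dir_perms` already expands to `search` and `add_name` (plus read, write and remove_name), so the two explicit permissions on the dir rule are redundant; `{ create rw_dir_perms }` or the `create_dir_perms` macro says the same thing. `dir create` also implies the HAL creates /data/system/mediadrm itself, which would additionally need `add_name write` on the parent system_data_file directory and a type_transition so the new directory lands as mediadrm_system_data_file, none of which is in the hunk; if init creates the directory from an .rc `mkdir` using the file_contexts label, `create` on the dir can be dropped. The file rule grants neither `unlink` nor `setattr`, which is fine if the files are never rotated, but a one-line comment stating what is stored there (e.g. `# Persistent mediadrm state owned by the Widevine system HAL`) would make the intended access obvious to future audits.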
diff --git a/private/property_contexts b/private/property_contexts
index bcd145e..d089049 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -399,6 +399,7 @@
ro.virtual_ab.cow_op_merge_size u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.verify_threshold_size u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.verify_block_size u:object_r:virtual_ab_prop:s0 exact int
+ro.virtual_ab.skip_verification u:object_r:virtual_ab_prop:s0 exact bool
# OEMs can set this prop at build time to configure how many seconds to delay
# merge after installing a Virtual AB OTA. The default behavior is to start
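Review bot: `ro.virtual_ab.skip_verification` is, by its name, a switch that disables a verification step of the Virtual A/B snapshot merge, which makes it security-sensitive even though the `ro.` prefix means it is set once at boot; the neighbouring entries carry explanatory comments and this one should too, stating who sets it and whether it is meant for production builds, e.g. `# Debug/test only: skips Virtual A/B merge verification; must not be set on production builds.` Before landing a bypass flag under virtual_ab_prop, confirm that no domain beyond init/vendor_init has set_prop on that type, since those rules are not visible in this change.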
diff --git a/private/system_server.te b/private/system_server.te
index dce1aa9..c0c1c4b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -284,6 +284,10 @@
# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
+# Communicate with a virtual machine (b/396144272)
+allow system_server virtualizationmanager:fd use;
+allow system_server virtualizationmanager:vsock_socket { getopt read write };
+
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
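Review bot: The two new rules give system_server a direct read/write channel to a guest VM over a vsock socket created by virtualizationmanager, and the comment cites only a bug number; because system_server is the most privileged framework domain and the VM side is untrusted by design, the comment should name the VM/service and the framing expected on that socket so reviewers can find and check the parser on the system_server side, e.g. `# Read/write the vsock connection to <VM> that virtualizationmanager hands over as a binder fd; payload is <protocol>.` If the fd is only ever passed over binder, consider noting that no `create`/`connect` is granted so system_server cannot open vsock connections on its own.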
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
index c18cef6..dce5a07 100644
--- a/private/wifi_mainline_supplicant.te
+++ b/private/wifi_mainline_supplicant.te
@@ -2,6 +2,7 @@
type wifi_mainline_supplicant_exec, system_file_type, exec_type, file_type;
binder_use(wifi_mainline_supplicant)
+binder_call(wifi_mainline_supplicant, system_server)
init_daemon_domain(wifi_mainline_supplicant)
add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
@@ -29,3 +30,7 @@
allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Dumpstate support
+allow wifi_mainline_supplicant dumpstate:fd use;
+allow wifi_mainline_supplicant dumpstate:fifo_file write;