Merge "Allow fsck to use bootstrap libs." into main
diff --git a/Android.bp b/Android.bp
index dc6761c..9aef25e 100644
--- a/Android.bp
+++ b/Android.bp
@@ -146,7 +146,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_policy,
installable: false,
}
@@ -182,7 +182,7 @@
//
se_policy_conf {
name: "pub_policy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -202,7 +202,7 @@
se_policy_conf {
name: "system_ext_pub_policy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
@@ -221,7 +221,7 @@
se_policy_conf {
name: "plat_pub_policy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
installable: false,
@@ -410,7 +410,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -452,7 +452,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -793,7 +793,7 @@
se_policy_conf {
name: "base_plat_pub_policy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
build_variant: "user",
@@ -813,7 +813,7 @@
se_policy_conf {
name: "base_product_pub_policy.conf",
- defaults: ["se_policy_conf_public_flags_defaults"],
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
diff --git a/Android.mk b/Android.mk
index dc62833..378102b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -189,6 +189,11 @@
selinux_policy_nonsystem \
selinux_policy_system \
+# Runs checkfc against merged service_contexts files
+LOCAL_REQUIRED_MODULES += \
+ merged_service_contexts_test \
+ merged_hwservice_contexts_test
+
include $(BUILD_PHONY_PACKAGE)
# selinux_policy is a main goal and triggers lots of tests.
diff --git a/apex/Android.bp b/apex/Android.bp
index 5b2a75e..4daff80 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -293,3 +293,17 @@
"com.android.configinfrastructure-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.biometrics.virtual.fingerprint-file_contexts",
+ srcs: [
+ "com.android.biometrics.virtual.fingerprint-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.uprobestats-file_contexts",
+ srcs: [
+ "com.android.uprobestats-file_contexts",
+ ],
+}
diff --git a/apex/com.android.biometrics.virtual.fingerprint-file_contexts b/apex/com.android.biometrics.virtual.fingerprint-file_contexts
new file mode 100644
index 0000000..940934b
--- /dev/null
+++ b/apex/com.android.biometrics.virtual.fingerprint-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:virtual_fingerprint_exec:s0
diff --git a/apex/com.android.uprobestats-file_contexts b/apex/com.android.uprobestats-file_contexts
new file mode 100644
index 0000000..01de3e2
--- /dev/null
+++ b/apex/com.android.uprobestats-file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/bin/uprobestats u:object_r:uprobestats_exec:s0
+
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4476f94..d490845 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -91,8 +91,8 @@
// Desired number of MLS categories. Defaults to 1024
Mls_cats *int64
- // Board api level of policy files. Set "vendor" for RELEASE_BOARD_API_LEVEL, "system" for
- // turning off the guard, or a direct version string (e.g. "202404"). Defaults to "system"
+ // Board api level of policy files. Set "current" for RELEASE_BOARD_API_LEVEL, or a direct
+ // version string (e.g. "202404"). Defaults to "current"
Board_api_level *string
}
@@ -225,17 +225,12 @@
}
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
- level := proptools.StringDefault(c.properties.Board_api_level, "system")
-
- if level == "system" {
- // aribtrary value greater than any other vendor API levels
- return "1000000"
- } else if level == "vendor" {
+ level := proptools.StringDefault(c.properties.Board_api_level, "current")
+ if level == "current" {
return ctx.Config().VendorApiLevel()
} else {
return level
}
-
}
func findPolicyConfOrder(name string) int {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 216a480..0c98d1b 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -47,6 +47,7 @@
"android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
"android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
@@ -80,7 +81,7 @@
"android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
- "android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.nfc.INfc/default": []string{"nfc_service_fuzzer"},
"android.hardware.oemlock.IOemLock/default": EXCEPTION_NO_FUZZER,
"android.hardware.power.IPower/default": EXCEPTION_NO_FUZZER,
"android.hardware.power.stats.IPowerStats/default": EXCEPTION_NO_FUZZER,
@@ -184,6 +185,7 @@
"android.security.metrics": EXCEPTION_NO_FUZZER,
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
+ "android.system.microfuchsiad": EXCEPTION_NO_FUZZER,
// TODO(b/294158658): add fuzzer
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": []string{"virtualizationmanager_fuzzer"},
@@ -193,6 +195,7 @@
"android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
+ "app_function": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER,
"app_integrity": EXCEPTION_NO_FUZZER,
"app_prediction": EXCEPTION_NO_FUZZER,
@@ -390,7 +393,7 @@
"procstats": EXCEPTION_NO_FUZZER,
"profcollectd": EXCEPTION_NO_FUZZER,
"profiling_service": EXCEPTION_NO_FUZZER,
- "protolog": EXCEPTION_NO_FUZZER,
+ "protolog_configuration": EXCEPTION_NO_FUZZER,
"radio.phonesubinfo": EXCEPTION_NO_FUZZER,
"radio.phone": EXCEPTION_NO_FUZZER,
"radio.sms": EXCEPTION_NO_FUZZER,
@@ -447,6 +450,7 @@
"SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
"suspend_control": []string{"suspend_service_fuzzer"},
"suspend_control_internal": []string{"suspend_service_internal_fuzzer"},
+ "supervision": EXCEPTION_NO_FUZZER,
"system_config": EXCEPTION_NO_FUZZER,
"system_server_dumper": EXCEPTION_NO_FUZZER,
"system_update": EXCEPTION_NO_FUZZER,
diff --git a/contexts/Android.bp b/contexts/Android.bp
index ca3cf57..850601f 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -206,6 +206,18 @@
device_specific: true,
}
+hwservice_contexts {
+ name: "merged_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":plat_hwservice_contexts",
+ ":system_ext_hwservice_contexts",
+ ":product_hwservice_contexts",
+ ":vendor_hwservice_contexts",
+ ":odm_hwservice_contexts",
+ ],
+}
+
property_contexts {
name: "plat_property_contexts",
defaults: ["contexts_flags_defaults"],
@@ -308,6 +320,18 @@
recovery_available: true,
}
+service_contexts {
+ name: "merged_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":plat_service_contexts",
+ ":system_ext_service_contexts",
+ ":product_service_contexts",
+ ":vendor_service_contexts",
+ ":odm_service_contexts",
+ ],
+}
+
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
defaults: ["contexts_flags_defaults"],
@@ -490,6 +514,12 @@
sepolicy: ":precompiled_sepolicy",
}
+hwservice_contexts_test {
+ name: "merged_hwservice_contexts_test",
+ srcs: [":merged_hwservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
property_contexts_test {
name: "plat_property_contexts_test",
srcs: [":plat_property_contexts"],
@@ -568,6 +598,12 @@
sepolicy: ":precompiled_sepolicy",
}
+service_contexts_test {
+ name: "merged_service_contexts_test",
+ srcs: [":merged_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
vndservice_contexts_test {
name: "vndservice_contexts_test",
srcs: [":vndservice_contexts"],
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..e88b955 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -3,7 +3,7 @@
# It can be passed to checkfc to confirm that the regular expressions in
# file_contexts are matching the intended paths.
/ rootfs
-/adb_keys adb_keys_file
+/adb_keys system_file
/build.prop rootfs
/default.prop rootfs
/fstab.persist rootfs
@@ -37,6 +37,7 @@
/sys sysfs
/apex apex_mnt_dir
/bootstrap-apex apex_mnt_dir
+/mnt/vm vm_data_file
/postinstall postinstall_mnt_dir
/postinstall/apex postinstall_apex_mnt_dir
@@ -723,6 +724,9 @@
/system/product/lib64 system_lib_file
/system/product/lib64/does_not_exist system_lib_file
+/product/etc/security/adb_keys adb_keys_file
+/system/product/etc/security/adb_keys adb_keys_file
+
/system_ext system_file
/system_ext/does_not_exist system_file
/system/system_ext system_file
@@ -1269,8 +1273,6 @@
/metadata/bootstat/test metadata_bootstat_file
/metadata/staged-install staged_install_file
/metadata/staged-install/test staged_install_file
-/metadata/userspacereboot userspace_reboot_metadata_file
-/metadata/userspacereboot/test userspace_reboot_metadata_file
/metadata/watchdog watchdog_metadata_file
/metadata/watchdog/test watchdog_metadata_file
/metadata/repair-mode repair_mode_metadata_file
@@ -1302,6 +1304,11 @@
/mnt/product mnt_product_file
/mnt/product/test mnt_product_file
+
+/mnt/scratch_ota_metadata_super ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota/snapshots ota_metadata_file
+
/system/bin/check_dynamic_partitions postinstall_exec
/product/bin/check_dynamic_partitions postinstall_exec
/system/bin/otapreopt_script postinstall_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 5117fab..352310f 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -22,7 +22,9 @@
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
+ "RELEASE_AVF_ENABLE_MICROFUCHSIA",
"RELEASE_READ_FROM_NEW_STORAGE",
+ "RELEASE_SUPERVISION_SERVICE",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
],
@@ -40,13 +42,6 @@
build_flags: ["all_selinux_flags"],
}
-se_policy_conf_defaults {
- name: "se_policy_conf_public_flags_defaults",
- srcs: [":sepolicy_flagging_macros"],
- build_flags: ["all_selinux_flags"],
- board_api_level: "vendor",
-}
-
contexts_defaults {
name: "contexts_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
diff --git a/flagging/flagging_macros b/flagging/flagging_macros
index baf26c3..44cd33a 100644
--- a/flagging/flagging_macros
+++ b/flagging/flagging_macros
@@ -9,16 +9,15 @@
define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
####################################
-# starting_at_board_api(api_level, rules)
+# starting_at_board_api(api_level, rules_if_api_level)
#
-# This macro conditionally exposes SELinux rules within system/sepolicy/public,
-# ensuring they are available to vendors only when the board API level is at or
-# above the specified 'api_level'.
-#
-# * Platform sepolicy: Rules are always enabled, regardless of API level.
-# * Vendor sepolicy: Rules are enabled only when the board API level meets or
-# exceeds the value provided in 'api_level'.
-#
-# Apply this macro to public types and attributes (in system/sepolicy/public) to
-# restrict vendor access based on board API level.
+# This macro conditionally exposes SELinux rules ensuring they are available
+# only when the board API level is at or above the specified 'api_level'.
define(`starting_at_board_api', `ifelse(eval(target_board_api_level >= $1), 1, `$2')')
+
+####################################
+# until_board_api(api_level, rules_if_lower_api_level)
+#
+# This macro conditionally exposes SELinux rules ensuring they are available
+# only when the board API level is below the specified 'api_level'.
+define(`until_board_api', `ifelse(eval(target_board_api_level < $1), 1, `$2')')
diff --git a/private/adbd.te b/private/adbd.te
index c852038..154a04c 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -216,8 +216,7 @@
allow adbd shell:fd use;
# Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
+r_dir_file(adbd, vendor_apex_file)
# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
diff --git a/private/app.te b/private/app.te
index 1dd7fda..c51ba8b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -488,6 +488,8 @@
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
+get_prop(appdomain, high_barometer_quality_prop)
+
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
@@ -639,12 +641,6 @@
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
-
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
neverallow { appdomain -shell } efs_file:dir_file_class_set read;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bf723c5..0e2b01c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -45,6 +45,10 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+# Do not allow untrusted apps to modify temporarily staged APKs.
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
+
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 869deb6..5dc8bc4 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,5 +1,6 @@
;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
+(type otapreopt_chroot)
(type vendor_hidraw_device)
(typeattributeset dev_type (vendor_hidraw_device))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 7fa517e..73058ef 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -6,13 +6,13 @@
(typeattributeset new_objects
( new_objects
profcollectd_etr_prop
- fs_bpf_lmkd_memevents_rb
- fs_bpf_lmkd_memevents_prog
fstype_prop
binderfs_logs_transactions
binderfs_logs_transaction_history
- proc_compaction_proactiveness
proc_cgroups
+ supervision_service
sysfs_udc
- protolog_service
+ app_function_service
+ virtual_fingerprint
+ virtual_fingerprint_exec
))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 455cbff..6c52dba 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -32,6 +32,7 @@
security_state_service
sensitive_content_protection_service
setupwizard_mode_prop
+ supervision_service
sysfs_sync_on_suspend
tv_ad_service
threadnetwork_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 45d5722..b2d3bd5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -106,8 +106,15 @@
core_data_file_type
vendor_file_type
}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
+# Crash dump might try to read files that are mapped into the crashed process's
+# memory space to extract useful binary information such as the ELF header. See
+# system/core/debuggerd/libdebuggerd/tombstone_proto.cpp:dump_mappings.
+# Ignore these accesses.
+dontaudit crash_dump {
+ app_data_file_type
+ property_type
+ system_data_file
+}:{ lnk_file file } { read open };
get_prop(crash_dump, misctrl_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index 0c2acb9..1031f0f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -5,6 +5,10 @@
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
+# TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
+# directly. It should be removed once the KeyMint VM can be started with early_virtmgr
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, init_daemon_domain(crosvm))
+
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
@@ -20,10 +24,16 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationmanager:fd use;
+allow crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fd use;
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
-allow crosvm virtualizationmanager:fifo_file write;
+allow crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -40,10 +50,14 @@
apex_virt_data_file
shell_data_file
vendor_microdroid_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
-allow crosvm virtualizationservice_data_file:dir search;
+allow crosvm {
+ virtualizationservice_data_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
+}:dir search;
# When running a VM as root we get spurious capability denials.
# Suppress them.
@@ -58,7 +72,10 @@
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
+allow crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
@@ -74,6 +91,7 @@
privapp_data_file
apex_compos_data_file
apex_virt_data_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -116,7 +134,10 @@
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
+dontaudit crosvm {
+ virtualizationmanager
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -129,7 +150,6 @@
allow crosvm vfio_device:dir r_dir_perms;
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
-allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
@@ -141,6 +161,9 @@
allow crosvm vmnic:fd use;
')
+# Early VMs may print messages to kmsg_debug_device.
+allow crosvm kmsg_debug_device:chr_file w_file_perms;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
@@ -153,6 +176,7 @@
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
}:file open;
@@ -188,4 +212,9 @@
domain
-crosvm
-virtualizationmanager
+ # TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
+ # directly. It should be removed once the KeyMint VM can be started with early_virtmgr
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-init')
+
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 4a964fd..9e98bae 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -74,6 +74,7 @@
system_data_file
system_data_root_file
system_file
+ system_lib_file
tmpfs
vendor_file
}:dir mounton;
diff --git a/private/domain.te b/private/domain.te
index 94f96d9..e9cc7f5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -84,6 +84,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
+# Checking for the existance of the hwservicemanager binary is done in the client API
+# isHwServiceManagerInstalled
+dontaudit domain hwservicemanager_exec:file r_file_perms;
+
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -342,6 +346,10 @@
allow domain sysfs_pgsize_migration:dir search;
allow domain sysfs_pgsize_migration:file r_file_perms;
+# Linker is executed from the context of the process requesting the dynamic linking,
+# so this prop must be "world-readable".
+get_prop(domain, bionic_linker_16kb_app_compat_prop)
+
# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
@@ -493,7 +501,7 @@
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
-get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
+get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app -app_zygote }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -537,6 +537,7 @@
linkerconfig_file
mirror_data_file
mnt_user_file
+ vm_data_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index 4e332f6..e244be2 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -5,4 +5,71 @@
type early_virtmgr_exec, system_file_type, exec_type, file_type;
use_bootstrap_libs(early_virtmgr)
+
+ # Let early_virtmgr create files and directories inside /mnt/vm/early.
+ allow early_virtmgr vm_data_file:dir create_dir_perms;
+ allow early_virtmgr vm_data_file:file create_file_perms;
+ allow early_virtmgr vm_data_file:sock_file create_file_perms;
+
+ # Allow early_virtmgr to communicate use, read and write over the adb connection.
+ allow early_virtmgr adbd:fd use;
+ allow early_virtmgr adbd:unix_stream_socket { getattr read write };
+
+ # Allow writing VM logs to the shell console
+ allow early_virtmgr devpts:chr_file { read write getattr ioctl };
+
+ # Let the early_virtmgr domain use Binder.
+ binder_use(early_virtmgr)
+
+ # When early_virtmgr execs a file with the crosvm_exec label, run it in the crosvm domain.
+ domain_auto_trans(early_virtmgr, crosvm_exec, crosvm)
+
+ # Let early_virtmgr kill crosvm.
+ allow early_virtmgr crosvm:process sigkill;
+
+ # Allow early_virtmgr to read apex-info-list.xml and access the APEX files listed there.
+ allow early_virtmgr apex_info_file:file r_file_perms;
+ allow early_virtmgr apex_data_file:dir search;
+
+ # Ignore harmless denials on /proc/self/fd
+ dontaudit early_virtmgr self:dir write;
+
+ # Let early_virtmgr to accept vsock connection from the guest VMs
+ allow early_virtmgr self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Allow early_virtmgr to inspect all hypervisor capabilities.
+ get_prop(early_virtmgr, hypervisor_prop)
+ get_prop(early_virtmgr, hypervisor_pvmfw_prop)
+ get_prop(early_virtmgr, hypervisor_restricted_prop)
+ get_prop(early_virtmgr, hypervisor_virtualizationmanager_prop)
+
+ # Allow early_virtmgr to read file system DT for VM reference DT and AVF debug policy
+ r_dir_file(early_virtmgr, proc_dt_avf)
+ r_dir_file(early_virtmgr, sysfs_dt_avf)
+
+ # early_virtmgr to be client of secretkeeper HAL. It ferries SecretManagement messages from pVM
+ # to HAL.
+ hal_client_domain(early_virtmgr, hal_secretkeeper);
+
+ # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+ r_dir_file(early_virtmgr, crosvm);
+
+ # Allow early_virtmgr to:
+ # 1) bind to a vsock port less than 1024, because early VMs use static CIDs less than 1024
+ # 2) call RLIMIT_MEMLOCK for itself
+ allow early_virtmgr self:global_capability_class_set { net_bind_service ipc_lock sys_resource };
+
+ # early_virtmgr may print messages to kmsg_debug_device.
+ allow early_virtmgr kmsg_debug_device:chr_file w_file_perms;
+
+ ###
+ ### Neverallow rules
+ ###
+
+ # Only crosvm and early_virtmgr can access vm_data_file
+ neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
+ neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
+
+ # No other domains can accept vsock connection from the guest VMs
+ neverallow { domain -early_virtmgr } early_virtmgr:vsock_socket { accept bind create connect listen };
')
diff --git a/private/file.te b/private/file.te
index d30465b..70b8523 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,6 +9,7 @@
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
type fs_bpf_uprobestats, fs_type, bpffs_type;
+type fs_bpf_memevents, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -117,6 +118,9 @@
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /mnt/vm
+type vm_data_file, file_type, core_data_file_type;
+
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -210,3 +214,30 @@
# /data/misc_ce/userId/storage_area_keys
type storage_area_key_file, file_type, data_file_type, core_data_file_type;
+
+
+# Types added in 202504 in public/file.te
+until_board_api(202504, `
+ type binderfs_logs_transactions, fs_type;
+ type binderfs_logs_transaction_history, fs_type;
+')
+
+until_board_api(202504, `
+ type proc_cgroups, fs_type, proc_type;
+')
+
+until_board_api(202504, `
+ type sysfs_udc, fs_type, sysfs_type;
+')
+
+until_board_api(202504, `
+ type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+ type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+')
+
+until_board_api(202504, `
+ # boot otas for 16KB developer option
+ type vendor_boot_ota_file, vendor_file_type, file_type;
+')
+## END Types added in 202504 in public/file.te
+
diff --git a/private/file_contexts b/private/file_contexts
index ce5ed96..25ed6e8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,7 +24,7 @@
/ u:object_r:rootfs:s0
# Data files
-/adb_keys u:object_r:adb_keys_file:s0
+/adb_keys u:object_r:system_file:s0
/build\.prop u:object_r:rootfs:s0
/default\.prop u:object_r:rootfs:s0
/fstab\..* u:object_r:rootfs:s0
@@ -507,6 +507,8 @@
/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/(product|system/product)/etc/security/adb_keys u:object_r:adb_keys_file:s0
+
#############################
# SystemExt files
#
@@ -877,13 +879,18 @@
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
-/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
/metadata/aconfig_test_missions(/.*)? u:object_r:aconfig_test_mission_files:s0
+############################
+# mount point for ota metadata
+/mnt/scratch_ota_metadata_super(/.*)? u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota(/.*)? u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota/snapshots(/.*)? u:object_r:ota_metadata_file:s0
+
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
@@ -922,3 +929,7 @@
# dexopt_chroot_setup inside chroot, in addition to the files and directories
# matching the pattern below.
/mnt/pre_reboot_dexopt(/.*)? u:object_r:pre_reboot_dexopt_file:s0
+
+#############################
+# For early boot VM
+/mnt/vm u:object_r:vm_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index de2b139..b8b7247 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -94,7 +94,6 @@
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
-genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -331,13 +330,11 @@
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /loader u:object_r:fs_bpf_loader:s0
-genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
+genfscon bpf /memevents u:object_r:fs_bpf_memevents:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
-genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
-genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index f938ad5..90194f9 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -112,11 +112,6 @@
allow gmscore_app recovery_service:service_manager find;
allow gmscore_app stats_service:service_manager find;
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
# Write to /cache.
allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
diff --git a/private/hal_fingerprint.te b/private/hal_fingerprint.te
index 29abe4f..3295cc7 100644
--- a/private/hal_fingerprint.te
+++ b/private/hal_fingerprint.te
@@ -10,11 +10,11 @@
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
-allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+allow { hal_fingerprint -coredomain } fingerprint_vendor_data_file:file { create_file_perms };
+allow { hal_fingerprint -coredomain } fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, cgroup_v2)
-r_dir_file(hal_fingerprint, sysfs)
+r_dir_file({hal_fingerprint -coredomain}, sysfs)
diff --git a/private/hal_keymint.te b/private/hal_keymint.te
index ba29956..6c7b577 100644
--- a/private/hal_keymint.te
+++ b/private/hal_keymint.te
@@ -4,5 +4,5 @@
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
-allow hal_keymint_server tee_device:chr_file rw_file_perms;
-allow hal_keymint_server ion_device:chr_file r_file_perms;
+allow { hal_keymint_server -coredomain } tee_device:chr_file rw_file_perms;
+allow { hal_keymint_server -coredomain } ion_device:chr_file r_file_perms;
diff --git a/private/init.te b/private/init.te
index e4bafd8..73ab049 100644
--- a/private/init.te
+++ b/private/init.te
@@ -82,6 +82,9 @@
set_prop(init, init_perf_lsm_hooks_prop)
set_prop(init, vts_status_prop)
+# Allow init to set 16kb app compatibility props
+set_prop(init, bionic_linker_16kb_app_compat_prop)
+
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
@@ -115,6 +118,8 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
+# /mnt/vm, also permissions to mkdir / mount / chmod / chown
+allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };
# allow init to mount and unmount debugfs in debug builds
userdebug_or_eng(`
@@ -305,6 +310,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-misc_logd_file
@@ -324,6 +330,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-credstore_data_file
-exec_type
@@ -351,6 +358,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -383,6 +391,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -408,6 +417,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -439,6 +449,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-privapp_data_file
}:dir_file_class_set relabelto;
diff --git a/private/lmkd.te b/private/lmkd.te
index 5369c79..97dc398 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -19,9 +19,9 @@
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf { map_read map_write prog_run };
-# Needed for polling directly from the bpf ring buffer's fd
-allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
-allow lmkd fs_bpf_lmkd_memevents_prog:file read;
+# Needed to interact with memevents-eBPF and receive notifications for memory events
+allow lmkd fs_bpf_memevents:file { read write };
+allow lmkd fs_bpf_memevents:dir search;
allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
@@ -86,9 +86,6 @@
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
-# Allow lmkd to create io_uring
-allow lmkd self:anon_inode { create map read write };
-
### neverallow rules
# never honor LD_PRELOAD
diff --git a/private/microfuchsiad.te b/private/microfuchsiad.te
new file mode 100644
index 0000000..f02acaf
--- /dev/null
+++ b/private/microfuchsiad.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+ type microfuchsiad, domain, coredomain;
+ type microfuchsiad_exec, system_file_type, exec_type, file_type;
+
+ # Host dynamic AIDL services
+ init_daemon_domain(microfuchsiad)
+ binder_use(microfuchsiad)
+ add_service(microfuchsiad, microfuchsia_service)
+
+ # Call back into system server
+ binder_call(microfuchsiad, system_server)
+
+ # Start a VM
+ virtualizationservice_use(microfuchsiad)
+
+ # Create pty devices
+ allow microfuchsiad devpts:chr_file { read write open getattr ioctl };
+')
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 73e170b..2aeab0b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,5 @@
# otapreopt_chroot executable
+starting_at_board_api(202504, `type otapreopt_chroot, domain;')
typeattribute otapreopt_chroot coredomain;
type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
diff --git a/private/platform_app.te b/private/platform_app.te
index eb1a7c7..320624c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -51,6 +51,7 @@
userdebug_or_eng(`
set_prop(platform_app, persist_sysui_ranking_update_prop)
')
+set_prop(platform_app, debug_tracing_desktop_mode_visible_tasks_prop)
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
diff --git a/private/property.te b/private/property.te
index 7907dbc..402585e 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,6 +3,7 @@
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(crashrecovery_prop)
+system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
@@ -67,9 +68,11 @@
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)
system_internal_prop(system_service_enable_prop)
+system_internal_prop(ctl_artd_pre_reboot_prop)
# Properties which can't be written outside system
+system_restricted_prop(bionic_linker_16kb_app_compat_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(fstype_prop)
system_restricted_prop(log_file_logger_prop)
@@ -77,8 +80,15 @@
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ system_restricted_prop(enable_16k_pages_prop)
+ system_restricted_prop(profcollectd_etr_prop)
+')
+
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
+system_vendor_config_prop(high_barometer_quality_prop)
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
@@ -429,6 +439,14 @@
neverallow {
domain
-init
+ -vendor_init
+ } {
+ high_barometer_quality_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
-dumpstate
userdebug_or_eng(`-system_suspend')
} {
@@ -752,7 +770,9 @@
neverallow {
domain
-init
+ -keystore
-shell
+ -system_server
-rkpdapp
} remote_prov_prop:property_service set;
@@ -822,3 +842,9 @@
-init
-vendor_init
} pm_archiving_enabled_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-su')
+} bionic_linker_16kb_app_compat_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 7e18be3..7e9f1ca 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -33,6 +33,7 @@
debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
+debug.tracing.desktop_mode_visible_tasks u:object_r:debug_tracing_desktop_mode_visible_tasks_prop:s0 exact uint
dumpstate. u:object_r:dumpstate_prop:s0
dumpstate.options u:object_r:dumpstate_options_prop:s0
init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0
@@ -201,6 +202,11 @@
ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+# Restrict access to starting/stopping artd_pre_reboot.
+ctl.start$artd_pre_reboot u:object_r:ctl_artd_pre_reboot_prop:s0
+ctl.stop$artd_pre_reboot u:object_r:ctl_artd_pre_reboot_prop:s0
+ctl.restart$artd_pre_reboot u:object_r:ctl_artd_pre_reboot_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -313,6 +319,7 @@
apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.loop_wait.attempts u:object_r:apexd_config_prop:s0 exact uint
apexd.config.boot_activation.threads u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loopback.readahead u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
@@ -408,6 +415,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# Timecheck configuration
+audio.timecheck.disabled u:object_r:audio_config_prop:s0 exact bool
+audio.timecheck.timeout_duration_ms u:object_r:audio_config_prop:s0 exact int
+audio.timecheck.second_chance_duration_ms u:object_r:audio_config_prop:s0 exact int
+
# spatializer tuning
audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
@@ -1261,6 +1273,8 @@
ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+bionic.linker.16kb.app_compat.enabled u:object_r:bionic_linker_16kb_app_compat_prop:s0 exact bool
+
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
@@ -1596,6 +1610,7 @@
# bootanimation properties
ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+ro.product.bootanim.file u:object_r:bootanim_config_prop:s0 exact string
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
@@ -1681,6 +1696,10 @@
# Properties for sensor service
sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
+# Whether the device has a high quality barometer as defined on the CDD.
+# Set by OEMs, read for xTS verifier tests
+sensor.barometer.high_quality.implemented u:object_r:high_barometer_quality_prop:s0 exact bool
+
# Properties for game manager service
persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 907861c..a34d7fb 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -223,4 +223,5 @@
user=_app fromRunAs=true domain=runas_app levelFrom=user
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.virtualization.linuxinstaller domain=ferrochrome_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.virtualization.ferrochrome domain=ferrochrome_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 6c55ed4..a4d00f3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,26 +1,36 @@
-type adaptive_auth_service, system_server_service, service_manager_type;
-type ambient_context_service, app_api_service, system_server_service, service_manager_type;
-type attention_service, system_server_service, service_manager_type;
-type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
-type compos_service, service_manager_type;
-type communal_service, app_api_service, system_server_service, service_manager_type;
-type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
-type feature_flags_service, app_api_service, system_server_service, service_manager_type;
-type gsi_service, service_manager_type;
-type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type logcat_service, system_server_service, service_manager_type;
-type logd_service, service_manager_type;
-type mediatuner_service, app_api_service, service_manager_type;
+type adaptive_auth_service, system_server_service, service_manager_type;
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
+
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
+type attention_service, system_server_service, service_manager_type;
+type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
+type compos_service, service_manager_type;
+type communal_service, app_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type feature_flags_service, app_api_service, system_server_service, service_manager_type;
+type gsi_service, service_manager_type;
+type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
-type profcollectd_service, service_manager_type;
-type resolver_service, system_server_service, service_manager_type;
-type rkpd_registrar_service, service_manager_type;
-type rkpd_refresh_service, service_manager_type;
-type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type stats_service, service_manager_type;
-type statsbootstrap_service, system_server_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
-type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type profcollectd_service, service_manager_type;
+type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
+type rkpd_registrar_service, service_manager_type;
+type rkpd_refresh_service, service_manager_type;
+type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type stats_service, service_manager_type;
+type statsbootstrap_service, system_server_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
+type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
+ type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
@@ -34,6 +44,9 @@
type vm_tethering_service, system_server_service, service_manager_type;
type vmnic_service, service_manager_type;
')
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+ type microfuchsia_service, service_manager_type;
+')
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 7f16043..5fdae3c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -28,6 +28,7 @@
android.hardware.biometrics.face.IFace/virtual u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
@@ -174,8 +175,12 @@
android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
android.system.vmtethering.IVmTethering u:object_r:vm_tethering_service:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+ android.system.microfuchsiad u:object_r:microfuchsia_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
+app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
@@ -369,7 +374,7 @@
powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
profiling_service u:object_r:profiling_service:s0
-protolog u:object_r:protolog_service:s0
+protolog_configuration u:object_r:protolog_configuration_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
@@ -427,6 +432,10 @@
storagestats u:object_r:storagestats_service:s0
# sdk_sandbox here refers to the service name, not the domain name.
sdk_sandbox u:object_r:sdk_sandbox_service:s0
+
+is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
+ supervision u:object_r:supervision_service:s0
+')
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index e0ed8c3..0b6ffe2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -151,7 +151,7 @@
proc_version
}:file r_file_perms;
-# Settings app writes to /dev/stune/foreground/tasks.
+# Allow system apps to modify cgroup attributes and migrate processes
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
allow system_app cgroup_v2:dir w_dir_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 1c9f732..fc4faef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -774,6 +774,7 @@
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)
+set_prop(system_server, ctl_artd_pre_reboot_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
@@ -1236,6 +1237,10 @@
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit system_server self:key_socket getopt;
+# Needed to interact with memevents-eBPF and receive notifications for memory events
+allow system_server fs_bpf_memevents:dir search;
+allow system_server fs_bpf_memevents:file { read write };
+
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process { sigkill signal };
@@ -1561,10 +1566,6 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
# Only system server should access /metadata/aconfig
neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 003e992..6540420 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -111,6 +111,10 @@
binder_call(traced_probes, statsd)
allow traced_probes stats_service:service_manager find;
+# Allow reading the system property representing number of desktop windows to
+# set the initial value for the counter in traces.
+get_prop(traced_probes, debug_tracing_desktop_mode_visible_tasks_prop)
+
###
### Neverallow rules
###
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 5bba84a..6de0292 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -107,5 +107,5 @@
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:dir { rw_dir_perms rmdir };
allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 72157ad..84ec60e 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -221,9 +221,6 @@
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;
-# Write to /proc/sys/vm/compaction_proactiveness
-allow vendor_init proc_compaction_proactiveness:file w_file_perms;
-
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 0faf0c5..fa8db43 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -41,7 +41,7 @@
# Allow virtual_camera to use GPU
allow virtual_camera gpu_device:chr_file rw_file_perms;
allow virtual_camera gpu_device:dir r_dir_perms;
-allow virtual_camera sysfs_gpu:file r_file_perms;
+r_dir_file(virtual_camera, sysfs_gpu)
# Allow virtual camera to use graphics composer fd-s (fences).
allow virtual_camera hal_graphics_composer:fd use;
diff --git a/private/virtual_fingerprint.te b/private/virtual_fingerprint.te
new file mode 100644
index 0000000..61bff28
--- /dev/null
+++ b/private/virtual_fingerprint.te
@@ -0,0 +1,7 @@
+# biometric virtual fingerprint sensor
+type virtual_fingerprint, domain;
+type virtual_fingerprint_exec, system_file_type, exec_type, file_type;
+hal_server_domain(virtual_fingerprint, hal_fingerprint)
+typeattribute virtual_fingerprint coredomain;
+init_daemon_domain(virtual_fingerprint)
+set_prop(virtual_fingerprint, virtual_fingerprint_hal_prop)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 9b3cfcf..023e3e9 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -70,12 +70,24 @@
# Allow virtualizationmanager to be read custom pvmfw.img configuration
userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
-neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-virtualizationmanager')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, -early_virtmgr)
+} hypervisor_pvmfw_prop:file no_rw_file_perms;
# Allow virtualizationmanager to be read custom virtualizationmanager configuration
userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
-neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-virtualizationmanager')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, -early_virtmgr)
+} hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
diff --git a/public/file.te b/public/file.te
index b28ca85..4f187ec 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,11 +23,6 @@
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
-
-starting_at_board_api(202504, `
- type proc_compaction_proactiveness, fs_type, proc_type;
-')
-
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -155,12 +150,6 @@
type fs_bpf_tethering, fs_type, bpffs_type;
type fs_bpf_vendor, fs_type, bpffs_type;
-starting_at_board_api(202504, `
- type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
- type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
-')
-
-
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 8a625f5..eb340c8 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -1,7 +1,7 @@
# otapreopt_chroot seclabel
# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
+until_board_api(202504, `type otapreopt_chroot, domain;')
# system/sepolicy/public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/public/property.te b/public/property.te
index 47a1bde..4f1b369 100644
--- a/public/property.te
+++ b/public/property.te
@@ -276,7 +276,7 @@
vendor_internal_prop(virtual_face_hal_prop)
# Properties used in the default Fingerprint HAL implementations
-vendor_internal_prop(virtual_fingerprint_hal_prop)
+system_public_prop(virtual_fingerprint_hal_prop)
vendor_public_prop(persist_vendor_debug_wifi_prop)
diff --git a/public/service.te b/public/service.te
index 963e261..0982629 100644
--- a/public/service.te
+++ b/public/service.te
@@ -68,6 +68,9 @@
type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
@@ -202,7 +205,6 @@
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type protolog_service, system_api_service, system_server_service, service_manager_type;
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 6d7533a..e446f56 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -203,6 +203,34 @@
allow $1 virtualizationservice_data_file:file { getattr read };
')
+####################################
+# early_virtmgr_use(domain)
+# Allow domain to create and communicate with an early virtual machine using
+# early_virtmgr.
+define(`early_virtmgr_use', `
+# Transition to early_virtmgr when the client executes it.
+domain_auto_trans($1, early_virtmgr_exec, early_virtmgr)
+# Allow early_virtmgr to communicate over UDS with the client.
+allow { early_virtmgr crosvm } $1:unix_stream_socket { ioctl getattr read write };
+# Let the client pass file descriptors to early_virtmgr and on to crosvm.
+allow { early_virtmgr crosvm } $1:fd use;
+allow { early_virtmgr crosvm } $1_tmpfs:file rw_file_perms;
+# Let the client use file descriptors created by early_virtmgr.
+allow $1 early_virtmgr:fd use;
+# Allow piping console log to the client
+allow { early_virtmgr crosvm } $1:fifo_file { ioctl getattr read write };
+# Allow client to read/write vsock created by early_virtmgr to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 early_virtmgr:vsock_socket { getattr getopt read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
+# Allow early_virtmgr to read the path of the client using /proc/{PID}/exe
+allow early_virtmgr $1:dir search;
+allow early_virtmgr $1:file read;
+allow early_virtmgr $1:lnk_file read;
+')
+
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index fa05eb1..b9b935c 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,6 +48,10 @@
removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
+ # TODO(b/330670954): remove this once all internal references are removed.
+ if "proc_compaction_proactiveness" in added_types:
+ added_types.remove("proc_compaction_proactiveness")
+
if removed_types:
results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index af47938..bc3ed3d 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -44,6 +44,10 @@
"/system/product/vendor_overlay/",
"/system/system_ext/overlay/",
"/system_ext/overlay/",
+
+ # adb_keys_file hasn't been a system_file_type
+ "/product/etc/security/adb_keys",
+ "/system/product/etc/security/adb_keys",
]
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index 68ce0e5..cdf82f1 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -22,16 +22,20 @@
top=$1
ver=$2
-mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}/"
-cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}/"
-cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}/"
+prebuilt_dir=$top/system/sepolicy/prebuilts/api/$ver
+mkdir -p "$prebuilt_dir"
+cp -r "$top/system/sepolicy/public/" "$prebuilt_dir"
+cp -r "$top/system/sepolicy/private/" "$prebuilt_dir"
-cat > "$top/system/sepolicy/prebuilts/api/${ver}/Android.bp" <<EOF
+cat > "$prebuilt_dir/Android.bp" <<EOF
// Automatically generated file, do not edit!
se_policy_conf {
name: "${ver}_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
- srcs: [":se_build_files{.plat_public_${ver}}", ":se_build_files{.reqd_mask}"],
+ srcs: [
+ ":se_build_files{.plat_public_${ver}}",
+ ":se_build_files{.reqd_mask}",
+ ],
installable: false,
build_variant: "user",
}
@@ -96,3 +100,26 @@
},
}
EOF
+
+# Build general_sepolicy.conf, plat_sepolicy.cil, and mapping file for CTS
+DIST_DIR=out/dist $top/build/soong/soong_ui.bash --make-mode dist sepolicy_finalize bpmodify
+
+cp "$top/out/dist/plat_sepolicy.cil" "$prebuilt_dir/${ver}_plat_sepolicy.cil"
+cp "$top/out/dist/general_sepolicy.conf" "$prebuilt_dir/${ver}_general_sepolicy.conf"
+cp "$top/out/dist/$ver.cil" "$prebuilt_dir/${ver}_mapping.cil"
+
+cat >> "$prebuilt_dir/Android.bp" <<EOF
+
+filegroup {
+ name: "${ver}_sepolicy_cts_data",
+ srcs: [
+ "${ver}_general_sepolicy.conf",
+ "${ver}_plat_sepolicy.cil",
+ "${ver}_mapping.cil",
+ ],
+}
+EOF
+
+bpmodify="$top/out/host/linux-x86/bin/bpmodify"
+$bpmodify -a ":${ver}_sepolicy_cts_data" -m prebuilt_sepolicy_cts_data -property srcs -w \
+ $top/system/sepolicy/tests/Android.bp
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
index 55859ac..65b54de 100644
--- a/tools/fuzzer_bindings_check.py
+++ b/tools/fuzzer_bindings_check.py
@@ -50,8 +50,8 @@
if service_name not in bindings:
sys.exit("\nerror: Service '{0}' is being added, but we have no fuzzer on file for it. "
"Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
- "NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
- "and Rust (b/164122727). In this case, please ignore this for now and add an entry for your"
+ "NOTE: automatic service fuzzers are currently not supported in Java (b/287102710.)"
+ "In this case, please ignore this for now and add an entry for your"
"new service in service_fuzzer_bindings.go \n\n"
"If you are writing a new service, it may be subject to attack from other "
"potentially malicious processes. A fuzzer can be written automatically "
diff --git a/vendor/file_contexts b/vendor/file_contexts
index edd1c71..cd03ae1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,7 +26,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.default u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0