Merge "Add selinux rules for android.hardware.usb.gadget.IUsbGadget AIDL migration"
diff --git a/Android.mk b/Android.mk
index bd2bd56..8220fd5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -511,6 +511,8 @@
odm_seapp_contexts \
odm_property_contexts \
odm_property_contexts_test \
+ odm_service_contexts \
+ odm_service_contexts_test \
odm_hwservice_contexts \
odm_hwservice_contexts_test \
odm_mac_permissions.xml
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 841b64a..60799cd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -33,6 +33,7 @@
"android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{},
"android.hardware.broadcastradio.IBroadcastRadio/dab": []string{},
"android.hardware.camera.provider.ICameraProvider/internal/0": []string{},
+ "android.hardware.cas.IMediaCasService/default": []string{},
"android.hardware.confirmationui.IConfirmationUI/default": []string{},
"android.hardware.contexthub.IContextHub/default": []string{},
"android.hardware.drm.IDrmFactory/clearkey": []string{},
@@ -96,6 +97,7 @@
"android.hardware.vibrator.IVibrator/default": []string{},
"android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
"android.hardware.weaver.IWeaver/default": []string{},
+ "android.hardware.wifi.IWifi/default": []string{},
"android.hardware.wifi.hostapd.IHostapd/default": []string{},
"android.hardware.wifi.supplicant.ISupplicant/default": []string{},
"android.frameworks.stats.IStats/default": []string{},
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 82f42ba..d5cd8ae 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -277,6 +277,15 @@
recovery_available: true,
}
+service_contexts {
+ name: "odm_service_contexts",
+ srcs: [
+ ":service_contexts_files{.odm}",
+ ],
+ device_specific: true,
+ recovery_available: true,
+}
+
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
srcs: [":keystore2_key_contexts_files{.plat_private}"],
@@ -515,6 +524,12 @@
sepolicy: ":precompiled_sepolicy",
}
+service_contexts_test {
+ name: "odm_service_contexts_test",
+ srcs: [":odm_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
vndservice_contexts_test {
name: "vndservice_contexts_test",
srcs: [":vndservice_contexts"],
diff --git a/private/artd.te b/private/artd.te
index cb2b6c2..63045af 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -67,6 +67,12 @@
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
+# Read/write access to secondary dex files, their profiles, and their
+# compilation artifacts
+# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
+allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
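Review bot: The two allow rules grant artd create/unlink and relabelfrom/relabelto over the whole app_data_file_type attribute, which is every app's private data, not just the secondary dex files, profiles and artifacts the comment names; with the matching exemptions added in private/domain.te, public/domain.te and private/mlstrustedsubject.te, no neverallow constrains artd on app data any more. If the attribute is unavoidable because these files carry each app's own type, the comment should say so and name what limits the paths artd actually touches, e.g. `# Secondary dex files carry the owning app's type, so the whole attribute is needed; artd only operates on paths it is explicitly asked to compile.` (wording to be confirmed against artd). The relabelto grant additionally lets artd move files between app data types (the relabel neverallow in private/domain.te was previously installd-only), so a sentence on which relabels artd performs would help future reviewers judge the scope.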
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 5d9a7cb..a5d5f98 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -12,12 +12,14 @@
device_config_vendor_system_native_prop
devicelock_service
hal_bootctl_service
+ hal_cas_service
hal_remoteaccess_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
hal_tv_hdmi_service
hal_tv_hdmi_cec_service
+ hal_wifi_service
healthconnect_service
keystore_config_prop
permissive_mte_prop
diff --git a/private/domain.te b/private/domain.te
index 632b9f6..60303ff 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,6 +181,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
@@ -191,6 +192,7 @@
-adbd
-appdomain
-app_zygote
+ -artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
@@ -206,6 +208,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
@@ -214,6 +217,7 @@
domain
-appdomain
-app_zygote
+ -artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -221,11 +225,13 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
+ -artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
@@ -606,10 +612,14 @@
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
neverallow {
domain
-adbd
-appdomain
+ -artd
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
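Review bot: The added comment says artd does not need /data/local/tmp, but the `-artd` exemption removes the only guard visible here, so nothing in policy enforces that distinction. If both locations share one type (which is presumably why an exemption rather than a narrower rule was used), the comment should state that the limit is not expressible in policy and rests on artd's own path handling, e.g. `# Both locations share a type, so this cannot be narrowed in policy; artd must not open /data/local/tmp itself.` The same comment and exemption are repeated in public/domain.te and would take the same wording. The neverallow statement continues past the end of this hunk.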
@@ -621,6 +631,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
diff --git a/private/file_contexts b/private/file_contexts
index 951c9b5..4deecf7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -443,13 +443,14 @@
/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_service_contexts u:object_r:vendor_service_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product files
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 0aed4d3..67bd113 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -6,16 +6,19 @@
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
-system_server
-adbd
diff --git a/private/service_contexts b/private/service_contexts
index 7dc700a..2b9e88f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -18,6 +18,7 @@
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.cas.IMediaCasService/default u:object_r:hal_cas_service:s0
android.hardware.confirmationui.IConfirmationUI/default u:object_r:hal_confirmationui_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
@@ -81,6 +82,7 @@
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.IWifi/default u:object_r:hal_wifi_service:s0
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0b4b919..8c7fe7a 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -153,9 +153,12 @@
# These have been disallowed since Android O.
# For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
+dontaudit untrusted_app_all {
+ proc_stat
+ proc_uptime
+ proc_vmstat
+ proc_zoneinfo
+}:file read;
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
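Review bot: proc_zoneinfo is added to the dontaudit set, but the comment above (which begins before this hunk) still explains only the stat/vmstat/uptime denials that date from Android O, so the reason for silencing zoneinfo denials is undocumented; since dontaudit removes the only signal that apps are probing this file, the comment should say why it is now included, e.g. `# proc_zoneinfo: <reason and since which release>`. Consider also keeping the set in a single order convention (the new list is alphabetical except that zoneinfo's rationale differs), or calling out that it is a newer addition.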
diff --git a/public/domain.te b/public/domain.te
index dc467a6..f9e4c46 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1155,9 +1155,13 @@
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
neverallow {
domain
-adbd
+ -artd
-dumpstate
-installd
-init
@@ -1169,6 +1173,7 @@
domain
-adbd
-appdomain
+ -artd
-dumpstate
-init
-installd
diff --git a/public/hal_cas.te b/public/hal_cas.te
index e699a6b..056b4c9 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -5,6 +5,11 @@
hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+hal_attribute_service(hal_cas, hal_cas_service)
+
+binder_call(hal_cas_server, servicemanager)
+binder_call(hal_cas_client, servicemanager)
+
# Permit reading device's serial number from system properties
get_prop(hal_cas_server, serialno_prop)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 2e4fa78..e4f1d21 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,6 +3,9 @@
binder_call(hal_wifi_server, hal_wifi_client)
hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+hal_attribute_service(hal_wifi, hal_wifi_service)
+
+binder_call(hal_wifi_server, servicemanager)
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/service.te b/public/service.te
index 705da33..db7c298 100644
--- a/public/service.te
+++ b/public/service.te
@@ -273,6 +273,7 @@
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_dice_service, protected_service, hal_service_type, service_manager_type;
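Review bot: hal_cas_service is declared without `protected_service`, unlike every neighbouring hal_*_service type in this hunk and hal_wifi_service in the next one, which means the attribute-based protections for HAL services do not apply and the service is reachable by a wider set of clients. If that is deliberate because apps are meant to use the CAS service directly, a comment on the line should say so, e.g. `# Not protected_service: apps access CAS through this service directly.`; if not, it should read `type hal_cas_service, protected_service, hal_service_type, service_manager_type;`. Note that the matching fuzzer binding added in build/soong/service_fuzzer_bindings.go is an empty list, so a service exposed more widely than its peers also has no fuzzer registered.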
@@ -317,6 +318,7 @@
type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 8a8b473..ab42534 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -194,7 +194,7 @@
# to crosvm
allow { virtualizationservice crosvm } $1:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file write;
+allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
# Allow client to read/write vsock created by virtualizationservice to
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
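Review bot: The new permission set is written `{ getattr write}` without the space before the closing brace, which differs from the `{ a b }` style used elsewhere in this file and in the rest of the change (e.g. `{ create_dir_perms relabelfrom relabelto }` in artd.te); it should read `allow { virtualizationservice crosvm } $1:fifo_file { getattr write };`. The comment above still describes only piping the console log, so a word on why getattr is now needed on the client's fifo would help, e.g. `# Allow piping console log to the client (getattr needed to inspect the pipe)`, with the exact reason confirmed. The enclosing macro definition starts and ends outside this hunk.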
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ab47b83..5681054 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -40,6 +40,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas-service\.example u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas-service\.example-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0