Merge "Added entries for audioflinger and audiopolicy aidl fuzzer" into main
diff --git a/Android.bp b/Android.bp
index cac0748..6c8fa2a 100644
--- a/Android.bp
+++ b/Android.bp
@@ -207,36 +207,6 @@
}
-se_policy_conf {
- name: "apex_sepolicy-33.conf",
- srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
- installable: false,
-}
-
-se_policy_cil {
- name: "apex_sepolicy-33.cil",
- src: ":apex_sepolicy-33.conf",
- filter_out: [":plat_sepolicy.cil"],
- installable: false,
- stem: "apex_sepolicy.cil",
-}
-
-se_policy_cil {
- name: "decompiled_sepolicy-without_apex.cil",
- src: ":precompiled_sepolicy-without_apex",
- decompile_binary: true,
-}
-
-se_policy_cil {
- name: "apex_sepolicy-33.decompiled.cil",
- src: ":precompiled_sepolicy",
- decompile_binary: true,
- filter_out: [":decompiled_sepolicy-without_apex.cil"],
- additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
- secilc_check: false,
- stem: "apex_sepolicy.decompiled.cil",
-}
-
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
@@ -359,116 +329,16 @@
product_specific: true,
}
+//////////////////////////////////
// vendor/odm sepolicy
-//
-// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-// policy files of platform (system, system_ext, product) can't be mixed with
-// policy files of vendor (vendor, odm). If it's the case, platform policies and
-// vendor policies are separately built. More specifically,
-//
-// - Platform policy files needed to build vendor policies, such as plat_policy,
-// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-//
-// - sepolicy_neverallows only checks platform policies, and a new module
-// sepolicy_neverallows_vendor checks vendor policies.
-//
-// - neverallow checks are turned off while compiling precompiled_sepolicy
-// module and sepolicy module.
-//
-// - Vendor policies are not checked on the compat test (compat.mk).
-//
-// In such scenario, we can grab platform policy files from the prebuilts/api
-// directory. But we need more than that: prebuilts of system_ext, product,
-// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
-// variables are introduced to specify such prebuilts.
-//
-// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-//
-// Vendors are responsible for copying policy files from the old version of the
-// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
-// can be used to build vendor policies.
-//
-// To support both mixed build and normal build, platform policy files are
-// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
-// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
-// Otherwise, they will be equal to the Makefile variables above.
-
-plat_public_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.reqd_mask_for_vendor}",
-]
-
-plat_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.plat_private_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.system_ext_private_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.product_private_for_vendor}",
-]
-
-se_policy_conf {
- name: "plat_policy_for_vendor.conf",
- srcs: plat_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_policy_for_vendor.cil",
- src: ":plat_policy_for_vendor.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
- installable: false,
-}
-
-se_policy_conf {
- name: "reqd_policy_mask_for_vendor.conf",
- srcs: [":se_build_files{.reqd_mask_for_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask_for_vendor.cil",
- src: ":reqd_policy_mask_for_vendor.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "pub_policy_for_vendor.conf",
- srcs: plat_public_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy_for_vendor.cil",
- src: ":pub_policy_for_vendor.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "plat_mapping_file_for_vendor",
- base: ":pub_policy_for_vendor.cil",
- mapping: true,
- version: "vendor",
- installable: false,
-}
+//////////////////////////////////
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
version: "vendor",
vendor: true,
}
@@ -478,8 +348,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
],
vendor: true,
@@ -489,7 +362,7 @@
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
vendor: true,
installable: false,
@@ -497,13 +370,15 @@
se_versioned_policy {
name: "vendor_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
],
filter_out: [":plat_pub_versioned.cil"],
vendor: true,
@@ -514,8 +389,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -527,7 +405,7 @@
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
- ":reqd_policy_mask_for_vendor.cil",
+ ":reqd_policy_mask.cil",
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
@@ -537,13 +415,15 @@
se_versioned_policy {
name: "odm_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
@@ -560,9 +440,6 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-// AND
-// - apex_sepolicy.sha256 equals
-// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -580,20 +457,6 @@
}
genrule {
- name: "apex_sepolicy.sha256_gen",
- srcs: [":apex_sepolicy-33.cil"],
- out: ["apex_sepolicy.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "apex_sepolicy.sha256",
- filename: "apex_sepolicy.sha256",
- src: ":apex_sepolicy.sha256_gen",
- installable: false,
-}
-
-genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -662,18 +525,6 @@
}
//////////////////////////////////
-// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
-// was built.
-//////////////////////////////////
-prebuilt_etc {
- defaults: ["precompiled_sepolicy_prebuilts"],
- name: "precompiled_sepolicy.apex_sepolicy.sha256",
- filename: "precompiled_sepolicy.apex_sepolicy.sha256",
- src: ":apex_sepolicy.sha256_gen",
- relative_install_path: "selinux",
-}
-
-//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
@@ -701,21 +552,32 @@
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
- value_variables: ["MIXED_SEPOLICY_VERSION"],
- properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
+}
+
+filegroup {
+ name: "precompiled_sepolicy_srcs",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
+ // Useful when some partitions need to be bind mounted across VM boundaries.
+ visibility: ["//visibility:public"],
}
precompiled_se_policy_binary {
name: "precompiled_sepolicy",
srcs: [
- ":plat_sepolicy.cil",
- ":apex_sepolicy-33.cil",
- ":plat_pub_versioned.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
+ ":precompiled_sepolicy_srcs",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -724,71 +586,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
- ],
- dist: {
- targets: ["base-sepolicy-files-for-mapping"],
- },
-}
-
-precompiled_se_policy_binary {
- name: "precompiled_sepolicy-without_apex",
- srcs: [
- ":plat_sepolicy.cil",
- ":plat_pub_versioned.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
- ],
- soong_config_variables: {
- BOARD_USES_ODMIMAGE: {
- device_specific: true,
- conditions_default: {
- vendor: true,
- },
- },
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
- },
- required: [
- "sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -798,8 +598,13 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -869,33 +674,6 @@
}
se_policy_conf {
- name: "base_system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_sepolicy.cil",
- src: ":base_system_ext_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- system_ext_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_system_ext_sepolicy",
- srcs: [":base_system_ext_sepolicy.cil"],
- system_ext_specific: true,
- installable: false,
-}
-
-se_policy_conf {
name: "base_product_sepolicy.conf",
srcs: plat_public_policy +
plat_private_policy +
@@ -944,25 +722,6 @@
}
se_policy_conf {
- name: "base_system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_pub_policy.cil",
- src: ":base_system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_conf {
name: "base_product_pub_policy.conf",
srcs: plat_public_policy +
system_ext_public_policy +
@@ -1003,7 +762,7 @@
se_bug_map {
name: "vendor_bug_map",
- srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
@@ -1016,17 +775,11 @@
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
- product_private_policy,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows_vendor",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
- vendor: true,
}
//////////////////////////////////
@@ -1035,7 +788,7 @@
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
- name: "sepolicy_freeze_test",
+ name: "se_freeze_test",
}
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index d496f1d..384c416 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,13 +1,7 @@
LOCAL_PATH:= $(call my-dir)
-include $(LOCAL_PATH)/definitions.mk
-include $(LOCAL_PATH)/policy_version.mk
-
include $(CLEAR_VARS)
-MLS_SENS=1
-MLS_CATS=1024
-
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
@@ -73,13 +67,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
-mixed_sepolicy_build := true
-else
-mixed_sepolicy_build :=
-endif
-
-NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@@ -87,7 +74,6 @@
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
It does not work in user builds and using it will \
not stop you from failing CTS.)
-NEVERALLOW_ARG := -N
endif
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@@ -98,21 +84,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
-# Set default values for these prebuilt directories
-ifeq (,$(BOARD_REQD_MASK_POLICY))
-BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
-endif
-
-ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
-BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
-endif
-
-$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
- $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
- BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
- ) \
-)))
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -123,13 +94,6 @@
$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef
-# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
-# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-
-# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
-build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
-
sepolicy_build_files := security_classes \
initial_sids \
access_vectors \
@@ -191,36 +155,11 @@
endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-# CIL files which contain workarounds for current limitation of human-readable
-# module policy language. These files are appended to the CIL files produced
-# from module language files.
-sepolicy_build_cil_workaround_files := technical_debt.cil
-
-my_target_arch := $(TARGET_ARCH)
-ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
- my_target_arch := mips
-endif
-
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
-
with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true
endif
-with_native_coverage := false
-ifeq ($(NATIVE_COVERAGE),true)
- with_native_coverage := true
-endif
-ifeq ($(CLANG_COVERAGE),true)
- with_native_coverage := true
-endif
-
-treble_sysprop_neverallow := true
-ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
- treble_sysprop_neverallow := false
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -229,16 +168,6 @@
endif
endif
-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
- enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -247,13 +176,6 @@
endif
endif
-# Library extension for host-side tests
-ifeq ($(HOST_OS),darwin)
-SHAREDLIB_EXT=dylib
-else
-SHAREDLIB_EXT=so
-endif
-
#################################
include $(CLEAR_VARS)
@@ -327,7 +249,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test
+ se_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -501,19 +423,8 @@
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
#
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
@@ -547,22 +458,32 @@
# Note: That a newline file is placed between each file_context file found to
# ensure a proper build when an fc file is missing an ending newline.
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
endif
ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
+local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
endif
-ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
-endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
- local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
-endif
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@@ -571,10 +492,10 @@
# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-device_fc_files := $(call build_vendor_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call build_odm_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
endif
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -603,11 +524,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
-local_fcfiles_with_nl :=
device_fc_files :=
-device_fcfiles_with_nl :=
file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
@@ -615,65 +533,34 @@
file_contexts.modules.tmp :=
##################################
-
-all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
-all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
-endif
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
-endif
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
-endif
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-
-##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
-built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
-built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
-
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+ver := $(PLATFORM_SEPOLICY_VERSION)
+ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
+# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
+else
+# If not, use ToT for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+endif
+ver :=
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)
-built_plat_sepolicy :=
-built_system_ext_sepolicy :=
-built_product_sepolicy :=
base_plat_pub_policy.cil :=
-base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil :=
-all_fc_files :=
-all_fc_args :=
#################################
-build_vendor_policy :=
-build_odm_policy :=
build_policy :=
-built_plat_cil :=
-built_system_ext_cil :=
-built_product_cil :=
built_sepolicy :=
built_sepolicy_neverallows :=
-built_plat_svc :=
-built_vendor_svc :=
-treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
-my_target_arch :=
sepolicy_build_files :=
-sepolicy_build_cil_workaround_files :=
with_asan :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 9aa510b..053e36a 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,9 +11,6 @@
},
{
"include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
- },
- {
- "include-filter": "android.security.cts.SeamendcHostTest"
}
]
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 7203d9d..21054fc 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -38,13 +38,6 @@
}
filegroup {
- name: "com.android.threadnetwork-file_contexts",
- srcs: [
- "com.android.threadnetwork-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.sdkext-file_contexts",
srcs: [
"com.android.sdkext-file_contexts",
@@ -94,6 +87,13 @@
}
filegroup {
+ name: "com.android.crashrecovery-file_contexts",
+ srcs: [
+ "com.android.crashrecovery-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.federatedcompute-file_contexts",
srcs: [
"com.android.federatedcompute-file_contexts",
@@ -192,13 +192,6 @@
}
filegroup {
- name: "com.android.sepolicy-file_contexts",
- srcs: [
- "com.android.sepolicy-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
@@ -288,3 +281,10 @@
"com.android.devicelock-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.telephonymodules-file_contexts",
+ srcs: [
+ "com.android.telephonymodules-file_contexts"
+ ],
+}
diff --git a/apex/com.android.crashrecovery-file_contexts b/apex/com.android.crashrecovery-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.crashrecovery-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.nfcservices-file_contexts b/apex/com.android.nfcservices-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.nfcservices-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.sepolicy-file_contexts b/apex/com.android.sepolicy-file_contexts
deleted file mode 100644
index 83b4b58..0000000
--- a/apex/com.android.sepolicy-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.telephonymodules-file_contexts b/apex/com.android.telephonymodules-file_contexts
new file mode 100644
index 0000000..4cee48b
--- /dev/null
+++ b/apex/com.android.telephonymodules-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index af366d8..473b0f2 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,3 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/netbpfload u:object_r:bpfloader_exec:s0
+/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
deleted file mode 100644
index 45d9bff..0000000
--- a/apex/com.android.threadnetwork-file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/otbr-agent u:object_r:ot_daemon_exec:s0
-/bin/ot-ctl u:object_r:ot_ctl_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 9c13bd5..afe9f51 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,3 +3,4 @@
/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
+/bin/vfio_handler u:object_r:vfio_handler_exec:s0
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index ed92f1a..a15c65c 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -16,6 +16,7 @@
import (
"fmt"
+ "path"
"path/filepath"
"strings"
@@ -103,30 +104,15 @@
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
- if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- // vendor uses the same source with plat policy
- b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
- b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
- b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
- b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
- b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
- b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
- b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
- b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
- } else {
- // use vendor-supplied plat prebuilts
- b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
- b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
- b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
- b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
- b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
- b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
+ prebuilt_directories, err := ctx.GlobWithDeps("system/sepolicy/prebuilts/api/*", nil)
+ if err != nil {
+ ctx.ModuleErrorf("error while globbing: %w", err)
+ return
}
// directories used for compat tests and Treble tests
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ for _, dir := range prebuilt_directories {
+ ver := path.Base(dir)
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index c9daf7c..eb7cb06 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -20,7 +20,6 @@
import (
"android/soong/android"
"fmt"
- "io"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -67,18 +66,21 @@
Bottom_half []string `android:"path"`
// name of the output
Stem *string
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
type cilCompatMap struct {
android.ModuleBase
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
type CilCompatMapGenerator interface {
- GeneratedMapFile() android.Path
+ GeneratedMapFile() android.OptionalPath
}
func expandTopHalf(ctx android.ModuleContext) android.OptionalPath {
@@ -87,7 +89,7 @@
depTag := ctx.OtherModuleDependencyTag(dep)
switch depTag {
case TopHalfDepTag:
- topHalf = android.OptionalPathForPath(dep.(CilCompatMapGenerator).GeneratedMapFile())
+ topHalf = dep.(CilCompatMapGenerator).GeneratedMapFile()
}
})
return topHalf
@@ -97,7 +99,15 @@
return android.PathsForModuleSrc(ctx, srcFiles)
}
+func (c *cilCompatMap) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
@@ -130,9 +140,9 @@
"bottomHalf": bottomHalf.String(),
},
})
- c.installSource = out
+ c.installSource = android.OptionalPathForPath(out)
} else {
- c.installSource = bottomHalf
+ c.installSource = android.OptionalPathForPath(bottomHalf)
}
}
@@ -142,30 +152,38 @@
}
}
-func (c *cilCompatMap) AndroidMk() android.AndroidMkData {
- ret := android.AndroidMkData{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
+func (c *cilCompatMap) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
}
- ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
- if c.properties.Stem != nil {
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
- }
- })
- return ret
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: c.installSource,
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ if c.properties.Stem != nil {
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", String(c.properties.Stem))
+ }
+ },
+ },
+ }}
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
var _ android.OutputFileProducer = (*cilCompatMap)(nil)
-func (c *cilCompatMap) GeneratedMapFile() android.Path {
+func (c *cilCompatMap) GeneratedMapFile() android.OptionalPath {
return c.installSource
}
func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
if tag == "" {
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
}
return nil, fmt.Errorf("Unknown tag %q", tag)
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 881f7da..1f7901b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -43,7 +43,7 @@
type compatCil struct {
android.ModuleBase
properties compatCilProperties
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
@@ -53,6 +53,10 @@
// Output file name. Defaults to module name if unspecified.
Stem *string
+
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
func (c *compatCil) stem() string {
@@ -63,11 +67,19 @@
return android.PathsForModuleSrc(ctx, c.properties.Srcs)
}
+func (c *compatCil) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
}
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
ctx.Build(pctx, android.BuildParams{
@@ -78,14 +90,17 @@
})
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
- c.installSource = out
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+ c.installSource = android.OptionalPathForPath(out)
+ ctx.InstallFile(c.installPath, c.stem(), out)
}
func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
+ }
return []android.AndroidMkEntries{android.AndroidMkEntries{
Class: "ETC",
- OutputFile: android.OptionalPathForPath(c.installSource),
+ OutputFile: c.installSource,
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
@@ -98,7 +113,11 @@
func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
switch tag {
case "":
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
default:
return nil, fmt.Errorf("unsupported module reference tag %q", tag)
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index d8c3ffb..0793e2a 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -27,7 +27,6 @@
)
const (
- // TODO: sync with Android.mk
MlsSens = 1
MlsCats = 1024
PolicyVers = 30
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 2416dc9..de7355c 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -289,8 +289,8 @@
}
func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- if m.properties.Fc_sort == nil {
- m.properties.Fc_sort = proptools.BoolPtr(true)
+ if m.properties.Remove_comment == nil {
+ m.properties.Remove_comment = proptools.BoolPtr(true)
}
return m.buildGeneralContexts(ctx, inputs)
}
@@ -419,6 +419,14 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext) bool {
+ if !ctx.SocSpecific() && !ctx.DeviceSpecific() {
+ return false
+ }
+
+ return ctx.DeviceConfig().CheckVendorSeappViolations()
+}
+
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
ret := pathForModuleOut(ctx, m.stem())
@@ -434,12 +442,16 @@
Text("|| true)") // to make ninja happy even when result is empty
rule.Temporary(neverallowFile)
- rule.Command().BuiltTool("checkseapp").
+ checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
Inputs(inputs).
Input(neverallowFile)
+ if m.shouldCheckCoredomain(ctx) {
+ checkCmd.Flag("-c") // check coredomain for vendor contexts
+ }
+
rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
return ret
}
@@ -505,19 +517,32 @@
Sepolicy *string `android:"path"`
}
+type fileContextsTestProperties struct {
+ // Test data. File passed to `checkfc -t` to validate how contexts are resolved.
+ Test_data *string `android:"path"`
+}
+
type contextsTestModule struct {
android.ModuleBase
- // Name of the test tool. "checkfc" or "property_info_checker"
- tool string
+ // The type of context.
+ context contextType
- // Additional flags to be passed to the tool.
- flags []string
-
- properties contextsTestProperties
- testTimestamp android.OutputPath
+ properties contextsTestProperties
+ fileProperties fileContextsTestProperties
+ testTimestamp android.OutputPath
}
+type contextType int
+
+const (
+ FileContext contextType = iota
+ PropertyContext
+ ServiceContext
+ HwServiceContext
+ VndServiceContext
+)
+
// checkfc parses a context file and checks for syntax errors.
// If -s is specified, the service backend is used to verify binder services.
// If -l is specified, the service backend is used to verify hwbinder services.
@@ -526,15 +551,16 @@
// file_contexts_test tests given file_contexts files with checkfc.
func fileContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
+ m := &contextsTestModule{context: FileContext}
m.AddProperties(&m.properties)
+ m.AddProperties(&m.fileProperties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
// property_contexts_test tests given property_contexts files with property_info_checker.
func propertyContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "property_info_checker"}
+ m := &contextsTestModule{context: PropertyContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -542,7 +568,7 @@
// hwservice_contexts_test tests given hwservice_contexts files with checkfc.
func hwserviceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
+ m := &contextsTestModule{context: HwServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -551,7 +577,7 @@
// service_contexts_test tests given service_contexts files with checkfc.
func serviceContextsTestFactory() android.Module {
// checkfc -s: service_contexts test
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
+ m := &contextsTestModule{context: ServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -559,16 +585,16 @@
// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
func vndServiceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+ m := &contextsTestModule{context: VndServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- tool := m.tool
- if tool != "checkfc" && tool != "property_info_checker" {
- panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+ tool := "checkfc"
+ if m.context == PropertyContext {
+ tool = "property_info_checker"
}
if len(m.properties.Srcs) == 0 {
@@ -576,19 +602,50 @@
return
}
+ validateWithPolicy := true
if proptools.String(m.properties.Sepolicy) == "" {
- ctx.PropertyErrorf("sepolicy", "can't be empty")
- return
+ if m.context == FileContext {
+ if proptools.String(m.fileProperties.Test_data) == "" {
+ ctx.PropertyErrorf("test_data", "Either test_data or sepolicy should be provided")
+ return
+ }
+ validateWithPolicy = false
+ } else {
+ ctx.PropertyErrorf("sepolicy", "can't be empty")
+ return
+ }
+ }
+
+ flags := []string(nil)
+ switch m.context {
+ case FileContext:
+ if !validateWithPolicy {
+ flags = []string{"-t"}
+ }
+ case ServiceContext:
+ flags = []string{"-s" /* binder services */}
+ case HwServiceContext:
+ flags = []string{"-e" /* allow empty */, "-l" /* hwbinder services */}
+ case VndServiceContext:
+ flags = []string{"-e" /* allow empty */, "-v" /* vnd service */}
}
srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
- sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
-
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool(tool).
- Flags(m.flags).
- Input(sepolicy).
- Inputs(srcs)
+
+ if validateWithPolicy {
+ sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
+ rule.Command().BuiltTool(tool).
+ Flags(flags).
+ Input(sepolicy).
+ Inputs(srcs)
+ } else {
+ test_data := android.PathForModuleSrc(ctx, proptools.String(m.fileProperties.Test_data))
+ rule.Command().BuiltTool(tool).
+ Flags(flags).
+ Inputs(srcs).
+ Input(test_data)
+ }
m.testTimestamp = pathForModuleOut(ctx, "timestamp")
rule.Command().Text("touch").Output(m.testTimestamp)
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 9ae7826..385d6af 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -15,12 +15,14 @@
package selinux
import (
- "path/filepath"
"sort"
"android/soong/android"
)
+var currentCilTag = dependencyTag{name: "current_cil"}
+var prebuiltCilTag = dependencyTag{name: "prebuilt_cil"}
+
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
@@ -32,6 +34,9 @@
func freezeTestFactory() android.SingletonModule {
f := &freezeTestModule{}
android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
return f
}
@@ -40,26 +45,23 @@
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
-func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+func (f *freezeTestModule) shouldSkip(ctx android.EarlyModuleContext) bool {
platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+ return platformVersion == totVersion
+}
+
+func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if platformVersion == totVersion {
+ if f.shouldSkip(ctx) {
if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
return
}
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
return
}
@@ -67,17 +69,80 @@
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
return
}
+}
- platPublic := filepath.Join(ctx.ModuleDir(), "public")
- platPrivate := filepath.Join(ctx.ModuleDir(), "private")
- prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
- prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+func (f *freezeTestModule) prebuiltCilModuleName(ctx android.EarlyModuleContext) string {
+ return ctx.DeviceConfig().PlatformSepolicyVersion() + "_plat_pub_policy.cil"
+}
- sourceDirs := append(extraDirs, platPublic, platPrivate)
- prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ if f.shouldSkip(ctx) {
+ return
+ }
+
+ ctx.AddDependency(f, currentCilTag, "base_plat_pub_policy.cil")
+ ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
+ deps := ctx.GetDirectDepsWithTag(depTag)
+ if len(deps) != 1 {
+ ctx.ModuleErrorf("%d deps having tag %q; expected only one dep", len(deps), depTag)
+ return nil
+ }
+
+ dep := deps[0]
+ outputFileProducer, ok := dep.(android.OutputFileProducer)
+ if !ok {
+ ctx.ModuleErrorf("module %q is not an output file producer", dep.String())
+ return nil
+ }
+
+ output, err := outputFileProducer.OutputFiles("")
+ if err != nil {
+ ctx.ModuleErrorf("module %q failed to produce output: %w", dep.String(), err)
+ return nil
+ }
+ if len(output) != 1 {
+ ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
+ return nil
+ }
+
+ return output[0]
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if f.shouldSkip(ctx) {
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ // Freeze test 1: compare ToT sepolicy and prebuilt sepolicy
+ currentCil := f.outputFileOfDep(ctx, currentCilTag)
+ prebuiltCil := f.outputFileOfDep(ctx, prebuiltCilTag)
+ if ctx.Failed() {
+ return
+ }
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("sepolicy_freeze_test").
+ FlagWithInput("-c ", currentCil).
+ FlagWithInput("-p ", prebuiltCil)
+
+ // Freeze test 2: compare extra directories
+ // We don't know the exact structure of extra directories, so just directly compare them
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
var implicits []string
- for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
if err != nil {
ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
@@ -87,15 +152,13 @@
}
sort.Strings(implicits)
- rule := android.NewRuleBuilder(pctx, ctx)
-
- for idx, _ := range sourceDirs {
+ for idx, _ := range extraDirs {
rule.Command().Text("diff").
Flag("-r").
Flag("-q").
FlagWithArg("-x ", "bug_map"). // exclude
- Text(sourceDirs[idx]).
- Text(prebuiltDirs[idx])
+ Text(extraDirs[idx]).
+ Text(extraPrebuiltDirs[idx])
}
rule.Command().Text("touch").
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index c50c569..f336924 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -44,6 +44,7 @@
"android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
@@ -51,6 +52,7 @@
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
"android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
@@ -68,6 +70,9 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
@@ -110,6 +115,7 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
@@ -169,7 +175,9 @@
"android.security.metrics": EXCEPTION_NO_FUZZER,
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
+ // TODO(b/294158658): add fuzzer
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER,
@@ -177,6 +185,7 @@
"app_prediction": EXCEPTION_NO_FUZZER,
"app_search": EXCEPTION_NO_FUZZER,
"apexservice": EXCEPTION_NO_FUZZER,
+ "archive": EXCEPTION_NO_FUZZER,
"attestation_verification": EXCEPTION_NO_FUZZER,
"blob_store": EXCEPTION_NO_FUZZER,
"gsiservice": EXCEPTION_NO_FUZZER,
@@ -340,6 +349,7 @@
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
+ "ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
"pac_proxy": EXCEPTION_NO_FUZZER,
"package": EXCEPTION_NO_FUZZER,
@@ -367,6 +377,7 @@
"rcs": EXCEPTION_NO_FUZZER,
"reboot_readiness": EXCEPTION_NO_FUZZER,
"recovery": EXCEPTION_NO_FUZZER,
+ "remote_auth": EXCEPTION_NO_FUZZER,
"remote_provisioning": EXCEPTION_NO_FUZZER,
"resolver": EXCEPTION_NO_FUZZER,
"resources": EXCEPTION_NO_FUZZER,
@@ -383,6 +394,7 @@
"search": EXCEPTION_NO_FUZZER,
"search_ui": EXCEPTION_NO_FUZZER,
"secure_element": EXCEPTION_NO_FUZZER,
+ "security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
@@ -427,6 +439,7 @@
"textclassification": EXCEPTION_NO_FUZZER,
"textservices": EXCEPTION_NO_FUZZER,
"texttospeech": EXCEPTION_NO_FUZZER,
+ "thread_network": EXCEPTION_NO_FUZZER,
"time_detector": EXCEPTION_NO_FUZZER,
"time_zone_detector": EXCEPTION_NO_FUZZER,
"thermalservice": EXCEPTION_NO_FUZZER,
@@ -447,8 +460,11 @@
"uwb": EXCEPTION_NO_FUZZER,
"vcn_management": EXCEPTION_NO_FUZZER,
"vibrator": EXCEPTION_NO_FUZZER,
+ "vibrator_control": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtualdevice_native": EXCEPTION_NO_FUZZER,
+ "virtual_camera_service": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
@@ -456,6 +472,7 @@
"vrmanager": EXCEPTION_NO_FUZZER,
"wallpaper": EXCEPTION_NO_FUZZER,
"wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+ "wearable_sensing": EXCEPTION_NO_FUZZER,
"webviewupdate": EXCEPTION_NO_FUZZER,
"wifip2p": EXCEPTION_NO_FUZZER,
"wifiscanner": EXCEPTION_NO_FUZZER,
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
deleted file mode 100644
index f3387ac..0000000
--- a/com.android.sepolicy/33/Android.bp
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-genrule {
- name: "apex_file_contexts-33.gen",
- defaults: ["sepolicy_file_contexts_gen_default"],
- srcs: ["file_contexts"],
- out: ["apex_file_contexts-33"],
-}
-
-prebuilt_etc {
- name: "apex_file_contexts-33",
- filename: "apex_file_contexts",
- src: ":apex_file_contexts-33.gen",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_property_contexts-33",
- filename: "apex_property_contexts",
- src: "property_contexts",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_service_contexts-33",
- filename: "apex_service_contexts",
- src: "service_contexts",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_seapp_contexts-33",
- filename: "apex_seapp_contexts",
- src: "seapp_contexts",
- installable: false,
-}
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
deleted file mode 100644
index ffe4660..0000000
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ /dev/null
@@ -1,15 +0,0 @@
-; This file is required for sepolicy amend (go/seamendc).
-; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
-; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
-; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
-; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
-; successfully.
-(sid amend)
-(sidorder (amend))
-
-(classorder (file))
-
-;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
-(type shell)
-(type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads))
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
deleted file mode 100644
index 14f99f9..0000000
--- a/com.android.sepolicy/33/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/property_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/seapp_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/service_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
deleted file mode 100644
index 757328e..0000000
--- a/com.android.sepolicy/33/shell.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow shell sepolicy_test_file:file r_file_perms;
-
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
deleted file mode 100644
index 1e042f3..0000000
--- a/com.android.sepolicy/Android.bp
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-genrule_defaults {
- name: "sepolicy_file_contexts_gen_default",
- tools: ["fc_sort"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
diff --git a/compat/Android.bp b/compat/Android.bp
index 39da7fd..9768eb1 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -133,6 +133,7 @@
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map{.plat_private}"],
top_half: "plat_30.0.cil",
+ version: "29.0",
}
se_cil_compat_map {
@@ -140,6 +141,7 @@
stem: "30.0.cil",
bottom_half: [":30.0.board.compat.map{.plat_private}"],
top_half: "plat_31.0.cil",
+ version: "30.0",
}
se_cil_compat_map {
@@ -147,6 +149,7 @@
stem: "31.0.cil",
bottom_half: [":31.0.board.compat.map{.plat_private}"],
top_half: "plat_32.0.cil",
+ version: "31.0",
}
se_cil_compat_map {
@@ -154,6 +157,7 @@
stem: "32.0.cil",
bottom_half: [":32.0.board.compat.map{.plat_private}"],
top_half: "plat_33.0.cil",
+ version: "32.0",
}
se_cil_compat_map {
@@ -161,6 +165,7 @@
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.plat_private}"],
top_half: "plat_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -169,6 +174,7 @@
bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_30.0.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -177,6 +183,7 @@
bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_31.0.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -185,6 +192,7 @@
bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_32.0.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -193,6 +201,7 @@
bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_33.0.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -201,6 +210,7 @@
bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
top_half: "system_ext_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -209,6 +219,7 @@
bottom_half: [":29.0.board.compat.map{.product_private}"],
top_half: "product_30.0.cil",
product_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -217,6 +228,7 @@
bottom_half: [":30.0.board.compat.map{.product_private}"],
top_half: "product_31.0.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -225,6 +237,7 @@
bottom_half: [":31.0.board.compat.map{.product_private}"],
top_half: "product_32.0.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -233,6 +246,7 @@
bottom_half: [":32.0.board.compat.map{.product_private}"],
top_half: "product_33.0.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -241,36 +255,42 @@
bottom_half: [":33.0.board.compat.map{.product_private}"],
product_specific: true,
top_half: "product_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
name: "29.0.ignore.cil",
bottom_half: [":29.0.board.ignore.map{.plat_private}"],
top_half: "30.0.ignore.cil",
+ version: "29.0",
}
se_cil_compat_map {
name: "30.0.ignore.cil",
bottom_half: [":30.0.board.ignore.map{.plat_private}"],
top_half: "31.0.ignore.cil",
+ version: "30.0",
}
se_cil_compat_map {
name: "31.0.ignore.cil",
bottom_half: [":31.0.board.ignore.map{.plat_private}"],
top_half: "32.0.ignore.cil",
+ version: "31.0",
}
se_cil_compat_map {
name: "32.0.ignore.cil",
bottom_half: [":32.0.board.ignore.map{.plat_private}"],
top_half: "33.0.ignore.cil",
+ version: "32.0",
}
se_cil_compat_map {
name: "33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.plat_private}"],
top_half: "34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -278,6 +298,7 @@
bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_31.0.ignore.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -285,6 +306,7 @@
bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_32.0.ignore.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -292,6 +314,7 @@
bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_33.0.ignore.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -299,6 +322,7 @@
bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
top_half: "system_ext_34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -306,6 +330,7 @@
bottom_half: [":30.0.board.ignore.map{.product_private}"],
top_half: "product_31.0.ignore.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -313,6 +338,7 @@
bottom_half: [":31.0.board.ignore.map{.product_private}"],
top_half: "product_32.0.ignore.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -320,6 +346,7 @@
bottom_half: [":32.0.board.ignore.map{.product_private}"],
top_half: "product_33.0.ignore.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -327,31 +354,37 @@
bottom_half: [":33.0.board.ignore.map{.product_private}"],
product_specific: true,
top_half: "product_34.0.ignore.cil",
+ version: "33.0",
}
se_compat_cil {
name: "29.0.compat.cil",
srcs: [":29.0.board.compat.cil{.plat_private}"],
+ version: "29.0",
}
se_compat_cil {
name: "30.0.compat.cil",
srcs: [":30.0.board.compat.cil{.plat_private}"],
+ version: "30.0",
}
se_compat_cil {
name: "31.0.compat.cil",
srcs: [":31.0.board.compat.cil{.plat_private}"],
+ version: "31.0",
}
se_compat_cil {
name: "32.0.compat.cil",
srcs: [":32.0.board.compat.cil{.plat_private}"],
+ version: "32.0",
}
se_compat_cil {
name: "33.0.compat.cil",
srcs: [":33.0.board.compat.cil{.plat_private}"],
+ version: "33.0",
}
se_compat_cil {
@@ -359,6 +392,7 @@
srcs: [":29.0.board.compat.cil{.system_ext_private}"],
stem: "29.0.compat.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_compat_cil {
@@ -366,6 +400,7 @@
srcs: [":30.0.board.compat.cil{.system_ext_private}"],
stem: "30.0.compat.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_compat_cil {
@@ -373,6 +408,7 @@
srcs: [":31.0.board.compat.cil{.system_ext_private}"],
stem: "31.0.compat.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_compat_cil {
@@ -380,6 +416,7 @@
srcs: [":32.0.board.compat.cil{.system_ext_private}"],
stem: "32.0.compat.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_compat_cil {
@@ -387,6 +424,7 @@
srcs: [":33.0.board.compat.cil{.system_ext_private}"],
stem: "33.0.compat.cil",
system_ext_specific: true,
+ version: "33.0",
}
se_compat_test {
@@ -412,6 +450,7 @@
name: "plat_34.0.cil",
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.plat_private}"],
+ version: "34.0",
}
se_cil_compat_map {
@@ -419,6 +458,7 @@
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
@@ -426,11 +466,13 @@
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.product_private}"],
product_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
name: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.plat_private}"],
+ version: "34.0",
}
se_cil_compat_map {
@@ -438,6 +480,7 @@
stem: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
@@ -445,11 +488,13 @@
stem: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.product_private}"],
product_specific: true,
+ version: "34.0",
}
se_compat_cil {
name: "34.0.compat.cil",
srcs: [":34.0.board.compat.cil{.plat_private}"],
+ version: "34.0",
}
se_compat_cil {
@@ -457,4 +502,5 @@
stem: "34.0.compat.cil",
srcs: [":34.0.board.compat.cil{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 5982ae6..914232a 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -99,20 +99,22 @@
file_contexts {
name: "vendor_file_contexts",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
+ fc_sort: true,
}
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
recovery: true,
+ fc_sort: true,
}
file_contexts {
@@ -145,6 +147,7 @@
name: "odm_file_contexts",
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
+ fc_sort: true,
}
file_contexts {
@@ -152,6 +155,7 @@
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
+ fc_sort: true,
}
hwservice_contexts {
@@ -174,9 +178,9 @@
hwservice_contexts {
name: "vendor_hwservice_contexts",
srcs: [
- ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
- ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ":hwservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -216,9 +220,9 @@
property_contexts {
name: "vendor_property_contexts",
srcs: [
- ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
- ":property_contexts_files{.reqd_mask_for_vendor}",
+ ":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -260,9 +264,9 @@
service_contexts {
name: "vendor_service_contexts",
srcs: [
- ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
- ":service_contexts_files{.reqd_mask_for_vendor}",
+ ":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -297,9 +301,9 @@
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
srcs: [
- ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
- ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -332,14 +336,14 @@
seapp_contexts {
name: "vendor_seapp_contexts",
srcs: [
- ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
- ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ":seapp_contexts_files{.reqd_mask}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
soc_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -351,9 +355,9 @@
":seapp_contexts_files{.odm}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
device_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -362,9 +366,9 @@
vndservice_contexts {
name: "vndservice_contexts",
srcs: [
- ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
- ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ":vndservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -390,6 +394,12 @@
}
file_contexts_test {
+ name: "plat_file_contexts_data_test",
+ srcs: [":file_contexts_files{.plat_private}"],
+ test_data: "plat_file_contexts_test",
+}
+
+file_contexts_test {
name: "system_ext_file_contexts_test",
srcs: [":system_ext_file_contexts"],
sepolicy: ":precompiled_sepolicy",
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
new file mode 100644
index 0000000..50d9de4
--- /dev/null
+++ b/contexts/plat_file_contexts_test
@@ -0,0 +1,1267 @@
+# Test data for private/file_contexts.
+#
+# It can be passed to checkfc to confirm that the regular expressions in
+# file_contexts are matching the intended paths.
+/ rootfs
+/adb_keys adb_keys_file
+/build.prop rootfs
+/default.prop rootfs
+/fstab.persist rootfs
+/fstab.postinstall rootfs
+/init.rc rootfs
+/init.environ.rc rootfs
+/res rootfs
+/res/test rootfs
+/selinux_version rootfs
+/ueventd.rc rootfs
+/ueventd.common.rc rootfs
+/verity_key rootfs
+
+/init init_exec
+/sbin rootfs
+/sbin/su rootfs
+
+/lib rootfs
+/lib/lib.so rootfs
+/system_dlkm system_dlkm_file
+/system_dlkm/lib/modules/modules.load system_dlkm_file
+
+/lost+found rootfs
+/acct cgroup
+/config rootfs
+/data_mirror mirror_data_file
+/debug_ramdisk tmpfs
+/mnt tmpfs
+/proc rootfs
+/second_stage_resources tmpfs
+/sys sysfs
+/apex apex_mnt_dir
+/bootstrap-apex apex_mnt_dir
+
+/postinstall postinstall_mnt_dir
+/postinstall/apex postinstall_apex_mnt_dir
+
+/apex/.bootstrap-apex-info-list.xml apex_info_file
+/apex/.default-apex-info-list.xml apex_info_file
+/apex/apex-info-list.xml apex_info_file
+
+/bin rootfs
+/bugreports rootfs
+/charger rootfs
+/d rootfs
+/etc rootfs
+/sdcard rootfs
+
+/vendor_file_contexts file_contexts_file
+/plat_file_contexts file_contexts_file
+/product_file_contexts file_contexts_file
+/mapping_sepolicy.cil sepolicy_file
+/plat_sepolicy.cil sepolicy_file
+/plat_property_contexts property_contexts_file
+/product_property_contexts property_contexts_file
+/vendor_property_contexts property_contexts_file
+/seapp_contexts seapp_contexts_file
+/vendor_seapp_contexts seapp_contexts_file
+/plat_seapp_contexts seapp_contexts_file
+/sepolicy sepolicy_file
+/plat_service_contexts service_contexts_file
+/plat_hwservice_contexts hwservice_contexts_file
+/plat_keystore2_key_contexts keystore2_key_contexts_file
+/vendor_service_contexts vendor_service_contexts_file
+/vendor_hwservice_contexts hwservice_contexts_file
+/vndservice_contexts vndservice_contexts_file
+
+/dev device
+/dev/does_not_exist device
+/dev/adf graphics_device
+/dev/adf0 graphics_device
+/dev/adf123 graphics_device
+/dev/adf-interface. graphics_device
+/dev/adf-interface0. graphics_device
+/dev/adf-interface.1 graphics_device
+/dev/adf-interface2.3 graphics_device
+/dev/adf-overlay-engine. graphics_device
+/dev/adf-overlay-engine0. graphics_device
+/dev/adf-overlay-engine.1 graphics_device
+/dev/adf-overlay-engine2.3 graphics_device
+/dev/ashmem ashmem_device
+/dev/ashmemtest ashmem_libcutils_device
+/dev/ashmem-test ashmem_libcutils_device
+/dev/ashmem/test ashmem_libcutils_device
+/dev/audio audio_device
+/dev/audiotest audio_device
+/dev/audio-test audio_device
+/dev/audio/test audio_device
+/dev/binder binder_device
+/dev/block block_device
+/dev/block/does_not_exist block_device
+/dev/block123 device
+/dev/block/by-name/zoned_device zoned_block_device
+/dev/block/dm-0 dm_device
+/dev/block/dm-123 dm_device
+/dev/block/dm block_device
+/dev/block/dm- block_device
+/dev/block/ublkb0 ublk_block_device
+/dev/block/ublkb123 ublk_block_device
+/dev/block/ublkb block_device
+/dev/block/loop0 loop_device
+/dev/block/loop10 loop_device
+/dev/block/loop loop_device
+/dev/block/vda vd_device
+/dev/block/vdb vd_device
+/dev/block/vda0 vd_device
+/dev/block/vda10 vd_device
+/dev/block/vd block_device
+/dev/block/vd1a block_device
+/dev/block/vold block_device
+/dev/block/vold/disk:253,32 vold_device
+/dev/block/ram ram_device
+/dev/block/ram0 ram_device
+/dev/block/ram10 ram_device
+/dev/block/zram ram_device
+/dev/block/zram0 ram_device
+/dev/block/zram10 ram_device
+/dev/boringssl/selftest boringssl_self_test_marker
+/dev/boringssl/selftest/test boringssl_self_test_marker
+/dev/bus/usb usb_device
+/dev/bus/usb/001 usb_device
+/dev/console console_device
+/dev/cpu_variant: dev_cpu_variant
+/dev/cpu_variant:test dev_cpu_variant
+/dev/dma_heap dmabuf_heap_device
+/dev/dma_heap/test dmabuf_heap_device
+/dev/dma_heap/system dmabuf_system_heap_device
+/dev/dma_heap/system-uncached dmabuf_system_heap_device
+/dev/dma_heap/system-secure dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure-test dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure/test dmabuf_system_secure_heap_device
+/dev/dm-user dm_user_device
+/dev/dm-user/test dm_user_device
+/dev/ublk-control ublk_control_device
+/dev/device-mapper dm_device
+/dev/eac audio_device
+/dev/event-log-tags runtime_event_log_tags_file
+/dev/cgroup_info cgroup_rc_file
+/dev/cgroup_info/cgroup.rc cgroup_rc_file
+/dev/fscklogs fscklogs
+/dev/fscklogs/fsck fscklogs
+/dev/fuse fuse_device
+/dev/gnss0 gnss_device
+/dev/gnss10 gnss_device
+/dev/graphics graphics_device
+/dev/graphics/test graphics_device
+/dev/hw_random hw_random_device
+/dev/hwbinder hwbinder_device
+/dev/input input_device
+/dev/input/event0 input_device
+/dev/iio:device0 iio_device
+/dev/iio:device1 iio_device
+/dev/ion ion_device
+/dev/keychord keychord_device
+/dev/loop-control loop_control_device
+/dev/modem radio_device
+/dev/modem0 radio_device
+/dev/modem-test radio_device
+/dev/modem/test radio_device
+/dev/mtp_usb mtp_device
+/dev/pmsg0 pmsg_device
+/dev/pn544 nfc_device
+/dev/port port_device
+/dev/ppp ppp_device
+/dev/ptmx ptmx_device
+/dev/pvrsrvkm gpu_device
+/dev/kmsg kmsg_device
+/dev/kmsg_debug kmsg_debug_device
+/dev/kvm kvm_device
+/dev/null null_device
+/dev/nvhdcp1 video_device
+/dev/random random_device
+/dev/rpmsg-omx0 rpmsg_device
+/dev/rpmsg-omx1 rpmsg_device
+/dev/rproc_user rpmsg_device
+/dev/rtc0 rtc_device
+/dev/rtc9 rtc_device
+/dev/snd audio_device
+/dev/snd/controlC0 audio_device
+/dev/snd/timer audio_device
+/dev/socket socket_device
+/dev/socket/does_not_exist socket_device
+/dev/socket/adbd adbd_socket
+/dev/socket/dnsproxyd dnsproxyd_socket
+/dev/socket/dumpstate dumpstate_socket
+/dev/socket/fwmarkd fwmarkd_socket
+/dev/socket/lmkd lmkd_socket
+/dev/socket/logd logd_socket
+/dev/socket/logdr logdr_socket
+/dev/socket/logdw logdw_socket
+/dev/socket/statsdw statsdw_socket
+/dev/socket/mdns mdns_socket
+/dev/socket/mdnsd mdnsd_socket
+/dev/socket/mtpd mtpd_socket
+/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
+/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
+/dev/socket/pdx/system/performance pdx_performance_dir
+/dev/socket/pdx/system/performance/client pdx_performance_client_endpoint_socket
+/dev/socket/pdx/system/vr/display pdx_display_dir
+/dev/socket/pdx/system/vr/display/client pdx_display_client_endpoint_socket
+/dev/socket/pdx/system/vr/display/manager pdx_display_manager_endpoint_socket
+/dev/socket/pdx/system/vr/display/screenshot pdx_display_screenshot_endpoint_socket
+/dev/socket/pdx/system/vr/display/vsync pdx_display_vsync_endpoint_socket
+/dev/socket/prng_seeder prng_seeder_socket
+/dev/socket/property_service property_socket
+/dev/socket/property_service_for_system property_socket
+/dev/socket/racoon racoon_socket
+/dev/socket/recovery recovery_socket
+/dev/socket/rild rild_socket
+/dev/socket/rild-debug rild_debug_socket
+/dev/socket/snapuserd snapuserd_socket
+/dev/socket/snapuserd_proxy snapuserd_proxy_socket
+/dev/socket/tombstoned_crash tombstoned_crash_socket
+/dev/socket/tombstoned_java_trace tombstoned_java_trace_socket
+/dev/socket/tombstoned_intercept tombstoned_intercept_socket
+/dev/socket/traced_consumer traced_consumer_socket
+/dev/socket/traced_perf traced_perf_socket
+/dev/socket/traced_producer traced_producer_socket
+/dev/socket/heapprofd heapprofd_socket
+/dev/socket/uncrypt uncrypt_socket
+/dev/socket/wpa_eth0 wpa_socket
+/dev/socket/wpa_eth9 wpa_socket
+/dev/socket/wpa_wlan0 wpa_socket
+/dev/socket/wpa_wlan9 wpa_socket
+/dev/socket/zygote zygote_socket
+/dev/socket/zygote_secondary zygote_socket
+/dev/socket/usap_pool_primary zygote_socket
+/dev/socket/usap_pool_secondary zygote_socket
+/dev/spdif_out audio_device
+/dev/spdif_out-test audio_device
+/dev/spdif_out/test audio_device
+/dev/sys/block/by-name/rootdisk rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk/test rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk-test device
+/dev/sys/block/by-name/userdata userdata_sysdev
+/dev/sys/block/by-name/userdata/test userdata_sysdev
+/dev/sys/block/by-name/userdata-test device
+/dev/sys/fs/by-name/userdata userdata_sysdev
+/dev/sys/fs/by-name/userdata/test userdata_sysdev
+/dev/sys/fs/by-name/userdata-test device
+/dev/tty owntty_device
+/dev/tty0 tty_device
+/dev/tty1 tty_device
+/dev/ttyS serial_device
+/dev/ttyS0 serial_device
+/dev/ttyS99 serial_device
+/dev/ttyUSB usb_serial_device
+/dev/ttyUSB0 usb_serial_device
+/dev/ttyUSB99 usb_serial_device
+/dev/ttyACM usb_serial_device
+/dev/ttyACM0 usb_serial_device
+/dev/ttyACM99 usb_serial_device
+/dev/tun tun_device
+/dev/uhid uhid_device
+/dev/uinput uhid_device
+/dev/uio uio_device
+/dev/uio0 uio_device
+/dev/uio9 uio_device
+/dev/urandom random_device
+/dev/usb_accessory usbaccessory_device
+/dev/v4l-touch input_device
+/dev/v4l-touch0 input_device
+/dev/v4l-touch10 input_device
+/dev/vfio vfio_device
+/dev/vfio/test vfio_device
+/dev/vfio-test device
+/dev/vhost-vsock kvm_device
+/dev/video video_device
+/dev/video0 video_device
+/dev/video99 video_device
+/dev/vndbinder vndbinder_device
+/dev/watchdog watchdog_device
+/dev/xt_qtaguid qtaguid_device
+/dev/zero zero_device
+/dev/__properties__ properties_device
+/dev/__properties__/property_info property_info
+/dev/__properties__/appcompat_override properties_device
+/dev/__properties__/appcompat_override/property_info property_info
+
+/linkerconfig linkerconfig_file
+/linkerconfig/test linkerconfig_file
+
+/system system_file
+/system/does_not_exist system_file
+/system/apex/com.android.art art_apex_dir
+/system/lib system_lib_file
+/system/lib64 system_lib_file
+/system/lib/does_not_exist system_lib_file
+/system/lib64/does_not_exist system_lib_file
+/system/lib/bootstrap system_bootstrap_lib_file
+/system/lib64/bootstrap system_bootstrap_lib_file
+/system/lib/bootstrap/test system_bootstrap_lib_file
+/system/lib64/bootstrap/test system_bootstrap_lib_file
+/system/bin/mm_events mm_events_exec
+/system/bin/atrace atrace_exec
+/system/bin/auditctl auditctl_exec
+/system/bin/bcc rs_exec
+/system/bin/blank_screen blank_screen_exec
+/system/bin/boringssl_self_test32 boringssl_self_test_exec
+/system/bin/boringssl_self_test64 boringssl_self_test_exec
+/system/bin/boringssl_self_test31 system_file
+/system/bin/prng_seeder prng_seeder_exec
+/system/bin/charger charger_exec
+/system/bin/e2fsdroid e2fs_exec
+/system/bin/mke2fs e2fs_exec
+/system/bin/e2fsck fsck_exec
+/system/bin/extra_free_kbytes.sh extra_free_kbytes_exec
+/system/bin/fsck.exfat fsck_exec
+/system/bin/fsck.f2fs fsck_exec
+/system/bin/init init_exec
+/system/bin/mini-keyctl toolbox_exec
+/system/bin/fsverity_init fsverity_init_exec
+/system/bin/sload_f2fs e2fs_exec
+/system/bin/make_f2fs e2fs_exec
+/system/bin/fsck_msdos fsck_exec
+/system/bin/tcpdump tcpdump_exec
+/system/bin/tune2fs fsck_exec
+/system/bin/resize2fs fsck_exec
+/system/bin/toolbox toolbox_exec
+/system/bin/toybox toolbox_exec
+/system/bin/ld.mc rs_exec
+/system/bin/logcat logcat_exec
+/system/bin/logcatd logcat_exec
+/system/bin/sh shell_exec
+/system/bin/run-as runas_exec
+/system/bin/bootanimation bootanim_exec
+/system/bin/bootstat bootstat_exec
+/system/bin/app_process32 zygote_exec
+/system/bin/app_process64 zygote_exec
+/system/bin/servicemanager servicemanager_exec
+/system/bin/surfaceflinger surfaceflinger_exec
+/system/bin/gpuservice gpuservice_exec
+/system/bin/bufferhubd bufferhubd_exec
+/system/bin/performanced performanced_exec
+/system/bin/drmserver drmserver_exec
+/system/bin/drmserver32 drmserver_exec
+/system/bin/drmserver64 drmserver_exec
+/system/bin/dumpstate dumpstate_exec
+/system/bin/incident incident_exec
+/system/bin/incidentd incidentd_exec
+/system/bin/incident_helper incident_helper_exec
+/system/bin/iw iw_exec
+/system/bin/netutils-wrapper-1.0 netutils_wrapper_exec
+/system/bin/vold vold_exec
+/system/bin/netd netd_exec
+/system/bin/wificond wificond_exec
+/system/bin/audioserver audioserver_exec
+/system/bin/mediadrmserver mediadrmserver_exec
+/system/bin/mediaserver mediaserver_exec
+/system/bin/mediaserver32 mediaserver_exec
+/system/bin/mediaserver64 mediaserver_exec
+/system/bin/mediametrics mediametrics_exec
+/system/bin/cameraserver cameraserver_exec
+/system/bin/mediaextractor mediaextractor_exec
+/system/bin/mediaswcodec mediaswcodec_exec
+/system/bin/mediatranscoding mediatranscoding_exec
+/system/bin/mediatuner mediatuner_exec
+/system/bin/mdnsd mdnsd_exec
+/system/bin/installd installd_exec
+/system/bin/otapreopt_chroot otapreopt_chroot_exec
+/system/bin/otapreopt_slot otapreopt_slot_exec
+/system/bin/credstore credstore_exec
+/system/bin/keystore keystore_exec
+/system/bin/keystore2 keystore_exec
+/system/bin/fingerprintd fingerprintd_exec
+/system/bin/gatekeeperd gatekeeperd_exec
+/system/bin/tombstoned tombstoned_exec
+/system/bin/recovery-persist recovery_persist_exec
+/system/bin/recovery-refresh recovery_refresh_exec
+/system/bin/sdcard sdcardd_exec
+/system/bin/snapshotctl snapshotctl_exec
+/system/bin/remount remount_exec
+/system/bin/dhcpcd dhcp_exec
+/system/bin/dhcpcd-6.8.2 dhcp_exec
+/system/bin/dmesgd dmesgd_exec
+/system/bin/mtpd mtp_exec
+/system/bin/pppd ppp_exec
+/system/bin/racoon racoon_exec
+/system/xbin/su su_exec
+/system/bin/dnsmasq dnsmasq_exec
+/system/bin/linker system_linker_exec
+/system/bin/linker64 system_linker_exec
+/system/bin/linker63 system_file
+/system/bin/linkerconfig linkerconfig_exec
+/system/bin/bootstrap/linker system_linker_exec
+/system/bin/bootstrap/linker64 system_linker_exec
+/system/bin/bootstrap/linker63 system_file
+/system/bin/bootstrap/linkerconfig linkerconfig_exec
+/system/bin/llkd llkd_exec
+/system/bin/lmkd lmkd_exec
+/system/bin/usbd usbd_exec
+/system/bin/inputflinger inputflinger_exec
+/system/bin/logd logd_exec
+/system/bin/lpdumpd lpdumpd_exec
+/system/bin/rss_hwm_reset rss_hwm_reset_exec
+/system/bin/perfetto perfetto_exec
+/system/bin/mtectrl mtectrl_exec
+/system/bin/traced traced_exec
+/system/bin/traced_perf traced_perf_exec
+/system/bin/traced_probes traced_probes_exec
+/system/bin/heapprofd heapprofd_exec
+/system/bin/uncrypt uncrypt_exec
+/system/bin/update_verifier update_verifier_exec
+/system/bin/logwrapper system_file
+/system/bin/vdc vdc_exec
+/system/bin/cppreopts.sh cppreopts_exec
+/system/bin/preloads_copy.sh preloads_copy_exec
+/system/bin/preopt2cachename preopt2cachename_exec
+/system/bin/viewcompiler viewcompiler_exec
+/system/bin/sgdisk sgdisk_exec
+/system/bin/blkid blkid_exec
+/system/bin/flags_health_check flags_health_check_exec
+/system/bin/idmap2 idmap_exec
+/system/bin/idmap2d idmap_exec
+/system/bin/update_engine update_engine_exec
+/system/bin/profcollectd profcollectd_exec
+/system/bin/profcollectctl profcollectd_exec
+/system/bin/storaged storaged_exec
+/system/bin/virtual_camera virtual_camera_exec
+/system/bin/virtual_touchpad virtual_touchpad_exec
+/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
+/system/bin/hw/android.system.suspend-service system_suspend_exec
+/system/etc/cgroups.json cgroup_desc_file
+/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
+/system/etc/event-log-tags system_event_log_tags_file
+/system/etc/font_fallback.xml system_font_fallback_file
+/system/etc/group system_group_file
+/system/etc/ld.config. system_linker_config_file
+/system/etc/ld.config.test system_linker_config_file
+/system/etc/passwd system_passwd_file
+/system/etc/seccomp_policy system_seccomp_policy_file
+/system/etc/seccomp_policy/crash_dump.x86.policy system_seccomp_policy_file
+/system/etc/security/cacerts system_security_cacerts_file
+/system/etc/security/cacerts/123 system_security_cacerts_file
+/system/etc/selinux/mapping/30.0.cil sepolicy_file
+#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
+/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
+/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_service_contexts service_contexts_file
+/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
+/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
+/system/etc/selinux/plat_file_contexts file_contexts_file
+/system/etc/selinux/plat_seapp_contexts seapp_contexts_file
+/system/etc/selinux/plat_sepolicy.cil sepolicy_file
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
+/system/etc/task_profiles.json task_profiles_file
+/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
+/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
+/system/usr/share/zoneinfo system_zoneinfo_file
+/system/usr/share/zoneinfo/0 system_zoneinfo_file
+/system/bin/adbd adbd_exec
+/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
+/system/bin/stats stats_exec
+/system/bin/statsd statsd_exec
+/system/bin/bpfloader bpfloader_exec
+/system/bin/netbpfload bpfloader_exec
+/system/bin/watchdogd watchdogd_exec
+/system/bin/apexd apexd_exec
+/system/bin/gsid gsid_exec
+/system/bin/simpleperf simpleperf_exec
+/system/bin/simpleperf_app_runner simpleperf_app_runner_exec
+/system/bin/migrate_legacy_obb_data migrate_legacy_obb_data_exec
+/system/bin/android.frameworks.automotive.display@1.0-service automotive_display_service_exec
+/system/bin/snapuserd snapuserd_exec
+/system/bin/odsign odsign_exec
+/system/bin/vehicle_binding_util vehicle_binding_util_exec
+/system/bin/cardisplayproxyd automotive_display_service_exec
+/system/bin/evsmanagerd evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
+/system/bin/uprobestats uprobestats_exec
+
+/vendor vendor_file
+/vendor/does_not_exist vendor_file
+/system/vendor vendor_file
+/system/vendor/does_not_exist vendor_file
+/vendor/bin/sh vendor_shell_exec
+/system/vendor/bin/sh vendor_shell_exec
+/vendor/bin/toybox_vendor vendor_toolbox_exec
+/system/vendor/bin/toybox_vendor vendor_toolbox_exec
+/vendor/bin/toolbox vendor_toolbox_exec
+/system/vendor/bin/toolbox vendor_toolbox_exec
+/vendor/etc vendor_configs_file
+/vendor/etc/does_not_exist vendor_configs_file
+/system/vendor/etc vendor_configs_file
+/system/vendor/etc/does_not_exist vendor_configs_file
+/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/system/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/vendor/etc/task_profiles.json vendor_task_profiles_file
+/system/vendor/etc/task_profiles.json vendor_task_profiles_file
+
+/vendor/lib/egl same_process_hal_file
+/vendor/lib64/egl same_process_hal_file
+/vendor/lib/egl/test same_process_hal_file
+/vendor/lib64/egl/test same_process_hal_file
+/system/vendor/lib/egl same_process_hal_file
+/system/vendor/lib64/egl same_process_hal_file
+/system/vendor/lib/egl/test same_process_hal_file
+/system/vendor/lib64/egl/test same_process_hal_file
+
+/vendor/lib/vndk-sp vndk_sp_file
+/vendor/lib64/vndk-sp vndk_sp_file
+/vendor/lib/vndk-sp/test vndk_sp_file
+/vendor/lib64/vndk-sp/test vndk_sp_file
+/system/vendor/lib/vndk-sp vndk_sp_file
+/system/vendor/lib64/vndk-sp vndk_sp_file
+/system/vendor/lib/vndk-sp/test vndk_sp_file
+/system/vendor/lib64/vndk-sp/test vndk_sp_file
+
+/vendor/manifest.xml vendor_configs_file
+/system/vendor/manifest.xml vendor_configs_file
+/vendor/compatibility_matrix.xml vendor_configs_file
+/system/vendor/compatibility_matrix.xml vendor_configs_file
+/vendor/etc/vintf vendor_configs_file
+/vendor/etc/vintf/test vendor_configs_file
+/system/vendor/etc/vintf vendor_configs_file
+/system/vendor/etc/vintf/test vendor_configs_file
+/vendor/app vendor_app_file
+/vendor/app/test vendor_app_file
+/system/vendor/app vendor_app_file
+/system/vendor/app/test vendor_app_file
+/vendor/priv-app vendor_app_file
+/vendor/priv-app/test vendor_app_file
+/system/vendor/priv-app vendor_app_file
+/system/vendor/priv-app/test vendor_app_file
+/vendor/overlay vendor_overlay_file
+/vendor/overlay/test vendor_overlay_file
+/system/vendor/overlay vendor_overlay_file
+/system/vendor/overlay/test vendor_overlay_file
+/vendor/framework vendor_framework_file
+/vendor/framework/test vendor_framework_file
+/system/vendor/framework vendor_framework_file
+/system/vendor/framework/test vendor_framework_file
+
+/vendor/apex vendor_apex_file
+/vendor/apex/test vendor_apex_file
+/vendor/apex/test/test vendor_apex_file
+/vendor/apex/test/test/test vendor_file
+/system/vendor/apex vendor_apex_file
+/system/vendor/apex/test vendor_apex_file
+/system/vendor/apex/test/test vendor_apex_file
+/system/vendor/apex/test/test/test vendor_file
+/vendor/bin/misc_writer vendor_misc_writer_exec
+/system/vendor/bin/misc_writer vendor_misc_writer_exec
+/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+
+/vendor/lib/hw vendor_hal_file
+/vendor/lib64/hw vendor_hal_file
+/system/vendor/lib/hw vendor_hal_file
+/system/vendor/lib64/hw vendor_hal_file
+
+/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+/system/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+
+/odm vendor_file
+/odm/does_not_exist vendor_file
+/vendor/odm vendor_file
+/vendor/does_not_exist vendor_file
+/odm/lib/egl same_process_hal_file
+/odm/lib64/egl same_process_hal_file
+/odm/lib/egl/test same_process_hal_file
+/odm/lib64/egl/test same_process_hal_file
+/vendor/odm/lib/egl same_process_hal_file
+/vendor/odm/lib64/egl same_process_hal_file
+/vendor/odm/lib/egl/test same_process_hal_file
+/vendor/odm/lib64/egl/test same_process_hal_file
+/odm/lib/hw vendor_hal_file
+/odm/lib64/hw vendor_hal_file
+/vendor/odm/lib/hw vendor_hal_file
+/vendor/odm/lib64/hw vendor_hal_file
+/odm/lib/vndk-sp vndk_sp_file
+/odm/lib64/vndk-sp vndk_sp_file
+/odm/lib/vndk-sp/test vndk_sp_file
+/odm/lib64/vndk-sp/test vndk_sp_file
+/vendor/odm/lib/vndk-sp vndk_sp_file
+/vendor/odm/lib64/vndk-sp vndk_sp_file
+/vendor/odm/lib/vndk-sp/test vndk_sp_file
+/vendor/odm/lib64/vndk-sp/test vndk_sp_file
+
+/odm/bin/sh vendor_shell_exec
+/vendor/odm/bin/sh vendor_shell_exec
+/odm/etc vendor_configs_file
+/odm/etc/test vendor_configs_file
+/vendor/odm/etc vendor_configs_file
+/vendor/odm/etc/test vendor_configs_file
+/odm/app vendor_app_file
+/odm/app/test vendor_app_file
+/vendor/odm/app vendor_app_file
+/vendor/odm/app/test vendor_app_file
+/odm/priv-app vendor_app_file
+/odm/priv-app/test vendor_app_file
+/vendor/odm/priv-app vendor_app_file
+/vendor/odm/priv-app/test vendor_app_file
+/odm/overlay vendor_overlay_file
+/odm/overlay/test vendor_overlay_file
+/vendor/odm/overlay vendor_overlay_file
+/vendor/odm/overlay/test vendor_overlay_file
+/odm/framework vendor_framework_file
+/odm/framework/test vendor_framework_file
+/vendor/odm/framework vendor_framework_file
+/vendor/odm/framework/test vendor_framework_file
+
+/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+
+/odm/usr/keylayout.kl vendor_keylayout_file
+/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/usr/keylayout.kl vendor_keylayout_file
+/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/system/vendor/usr/keylayout.kl vendor_keylayout_file
+/system/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/odm/usr/keychars.kcm vendor_keychars_file
+/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/odm/usr/keychars.kcm vendor_keychars_file
+/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/usr/keychars.kcm vendor_keychars_file
+/vendor/usr/keychars/test.kcm vendor_keychars_file
+/system/vendor/usr/keychars.kcm vendor_keychars_file
+/system/vendor/usr/keychars/test.kcm vendor_keychars_file
+/odm/usr/idc.idc vendor_idc_file
+/odm/usr/idc/test.idc vendor_idc_file
+/vendor/odm/usr/idc.idc vendor_idc_file
+/vendor/odm/usr/idc/test.idc vendor_idc_file
+/vendor/usr/idc.idc vendor_idc_file
+/vendor/usr/idc/test.idc vendor_idc_file
+/system/vendor/usr/idc.idc vendor_idc_file
+/system/vendor/usr/idc/test.idc vendor_idc_file
+
+/oem oemfs
+/oem/does_not_exist oemfs
+/oem/overlay vendor_overlay_file
+/oem/overlay/does_not_exist vendor_overlay_file
+
+/odm/etc/selinux/precompiled_sepolicy sepolicy_file
+/odm/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 sepolicy_file
+
+/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/vendor/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/odm/etc/selinux/odm_file_contexts file_contexts_file
+/vendor/odm/etc/selinux/odm_file_contexts file_contexts_file
+/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/vendor/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/odm/etc/selinux/odm_property_contexts property_contexts_file
+/vendor/odm/etc/selinux/odm_property_contexts property_contexts_file
+/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/vendor/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/vendor/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+
+/product system_file
+/product/does_not_exist system_file
+/system/product system_file
+/system/product/does_not_exist system_file
+/product/etc/group system_group_file
+/system/product/etc/group system_group_file
+/product/etc/passwd system_passwd_file
+/system/product/etc/passwd system_passwd_file
+/product/overlay system_file
+/product/overlay/does_not_exist system_file
+/system/product/overlay system_file
+/system/product/overlay/does_not_exist system_file
+
+/product/etc/selinux/product_file_contexts file_contexts_file
+/system/product/etc/selinux/product_file_contexts file_contexts_file
+/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/system/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/system/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/product/etc/selinux/product_property_contexts property_contexts_file
+/system/product/etc/selinux/product_property_contexts property_contexts_file
+/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/system/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/product/etc/selinux/product_service_contexts service_contexts_file
+/system/product/etc/selinux/product_service_contexts service_contexts_file
+/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+
+/product/lib system_lib_file
+/product/lib/does_not_exist system_lib_file
+/product/lib64 system_lib_file
+/product/lib64/does_not_exist system_lib_file
+/system/product/lib system_lib_file
+/system/product/lib/does_not_exist system_lib_file
+/system/product/lib64 system_lib_file
+/system/product/lib64/does_not_exist system_lib_file
+
+/system_ext system_file
+/system_ext/does_not_exist system_file
+/system/system_ext system_file
+/system/system_ext/does_not_exist system_file
+/system_ext/etc/group system_group_file
+/system/system_ext/etc/group system_group_file
+/system_ext/etc/passwd system_passwd_file
+/system/system_ext/etc/passwd system_passwd_file
+/system_ext/overlay vendor_overlay_file
+/system_ext/overlay/does_not_exist vendor_overlay_file
+/system/system_ext/overlay vendor_overlay_file
+/system/system_ext/overlay/does_not_exist vendor_overlay_file
+
+/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+
+/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+
+
+/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+
+/system_ext/lib system_lib_file
+/system_ext/lib/does_not_exist system_lib_file
+/system_ext/lib64 system_lib_file
+/system_ext/lib64/does_not_exist system_lib_file
+/system/system_ext/lib system_lib_file
+/system/system_ext/lib/does_not_exist system_lib_file
+/system/system_ext/lib64 system_lib_file
+/system/system_ext/lib64/does_not_exist system_lib_file
+
+/vendor_dlkm vendor_file
+/vendor_dlkm/does_not_exist vendor_file
+/vendor/vendor_dlkm vendor_file
+/vendor/vendor_dlkm/does_not_exist vendor_file
+/system/vendor/vendor_dlkm vendor_file
+/system/vendor/vendor_dlkm/does_not_exist vendor_file
+/vendor_dlkm/etc vendor_configs_file
+/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/vendor_dlkm/etc vendor_configs_file
+/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/vendor_dlkm/etc vendor_configs_file
+/system/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+
+/odm_dlkm vendor_file
+/odm_dlkm/does_not_exist vendor_file
+/vendor/odm_dlkm vendor_file
+/vendor/odm_dlkm/does_not_exist vendor_file
+/system/vendor/odm_dlkm vendor_file
+/system/vendor/odm_dlkm/does_not_exist vendor_file
+/odm_dlkm/etc vendor_configs_file
+/odm_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/odm_dlkm/etc vendor_configs_file
+/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/odm_dlkm/etc vendor_configs_file
+/system/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+
+/product/vendor_overlay/0/test vendor_file
+/product/vendor_overlay/1/test vendor_file
+/system/product/vendor_overlay/0/test vendor_file
+/system/product/vendor_overlay/1/test vendor_file
+
+/data system_data_root_file
+/data/does_not_exist system_data_file
+/data/system/environ environ_system_data_file
+/data/system/environ/test environ_system_data_file
+/data/system/packages.list packages_list_file
+/data/system/game_mode_intervention.list game_mode_intervention_list_file
+/data/unencrypted unencrypted_data_file
+/data/unencrypted/test unencrypted_data_file
+/data/backup backup_data_file
+/data/backup/test backup_data_file
+/data/secure/backup backup_data_file
+/data/secure/backup/test backup_data_file
+/data/system/ndebugsocket system_ndebug_socket
+/data/system/unsolzygotesocket system_unsolzygote_socket
+/data/drm drm_data_file
+/data/drm/test drm_data_file
+/data/resource-cache resourcecache_data_file
+/data/resource-cache/test resourcecache_data_file
+/data/dalvik-cache dalvikcache_data_file
+/data/dalvik-cache/test dalvikcache_data_file
+/data/ota ota_data_file
+/data/ota/test ota_data_file
+/data/ota_package ota_package_file
+/data/ota_package/test ota_package_file
+/data/adb adb_data_file
+/data/adb/test adb_data_file
+/data/anr anr_data_file
+/data/anr/test anr_data_file
+/data/apex apex_data_file
+/data/apex/test apex_data_file
+/data/apex/active/test staging_data_file
+/data/apex/backup/test staging_data_file
+/data/apex/decompressed/test staging_data_file
+/data/apex/ota_reserved apex_ota_reserved_file
+/data/apex/ota_reserved/test apex_ota_reserved_file
+/data/app apk_data_file
+/data/app/test apk_data_file
+/data/app/test01/oat dalvikcache_data_file
+/data/app/test01/oat/test dalvikcache_data_file
+/data/app/test01/test02/oat dalvikcache_data_file
+/data/app/test01/test02/oat/test dalvikcache_data_file
+/data/app/vmdltest01.tmp apk_tmp_file
+/data/app/vmdltest01.tmp/test apk_tmp_file
+/data/app/vmdltest02.tmp/oat dalvikcache_data_file
+/data/app/vmdltest02.tmp/oat/test dalvikcache_data_file
+/data/app-private apk_private_data_file
+/data/app-private/test apk_private_data_file
+/data/app-private/vmdltest.tmp apk_private_tmp_file
+/data/app-private/vmdltest/does_not_exist.tmp apk_private_tmp_file
+/data/app-private/vmdltest.tmp/test apk_private_tmp_file
+/data/gsi gsi_data_file
+/data/gsi/test gsi_data_file
+/data/gsi_persistent_data gsi_persistent_data_file
+/data/gsi/ota ota_image_data_file
+/data/gsi/ota/test ota_image_data_file
+/data/tombstones tombstone_data_file
+/data/tombstones/test tombstone_data_file
+/data/vendor/tombstones/wifi tombstone_wifi_data_file
+/data/vendor/tombstones/wifi/test tombstone_wifi_data_file
+/data/local/tests shell_test_data_file
+/data/local/tests/test shell_test_data_file
+/data/local/tmp shell_data_file
+/data/local/tmp/test shell_data_file
+/data/local/tmp/ltp nativetest_data_file
+/data/local/tmp/ltp/test nativetest_data_file
+/data/local/traces trace_data_file
+/data/local/traces/test trace_data_file
+/data/media media_userdir_file
+/data/media/test media_rw_data_file
+/data/mediadrm media_data_file
+/data/mediadrm/test media_data_file
+/data/nativetest nativetest_data_file
+/data/nativetest/test nativetest_data_file
+/data/nativetest64 nativetest_data_file
+/data/nativetest64/test nativetest_data_file
+/data/pkg_staging staging_data_file
+/data/pkg_staging/test staging_data_file
+/data/property property_data_file
+/data/property/test property_data_file
+/data/preloads preloads_data_file
+/data/preloads/test preloads_data_file
+/data/preloads/media preloads_media_file
+/data/preloads/media/test preloads_media_file
+/data/preloads/demo preloads_media_file
+/data/preloads/demo/test preloads_media_file
+/data/server_configurable_flags server_configurable_flags_data_file
+/data/server_configurable_flags/test server_configurable_flags_data_file
+/data/app-staging staging_data_file
+/data/app-staging/test staging_data_file
+/data/rollback/0/test/test.apk apk_data_file
+/data/rollback/999/test/test.apex staging_data_file
+/data/fonts/files font_data_file
+/data/fonts/files/test font_data_file
+/data/misc_ce system_userdir_file
+/data/misc_de system_userdir_file
+/data/system_ce system_userdir_file
+/data/system_de system_userdir_file
+/data/user system_userdir_file
+/data/user_de system_userdir_file
+
+/data/misc/adb adb_keys_file
+/data/misc/adb/test adb_keys_file
+/data/misc/a11ytrace accessibility_trace_data_file
+/data/misc/a11ytrace/test accessibility_trace_data_file
+/data/misc/apexdata apex_module_data_file
+/data/misc/apexdata/test apex_module_data_file
+/data/misc/apexdata/com.android.art apex_art_data_file
+/data/misc/apexdata/com.android.art/test apex_art_data_file
+/data/misc/apexdata/com.android.compos apex_compos_data_file
+/data/misc/apexdata/com.android.compos/test apex_compos_data_file
+/data/misc/apexdata/com.android.virt apex_virt_data_file
+/data/misc/apexdata/com.android.virt/test apex_virt_data_file
+/data/misc/apexdata/com.android.permission apex_system_server_data_file
+/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering/test apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc/apexrollback apex_rollback_data_file
+/data/misc/apexrollback/test apex_rollback_data_file
+/data/misc/apns radio_data_file
+/data/misc/apns/test radio_data_file
+/data/misc/appcompat appcompat_data_file
+/data/misc/appcompat/test appcompat_data_file
+/data/misc/audio audio_data_file
+/data/misc/audio/test audio_data_file
+/data/misc/audioserver audioserver_data_file
+/data/misc/audioserver/test audioserver_data_file
+/data/misc/audiohal audiohal_data_file
+/data/misc/audiohal/test audiohal_data_file
+/data/misc/bootstat bootstat_data_file
+/data/misc/bootstat/test bootstat_data_file
+/data/misc/boottrace boottrace_data_file
+/data/misc/boottrace/test boottrace_data_file
+/data/misc/bluetooth bluetooth_data_file
+/data/misc/bluetooth/test bluetooth_data_file
+/data/misc/bluetooth/logs bluetooth_logs_data_file
+/data/misc/bluetooth/logs/test bluetooth_logs_data_file
+/data/misc/bluedroid bluetooth_data_file
+/data/misc/bluedroid/test bluetooth_data_file
+/data/misc/bluedroid/.a2dp_ctrl bluetooth_socket
+/data/misc/bluedroid/.a2dp_data bluetooth_socket
+/data/misc/camera camera_data_file
+/data/misc/camera/test camera_data_file
+/data/misc/carrierid radio_data_file
+/data/misc/carrierid/test radio_data_file
+/data/misc/dhcp dhcp_data_file
+/data/misc/dhcp/test dhcp_data_file
+/data/misc/dhcp-6.8.2 dhcp_data_file
+/data/misc/dhcp-6.8.2/test dhcp_data_file
+/data/misc/dmesgd dmesgd_data_file
+/data/misc/dmesgd/test dmesgd_data_file
+/data/misc/emergencynumberdb emergency_data_file
+/data/misc/emergencynumberdb/test emergency_data_file
+/data/misc/gatekeeper gatekeeper_data_file
+/data/misc/gatekeeper/test gatekeeper_data_file
+/data/misc/incidents incident_data_file
+/data/misc/incidents/test incident_data_file
+/data/misc/installd install_data_file
+/data/misc/installd/test install_data_file
+/data/misc/keychain keychain_data_file
+/data/misc/keychain/test keychain_data_file
+/data/misc/credstore credstore_data_file
+/data/misc/credstore/test credstore_data_file
+/data/misc/keystore keystore_data_file
+/data/misc/keystore/test keystore_data_file
+/data/misc/logd misc_logd_file
+/data/misc/logd/test misc_logd_file
+/data/misc/media media_data_file
+/data/misc/media/test media_data_file
+/data/misc/net net_data_file
+/data/misc/net/test net_data_file
+/data/misc/network_watchlist network_watchlist_data_file
+/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/nfc/logs nfc_logs_data_file
+/data/misc/nfc/logs/test nfc_logs_data_file
+/data/misc/odrefresh odrefresh_data_file
+/data/misc/odrefresh/test odrefresh_data_file
+/data/misc/odsign odsign_data_file
+/data/misc/odsign/test odsign_data_file
+/data/misc/odsign/metrics odsign_metrics_file
+/data/misc/odsign/metrics/test odsign_metrics_file
+/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces perfetto_traces_data_file
+/data/misc/perfetto-traces/test perfetto_traces_data_file
+/data/misc/perfetto-configs perfetto_configs_data_file
+/data/misc/perfetto-configs/test perfetto_configs_data_file
+/data/misc/prereboot prereboot_data_file
+/data/misc/prereboot/test prereboot_data_file
+/data/misc/profcollectd profcollectd_data_file
+/data/misc/profcollectd/test profcollectd_data_file
+/data/misc/radio radio_core_data_file
+/data/misc/radio/test radio_core_data_file
+/data/misc/recovery recovery_data_file
+/data/misc/recovery/test recovery_data_file
+/data/misc/shared_relro shared_relro_file
+/data/misc/shared_relro/test shared_relro_file
+/data/misc/sms radio_data_file
+/data/misc/sms/test radio_data_file
+/data/misc/snapshotctl_log snapshotctl_log_data_file
+/data/misc/snapshotctl_log/test snapshotctl_log_data_file
+/data/misc/stats-active-metric stats_data_file
+/data/misc/stats-active-metric/test stats_data_file
+/data/misc/stats-data stats_data_file
+/data/misc/stats-data/test stats_data_file
+/data/misc/stats-service stats_config_data_file
+/data/misc/stats-service/test stats_config_data_file
+/data/misc/stats-metadata stats_data_file
+/data/misc/stats-metadata/test stats_data_file
+/data/misc/systemkeys systemkeys_data_file
+/data/misc/systemkeys/test systemkeys_data_file
+/data/misc/textclassifier textclassifier_data_file
+/data/misc/textclassifier/test textclassifier_data_file
+/data/misc/threadnetwork threadnetwork_data_file
+/data/misc/threadnetwork/test threadnetwork_data_file
+/data/misc/train-info stats_data_file
+/data/misc/train-info/test stats_data_file
+/data/misc/user misc_user_data_file
+/data/misc/user/test misc_user_data_file
+/data/misc/virtualizationservice virtualizationservice_data_file
+/data/misc/virtualizationservice/test virtualizationservice_data_file
+/data/misc/vpn vpn_data_file
+/data/misc/vpn/test vpn_data_file
+/data/misc/wifi wifi_data_file
+/data/misc/wifi/test wifi_data_file
+/data/misc_ce/0/wifi wifi_data_file
+/data/misc_ce/99/wifi/test wifi_data_file
+/data/misc/wifi/sockets wpa_socket
+/data/misc/wifi/sockets/test wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl_test system_wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl.rc system_wpa_socket
+/data/misc/vold vold_data_file
+/data/misc/vold/test vold_data_file
+/data/misc/update_engine update_engine_data_file
+/data/misc/update_engine/test update_engine_data_file
+/data/misc/update_engine_log update_engine_log_data_file
+/data/misc/update_engine_log/test update_engine_log_data_file
+/data/misc/snapuserd_log snapuserd_log_data_file
+/data/misc/snapuserd_log/test snapuserd_log_data_file
+/data/system/dropbox dropbox_data_file
+/data/system/dropbox/test dropbox_data_file
+/data/system/heapdump heapdump_data_file
+/data/system/heapdump/test heapdump_data_file
+/data/misc/trace method_trace_data_file
+/data/misc/trace/test method_trace_data_file
+/data/misc/wmtrace wm_trace_data_file
+/data/misc/wmtrace/test wm_trace_data_file
+/data/misc/profiles/cur/0 user_profile_root_file
+/data/misc/profiles/cur/9 user_profile_root_file
+/data/misc/profiles/cur/0/test user_profile_data_file
+/data/misc/profiles/ref user_profile_data_file
+/data/misc/profiles/ref/test user_profile_data_file
+/data/misc/profman profman_dump_data_file
+/data/misc/profman/test profman_dump_data_file
+/data/vendor vendor_data_file
+/data/vendor/test vendor_data_file
+/data/vendor_ce vendor_userdir_file
+/data/vendor_ce/test vendor_data_file
+/data/vendor_de vendor_userdir_file
+/data/vendor_de/test vendor_data_file
+
+/data/misc_de/0/storaged storaged_data_file
+/data/misc_de/99/storaged/test storaged_data_file
+/data/misc_ce/0/storaged storaged_data_file
+/data/misc_ce/99/storaged/test storaged_data_file
+
+/data/misc_ce/0/checkin checkin_data_file
+/data/misc_ce/99/checkin/test checkin_data_file
+
+/data/system/users/0/fpdata fingerprintd_data_file
+/data/system/users/99/fpdata/test fingerprintd_data_file
+/data/vendor_de/0/fpdata fingerprint_vendor_data_file
+/data/vendor_de/99/fpdata/test fingerprint_vendor_data_file
+/data/vendor_de/0/facedata face_vendor_data_file
+/data/vendor_de/99/facedata/test face_vendor_data_file
+/data/vendor_ce/0/facedata face_vendor_data_file
+/data/vendor_ce/99/facedata/test face_vendor_data_file
+/data/vendor_de/0/irisdata iris_vendor_data_file
+/data/vendor_de/99/irisdata/test iris_vendor_data_file
+
+/data/bootchart bootchart_data_file
+/data/bootchart/test bootchart_data_file
+
+/data/misc_de/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_de/99/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/99/sdksandbox sdk_sandbox_system_data_file
+
+/data/misc_de/0/rollback rollback_data_file
+/data/misc_de/99/rollback/test rollback_data_file
+/data/misc_ce/0/rollback rollback_data_file
+/data/misc_ce/99/rollback/test rollback_data_file
+
+/data/misc_de/0/apexdata apex_module_data_file
+/data/misc_de/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata apex_module_data_file
+/data/misc_ce/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata/com.android.appsearch apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.appsearch/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.uwb/test apex_system_server_data_file
+
+/data/misc_de/0/apexrollback apex_rollback_data_file
+/data/misc_de/99/apexrollback/test apex_rollback_data_file
+/data/misc_ce/0/apexrollback apex_rollback_data_file
+/data/misc_ce/99/apexrollback/test apex_rollback_data_file
+
+/data/incremental apk_data_file
+/data/incremental/test apk_data_file
+/data/incremental/MT_test/mount/.pending_reads incremental_control_file
+/data/incremental/MT_test/mount/.log incremental_control_file
+/data/incremental/MT_test/mount/.blocks_written incremental_control_file
+
+/data/misc/bootanim bootanim_data_file
+/data/misc/bootanim/test bootanim_data_file
+/mnt/expand mnt_expand_file
+/mnt/expand/does_not_exist system_data_file
+/mnt/expand/test/test system_data_file
+/mnt/expand/test/app apk_data_file
+/mnt/expand/test/app/test apk_data_file
+/mnt/expand/test/app/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/test apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/oat dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp/oat/test dalvikcache_data_file
+/mnt/expand/test/local/tmp shell_data_file
+/mnt/expand/test/local/tmp/test shell_data_file
+/mnt/expand/test/media media_userdir_file
+/mnt/expand/test/media/test media_rw_data_file
+/mnt/expand/test/misc/vold vold_data_file
+/mnt/expand/test/misc/vold/test vold_data_file
+/mnt/expand/test/misc_ce system_userdir_file
+/mnt/expand/test/misc_de system_userdir_file
+/mnt/expand/test/user system_userdir_file
+/mnt/expand/test/user_de system_userdir_file
+
+/cores coredump_file
+/cores/test coredump_file
+
+/data/system/users/0/wallpaper_lock_orig wallpaper_file
+/data/system/users/99/wallpaper_lock wallpaper_file
+/data/system/users/0/wallpaper_orig wallpaper_file
+/data/system/users/10/wallpaper wallpaper_file
+
+/data/system_de/0/ringtones ringtone_file
+/data/system_de/0/ringtones/test ringtone_file
+
+/data/system_ce/0/shortcut_service/bitmaps shortcut_manager_icons
+/data/system_ce/9/shortcut_service/bitmaps/test shortcut_manager_icons
+
+/data/system/users/10/photo.png icon_file
+
+/data/system/shutdown-checkpoints shutdown_checkpoints_system_data_file
+/data/system/shutdown-checkpoints/test shutdown_checkpoints_system_data_file
+
+/data/misc_de/0/vold vold_data_file
+/data/misc_de/99/vold/test vold_data_file
+/data/misc_ce/0/vold vold_data_file
+/data/misc_ce/99/vold/test vold_data_file
+
+/data/system_ce/0/backup backup_data_file
+/data/system_ce/99/backup/test backup_data_file
+/data/system_ce/0/backup_stage backup_data_file
+/data/system_ce/99/backup_stage/test backup_data_file
+
+/efs efs_file
+/efs/test efs_file
+
+/cache cache_file
+/cache/test cache_file
+/cache/recovery cache_recovery_file
+/cache/recovery/test cache_recovery_file
+/cache/backup_stage cache_backup_file
+/cache/backup_stage/test cache_backup_file
+/cache/backup cache_private_backup_file
+/cache/backup/test cache_private_backup_file
+
+/cache/overlay overlayfs_file
+/cache/overlay/test overlayfs_file
+/mnt/scratch overlayfs_file
+/mnt/scratch/test overlayfs_file
+
+/data/cache cache_file
+/data/cache/test cache_file
+/data/cache/recovery cache_recovery_file
+/data/cache/recovery/test cache_recovery_file
+/data/cache/backup_stage cache_backup_file
+/data/cache/backup_stage/test cache_backup_file
+/data/cache/backup cache_private_backup_file
+/data/cache/backup/test cache_private_backup_file
+
+/metadata metadata_file
+/metadata/test metadata_file
+/metadata/apex apex_metadata_file
+/metadata/apex/test apex_metadata_file
+/metadata/vold vold_metadata_file
+/metadata/vold/test vold_metadata_file
+/metadata/gsi gsi_metadata_file
+/metadata/gsi/test gsi_metadata_file
+/metadata/gsi/dsu/active gsi_public_metadata_file
+/metadata/gsi/dsu/booted gsi_public_metadata_file
+/metadata/gsi/dsu/lp_names gsi_public_metadata_file
+/metadata/gsi/dsu/test/metadata_encryption_dir gsi_public_metadata_file
+/metadata/gsi/ota ota_metadata_file
+/metadata/gsi/ota/test ota_metadata_file
+/metadata/password_slots password_slot_metadata_file
+/metadata/password_slots/test password_slot_metadata_file
+/metadata/ota ota_metadata_file
+/metadata/ota/test ota_metadata_file
+/metadata/bootstat metadata_bootstat_file
+/metadata/bootstat/test metadata_bootstat_file
+/metadata/staged-install staged_install_file
+/metadata/staged-install/test staged_install_file
+/metadata/userspacereboot userspace_reboot_metadata_file
+/metadata/userspacereboot/test userspace_reboot_metadata_file
+/metadata/watchdog watchdog_metadata_file
+/metadata/watchdog/test watchdog_metadata_file
+/metadata/repair-mode repair_mode_metadata_file
+/metadata/repair-mode/test repair_mode_metadata_file
+
+/mnt/asec asec_apk_file
+/mnt/asec/test asec_apk_file
+/mnt/asec/test/test.zip asec_public_file
+/mnt/asec/test/lib asec_public_file
+/mnt/asec/test/lib/test asec_public_file
+/data/app-asec asec_image_file
+/data/app-asec/test asec_image_file
+
+/mnt/media_rw mnt_media_rw_file
+/mnt/media_rw/test mnt_media_rw_file
+/mnt/user mnt_user_file
+/mnt/user/test mnt_user_file
+/mnt/pass_through mnt_pass_through_file
+/mnt/pass_through/test mnt_pass_through_file
+/mnt/sdcard mnt_sdcard_file
+/mnt/runtime storage_file
+/mnt/runtime/test storage_file
+/storage storage_file
+/storage/test storage_file
+
+/mnt/vendor mnt_vendor_file
+/mnt/vendor/test mnt_vendor_file
+
+/mnt/product mnt_product_file
+/mnt/product/test mnt_product_file
+
+/system/bin/check_dynamic_partitions postinstall_exec
+/product/bin/check_dynamic_partitions postinstall_exec
+/system/bin/otapreopt_script postinstall_exec
+/product/bin/otapreopt_script postinstall_exec
+/system/bin/otapreopt postinstall_dexopt_exec
+/product/bin/otapreopt postinstall_dexopt_exec
diff --git a/definitions.mk b/definitions.mk
deleted file mode 100644
index 63c4d94..0000000
--- a/definitions.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-# Command to turn collection of policy files into a policy.conf file to be
-# processed by checkpolicy
-define transform-policy-to-conf
-@mkdir -p $(dir $@)
-$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
- -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
- -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
- -D target_arch=$(PRIVATE_TGT_ARCH) \
- -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
- -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
- -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
- -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
- -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
- -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
- -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
- -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
- $(PRIVATE_TGT_RECOVERY) \
- -s $(PRIVATE_POLICY_FILES) > $@
-endef
-.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
index 401f78c..16132c6 100644
--- a/mac_permissions/Android.bp
+++ b/mac_permissions/Android.bp
@@ -72,14 +72,14 @@
mac_permissions {
name: "vendor_mac_permissions.xml",
keys: [
- ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.plat_vendor}",
":keys.conf{.vendor}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
- ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.plat_vendor}",
":mac_permissions.xml{.vendor}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
vendor: true,
}
@@ -88,11 +88,11 @@
name: "odm_mac_permissions.xml",
keys: [
":keys.conf{.odm}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.odm}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
device_specific: true,
}
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 5fa2e3a..61c89a1 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -34,10 +34,13 @@
# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the latter
allow encryptedstore labeledfs:filesystem { relabelfrom };
allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
+# chmod the root directory
+allow encryptedstore encryptedstore_file:dir setattr;
+
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index c6ed654..62ca9b7 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -14,10 +14,6 @@
type authfs_fuse, fs_type, contextmount_type;
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
-
# /system/bin/mke2fs - used to format encryptedstore block device
type e2fs_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 3498680..046f20f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -59,6 +59,7 @@
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
@@ -71,7 +72,9 @@
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 408418c..896590d 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -32,11 +32,11 @@
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/socket
@@ -57,6 +57,9 @@
# setrlimit
allow init self:global_capability_class_set sys_resource;
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index e81173d..1d03c4a 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,16 +81,3 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
- file_contexts_file
- property_contexts_file
- sepolicy_test_file
- service_contexts_file
-}:file relabelto;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 23b5033..2aed367 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -34,9 +34,10 @@
# Allow microdroid_manager to remove capabilities from it's capability bounding set.
allow microdroid_manager self:global_capability_class_set setpcap;
-# Allow microdroid_manager to start payload tasks
+# Allow microdroid_manager to start payload tasks in a different uid/gid.
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
+allow microdroid_manager self:global_capability_class_set { setuid setgid };
# Allow microdroid_manager to start apk verity binaries
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 239360f..5d4a73c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -8,13 +8,6 @@
# microdroid_launcher is launched by microdroid_manager with fork/execvp.
allow microdroid_payload microdroid_manager:fd use;
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_payload shell:fd use;
-')
-
# Allow to use terminal
allow microdroid_payload devpts:chr_file rw_file_perms;
@@ -66,3 +59,18 @@
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
+
+# Nothing else should be accessing the payload's storage
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -encryptedstore
+ -init
+ -vendor_init
+} encryptedstore_file:dir { read write };
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -init
+ -vendor_init
+} encryptedstore_file:file no_rw_file_perms;
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 038be00..5267348 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -7,11 +7,6 @@
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
-domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow shell adbd:unix_stream_socket connectto;
diff --git a/policy_version.mk b/policy_version.mk
deleted file mode 100644
index e6bb747..0000000
--- a/policy_version.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
new file mode 100644
index 0000000..fd2099f
--- /dev/null
+++ b/prebuilts/api/29.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "29.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_29.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_pub_policy.cil",
+ src: ":29.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_product_pub_policy.cil",
+ src: ":29.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.plat_private_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.system_ext_private_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.product_private_29.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_policy.cil",
+ src: ":29.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "29.0_plat_policy",
+ srcs: [":29.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
new file mode 100644
index 0000000..b958de0
--- /dev/null
+++ b/prebuilts/api/30.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "30.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_30.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_pub_policy.cil",
+ src: ":30.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_product_pub_policy.cil",
+ src: ":30.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.plat_private_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.system_ext_private_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.product_private_30.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_policy.cil",
+ src: ":30.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "30.0_plat_policy",
+ srcs: [":30.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
new file mode 100644
index 0000000..dbb07b4
--- /dev/null
+++ b/prebuilts/api/31.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "31.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_31.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_pub_policy.cil",
+ src: ":31.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_product_pub_policy.cil",
+ src: ":31.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.plat_private_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.system_ext_private_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.product_private_31.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_policy.cil",
+ src: ":31.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "31.0_plat_policy",
+ srcs: [":31.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
new file mode 100644
index 0000000..39722b4
--- /dev/null
+++ b/prebuilts/api/32.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "32.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_32.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_pub_policy.cil",
+ src: ":32.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_product_pub_policy.cil",
+ src: ":32.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.plat_private_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.system_ext_private_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.product_private_32.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_policy.cil",
+ src: ":32.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "32.0_plat_policy",
+ srcs: [":32.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
new file mode 100644
index 0000000..9bc68c6
--- /dev/null
+++ b/prebuilts/api/33.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "33.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_33.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_pub_policy.cil",
+ src: ":33.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_product_pub_policy.cil",
+ src: ":33.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.plat_private_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.system_ext_private_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.product_private_33.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_policy.cil",
+ src: ":33.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "33.0_plat_policy",
+ srcs: [":33.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
new file mode 100644
index 0000000..499a342
--- /dev/null
+++ b/prebuilts/api/34.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "34.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_34.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_pub_policy.cil",
+ src: ":34.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_product_pub_policy.cil",
+ src: ":34.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.plat_private_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.system_ext_private_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.product_private_34.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_policy.cil",
+ src: ":34.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "34.0_plat_policy",
+ srcs: [":34.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 13dd259..069d06a 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -47,7 +47,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
@@ -60,6 +59,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 258c6b4..0caddf2 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -233,9 +233,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
@@ -844,6 +841,7 @@
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index d7818ee..2c7557f 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1111,6 +1111,8 @@
ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -1324,6 +1326,7 @@
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 98d859c..aff4a0a 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te
@@ -1441,6 +1441,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index da76aee..7cfd8ad 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te
@@ -287,6 +287,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/private/access_vectors b/private/access_vectors
index adb3a61..32d73dd 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@
early_boot_ended
get_attestation_key
get_auth_token
+ get_last_auth_time
get_state
list
lock
diff --git a/private/apexd.te b/private/apexd.te
index f158ef6..b62e6e6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,14 +13,6 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
-# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
-allow apexd sepolicy_metadata_file:dir create_dir_perms;
-allow apexd sepolicy_metadata_file:file create_file_perms;
-# Allow apexd to setup fs-verity for SEPolicy files in metadata
-allowxperm apexd sepolicy_metadata_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
diff --git a/private/app.te b/private/app.te
index 3f8560a..19cb2e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -102,6 +102,10 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Don't allow apps reading /system/etc/font_fallback.xml
+dontaudit appdomain system_font_fallback_file:file no_rw_file_perms;
+neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
+
# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)
@@ -172,11 +176,9 @@
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
@@ -259,6 +261,7 @@
# App sandbox file accesses.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
+allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl FS_IOC_MEASURE_VERITY;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
@@ -424,8 +427,8 @@
allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
+allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
+allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
@@ -527,3 +530,23 @@
appdomain
-device_as_webcam
} video_device:chr_file { read write };
+
+# Prevent calling inotify on APKs. This can be used as a side channel
+# to observer app launches, so it must be disallowed. b/231587164
+# Gate by targetSdkVersion to avoid breaking existing apps.
+neverallow {
+ appdomain
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} apk_data_file:dir { watch watch_reads };
+neverallow {
+ appdomain
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} apk_data_file:file { watch watch_reads };
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e3869cd..46cea8e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -34,6 +34,8 @@
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
+allow app_zygote properties_device:dir mounton;
+
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
diff --git a/private/artd.te b/private/artd.te
index 5fcd43a..acab397 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,7 +7,8 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fd use;
init_daemon_domain(artd)
@@ -136,3 +137,8 @@
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);
+
+# Allow artd to reopen its own memfd.
+# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
+# that don't have write permissions on memfds.
+allow artd artd_tmpfs:file open;
diff --git a/private/attributes b/private/attributes
index 77143a3..fe50b0d 100644
--- a/private/attributes
+++ b/private/attributes
@@ -13,4 +13,5 @@
# All SDK sandbox domains
attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index fa9dd7d..b8ae9f4 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,4 +1,5 @@
-# Rules common to all binder service domains
+# Rules common to some specific binder service domains.
+# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
@@ -17,8 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/bootanim.te b/private/bootanim.te
index f4fb0bc..f63a230 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -16,5 +16,8 @@
# Allow updating boot animation status.
set_prop(bootanim, bootanim_system_prop)
-# Allow accessing /data/bootanim
+# Allow accessing /data/misc/bootanim
r_dir_file(bootanim, bootanim_data_file)
+
+# Allow accessing vendor apex for EGL/GLES
+allow bootanim vendor_apex_metadata_file:dir r_dir_perms;
diff --git a/private/bootstat.te b/private/bootstat.te
index 016292e..99d8c6d 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -17,6 +17,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
-init
+ -platform_app
-recovery
-shell
-system_server
diff --git a/private/bpfloader.te b/private/bpfloader.te
index eecda30..0ad2c6b 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,7 +41,8 @@
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
@@ -62,8 +63,9 @@
-netutils_wrapper
-network_stack
-system_server
+ -uprobestats
} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
diff --git a/private/bug_map b/private/bug_map
index 0a1d741..3a78a40 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,7 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
+gmscore_app kernel security b/303319090
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
@@ -18,8 +19,12 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
+mediaprovider_app device_config_media_native_prop file b/308043377
mediaswcodec ashmem_device chr_file b/142679232
+nfc device_config_media_native_prop file b/308043377
+platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
+platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
@@ -28,4 +33,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
+zygote labeledfs filesystem b/170748799
\ No newline at end of file
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 96d7dbd..76ffba6 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -7,3 +7,4 @@
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir r_dir_perms;
+allow cameraserver virtual_camera:binder call;
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 7315687..408cf33 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,13 +1,15 @@
;; types removed from current policy
(type ashmemd)
+(type clatd_exec)
+(type clatd)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_vold_prop)
(type exported2_config_prop)
(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
-(type install_recovery)
(type install_recovery_exec)
+(type install_recovery)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 83d83ff..f95488c 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,11 +1,16 @@
;; types removed from current policy
+(type adbd_prop)
(type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_ffs_prop)
(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
(type exported_radio_prop)
+(type exported_system_radio_prop)
(type exported_vold_prop)
(type exported_wifi_prop)
(type exported2_config_prop)
@@ -16,8 +21,19 @@
(type exported3_default_prop)
(type exported3_radio_prop)
(type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
(type system_radio_prop)
(type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
(typeattribute binder_in_vendor_violators)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 7a5ca9a..ea4ed5d 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -18,15 +18,18 @@
credential_service
device_as_webcam
device_config_camera_native_prop
+ device_config_core_experiments_team_internal_prop
device_config_edgetpu_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
device_config_updatable_service
device_config_vendor_system_native_prop
+ device_config_aconfig_flags_prop
devicelock_service
fwk_altitude_service
fwk_camera_service
fwk_sensor_service
+ game_manager_config_prop
grammatical_inflection_service
graphics_config_writable_prop
hal_bluetooth_service
@@ -47,7 +50,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
@@ -62,6 +64,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 80d48da..aa8a56c 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1604,7 +1604,7 @@
(typeattributeset default_android_vndservice_34_0 (default_android_vndservice))
(typeattributeset default_prop_34_0 (default_prop))
(typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant))
-(typeattributeset device_34_0 (device))
+(typeattributeset device_34_0 (device vfio_device))
(typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop))
(typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop))
(typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index aae1ac1..ddaa7e2 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -5,7 +5,26 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ archive_service
+ dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_authgraph_service
+ vibrator_control_service
+ hal_codec2_service
+ hal_macsec_service
hal_threadnetwork_service
+ virtual_camera_service
+ ot_daemon_service
+ remote_auth_service
+ security_state_service
+ sysfs_sync_on_suspend
+ threadnetwork_service
+ device_config_aconfig_flags_prop
+ proc_memhealth
+ virtual_device_native_service
+ next_boot_prop
+ binderfs_logs_stats
+ drm_forcel3_prop
+ proc_percpu_pagelist_high_fraction
))
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..f9b47df 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -150,6 +150,7 @@
-apexd
-init
-ueventd
+ -vfio_handler
-vold
} sysfs:file no_rw_file_perms;
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 60962cb..6cc1828 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -32,6 +32,9 @@
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
+# Read Vendor APEX directories
+allow crash_dump vendor_apex_metadata_file:dir { getattr search };
+
###
### neverallow assertions
###
diff --git a/private/crosvm.te b/private/crosvm.te
index 8a6bd24..afcaa3d 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,8 +27,9 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), and instance.img (app_data_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
@@ -36,6 +37,7 @@
app_data_file
privapp_data_file
apex_compos_data_file
+ apex_virt_data_file
shell_data_file
}:file { getattr read ioctl lock };
@@ -64,6 +66,7 @@
app_data_file
privapp_data_file
apex_compos_data_file
+ apex_virt_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -84,7 +87,7 @@
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file read;
+dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -92,6 +95,14 @@
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
+# Allow crosvm to interact to VFIO device
+allow crosvm vfio_device:chr_file rw_file_perms;
+allow crosvm vfio_device:dir r_dir_perms;
+
+# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
+allow crosvm virtualizationmanager:fd use;
+allow crosvm virtualizationservice_data_file:file read;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 379e32c..18600d8 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -84,7 +84,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index 692c962..0861fa5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
@@ -668,6 +667,7 @@
userdebug_or_eng(`
-init
-hal_dumpstate
+ -incidentd
')
} { debugfs_type
userdebug_or_eng(`-debugfs_kcov')
@@ -678,6 +678,16 @@
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+# Restrict CAP_PERFMON.
+neverallow {
+ domain
+ -init
+ -vendor_modprobe
+ userdebug_or_eng(`-simpleperf_boot')
+ -kernel
+ -uprobestats
+} self:capability2 perfmon;
+
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b369797..18924ca 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -56,6 +56,9 @@
binder_call(dumpstate, profcollectd)
')
+# Allow dumpstate to talk to automotive_display_service over binder
+binder_call(dumpstate, automotive_display_service)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
diff --git a/private/file.te b/private/file.te
index e48fc4c..f4c3e2d 100644
--- a/private/file.te
+++ b/private/file.te
@@ -8,6 +8,7 @@
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
+type fs_bpf_uprobe_private, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -67,6 +68,9 @@
# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# /data/misc/apexdata/com.android.virt
+type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
@@ -98,7 +102,7 @@
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootanim
+# /data/misc/bootanim
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
@@ -114,13 +118,6 @@
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;
-# /metadata/sepolicy
-type sepolicy_metadata_file, file_type;
-
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
-
# /apex/com.android.art/bin/art_exec
# This executable does not have its own domain because it is executed in the caller's domain. For
# example, it is executed in the `artd` domain when artd calls it.
@@ -136,3 +133,9 @@
# /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
+
+# Type for /system/fonts/font_fallback.xm
+type system_font_fallback_file, system_file_type, file_type;
+
+# Type for /sys/devices/uprobe.
+type sysfs_uprobe, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 123e4ed..2481c07 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -32,6 +32,7 @@
/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
+/bootstrap-apex u:object_r:apex_mnt_dir:s0
# Postinstall directories
/postinstall u:object_r:postinstall_mnt_dir:s0
@@ -154,6 +155,7 @@
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
@@ -190,6 +192,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vfio(/.*)? u:object_r:vfio_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
@@ -197,20 +200,14 @@
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
-# Apex sepoolicy files.
-/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
-/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
-/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
-/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
-/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
-
#############################
# System files
#
@@ -232,9 +229,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
@@ -257,7 +251,6 @@
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
@@ -342,18 +335,19 @@
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/font_fallback.xml u:object_r:system_font_fallback_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
@@ -371,7 +365,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/btfloader u:object_r:bpfloader_exec:s0
+/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -385,6 +379,7 @@
/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
+/system/bin/uprobestats u:object_r:uprobestats_exec:s0
#############################
# Vendor files
@@ -497,6 +492,9 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
@@ -565,7 +563,6 @@
/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
@@ -601,6 +598,7 @@
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.virt(/.*)? u:object_r:apex_virt_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
@@ -639,8 +637,8 @@
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
@@ -683,6 +681,7 @@
/data/vendor_ce/.* u:object_r:vendor_data_file:s0
/data/vendor_de u:object_r:vendor_userdir_file:s0
/data/vendor_de/.* u:object_r:vendor_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
@@ -737,7 +736,7 @@
/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
# Boot animation data
-/data/bootanim(/.*)? u:object_r:bootanim_data_file:s0
+/data/misc/bootanim(/.*)? u:object_r:bootanim_data_file:s0
#############################
# Expanded data files
#
@@ -841,10 +840,10 @@
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
-/metadata/sepolicy(/.*)? u:object_r:sepolicy_metadata_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 9480b40..b7f5808 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -3,6 +3,7 @@
init_daemon_domain(flags_health_check)
set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_core_experiments_team_internal_prop)
set_prop(flags_health_check, device_config_edgetpu_native_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
@@ -24,6 +25,7 @@
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_aconfig_flags_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
@@ -31,6 +33,8 @@
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
+set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, next_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 2e5089c..a3765ec 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -14,8 +14,3 @@
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 759ac38..41c60df 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -19,6 +19,7 @@
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /memhealth u:object_r:proc_memhealth:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
@@ -91,6 +92,7 @@
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
+genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -156,6 +158,7 @@
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
@@ -176,6 +179,7 @@
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
+genfscon sysfs /devices/uprobe u:object_r:sysfs_uprobe:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
@@ -284,6 +288,8 @@
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -349,6 +355,8 @@
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
@@ -385,6 +393,7 @@
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
@@ -410,3 +419,4 @@
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
+genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 46b90c6..859c2ec 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
@@ -46,6 +45,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index e86b3bf..bf98d31 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,9 +29,7 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
+userdebug_or_eng(`allow incidentd debugfs_wakeup_sources:file r_file_perms');
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/installd.te b/private/installd.te
index 7615c92..f9fb206 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -54,3 +54,7 @@
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
+
+# Allow installd to enable fs-verity for app file passed as FD;
+allow installd { untrusted_app_all priv_app gmscore_app }:fd use;
+allowxperm installd app_data_file_type:file ioctl FS_IOC_ENABLE_VERITY;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a74..5d4070d 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -21,6 +21,8 @@
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/kernel.te b/private/kernel.te
index 03ba79f..2d46b3e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -44,19 +44,3 @@
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
- file_contexts_file
- hwservice_contexts_file
- mac_perms_file
- property_contexts_file
- seapp_contexts_file
- sepolicy_test_file
- service_contexts_file
-}:file relabelto;
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76..73961ac 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,7 +26,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971..868bf15 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
0 u:object_r:su_key:s0
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
1 u:object_r:shell_key:s0
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 9f5f87e..09ba079 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -18,6 +18,16 @@
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
read_fstab(lpdumpd)
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(lpdumpd, sysfs_dt_firmware_android);
+allow lpdumpd proc_cmdline:file r_file_perms;
+
+# Allow reading Virtual A/B status information.
+get_prop(lpdumpd, virtual_ab_prop)
+allow lpdumpd metadata_file:dir search;
+allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
+allow lpdumpd ota_metadata_file:file r_file_perms;
+
### Neverallow rules
# Disallow other domains to get lpdump_service and call lpdumpd.
diff --git a/private/network_stack.te b/private/network_stack.te
index d9135a1..8e09be8 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -43,7 +43,6 @@
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
@@ -63,6 +62,8 @@
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
+get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
deleted file mode 100644
index 12e7ce2..0000000
--- a/private/ot_ctl.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
-#
-
-type ot_ctl, domain, coredomain;
-type ot_ctl_exec, exec_type, system_file_type, file_type;
-
-init_daemon_domain(ot_ctl)
-
-# Allow the ot_ctl to read/write the socket file.
-allow ot_ctl threadnetwork_data_file:sock_file {read write};
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index b22ff90..066d3d5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,4 +17,18 @@
allow ot_daemon threadnetwork_data_file:file create_file_perms;
allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
+# Allow OT daemon to read/write on the socket created by System Server
+allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
+
hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)
+
+# Allow OT daemon to write to statsd
+unix_socket_send(ot_daemon, statsdw, statsd)
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/private/platform_app.te b/private/platform_app.te
index 1bd0020..cd95353 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -116,6 +116,9 @@
# allow platform apps to read qemu.hw.mainkeys
get_prop(platform_app, qemu_hw_prop)
+# allow platform apps to read sys.boot.reason.last
+get_prop(platform_app, last_boot_reason_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 52077ef..cadefe1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -176,6 +176,9 @@
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
get_prop(priv_app, incremental_prop)
+# allow privileged apps to read the device config flags.
+get_prop(priv_app, device_config_aconfig_flags_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/profman.te b/private/profman.te
index 390f83e..7ad49b2 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -10,3 +10,8 @@
# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;
+
+# Allow profman to read from memfd created by artd.
+# profman needs to read the embedded profile that artd extracts from an APK,
+# which is passed by a memfd.
+allow profman artd_tmpfs:file { getattr read map lock };
diff --git a/private/property.te b/private/property.te
index 66c9cea..e1b42a0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -14,6 +15,7 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
@@ -29,6 +31,7 @@
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
@@ -50,6 +53,11 @@
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
+system_internal_prop(enable_16k_pages_prop)
+system_internal_prop(sensors_config_prop)
+system_internal_prop(hypervisor_pvmfw_prop)
+system_internal_prop(hypervisor_virtualizationmanager_prop)
+system_internal_prop(game_manager_config_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index d556acf..69e4ec2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -115,6 +115,7 @@
suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -253,6 +254,7 @@
persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
+persist.device_config.core_experiments_team_internal. u:object_r:device_config_core_experiments_team_internal_prop:s0
persist.device_config.edgetpu_native. u:object_r:device_config_edgetpu_native_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
@@ -268,12 +270,17 @@
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.aconfig_flags. u:object_r:device_config_aconfig_flags_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
persist.device_config.memory_safety_native_boot. u:object_r:device_config_memory_safety_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
+persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+
+# Properties that is for staging
+next_boot. u:object_r:next_boot_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -409,6 +416,7 @@
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camera.disableJpegR u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableVirtualCamera u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -505,6 +513,7 @@
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+media.c2.hal.selection u:object_r:codec2_config_prop:s0 exact enum aidl hidl
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
@@ -576,6 +585,7 @@
bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.sim.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
@@ -667,6 +677,7 @@
ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.assistant_vol_min u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
@@ -698,6 +709,9 @@
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
+hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
hypervisor.memory_reclaim.supported u:object_r:hypervisor_restricted_prop:s0 exact bool
@@ -706,6 +720,7 @@
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.delay_monitors_until_boot u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
@@ -812,6 +827,7 @@
drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
+persist.drm.forcel3.enabled u:object_r:drm_forcel3_prop:s0 exact bool
drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
@@ -942,6 +958,10 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
+
+# Property for enabling 16k pages developer option.
+ro.product.build.16k_page.enabled u:object_r:enable_16k_pages_prop:s0 exact bool
+
ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.force.debuggable u:object_r:build_prop:s0 exact bool
@@ -1110,6 +1130,8 @@
ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -1141,6 +1163,7 @@
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file managed none
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+ro.property_service.async_persist_writes u:object_r:build_config_prop:s0 exact bool
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
@@ -1324,6 +1347,8 @@
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.prime_shader_cache.ultrahdr u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.game_default_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1566,3 +1591,9 @@
# Properties for Quick Start setup.
ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
+
+# Properties for sensor service
+sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
+
+# Propertues for game manager service
+persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
diff --git a/private/rs.te b/private/rs.te
index 906373b..2674c0e 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -32,6 +32,10 @@
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
+# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
+# renderscript usages shouldn't be popping up.
+dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
+
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
neverallow rs rs:capability_class_set *;
diff --git a/private/runas_app.te b/private/runas_app.te
index a5f47f4..9142a19 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -30,3 +30,6 @@
# processes, but not the whole system.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
+
+# Suppress bionic loader denial /data/local/tests directories.
+dontaudit runas_app shell_test_data_file:dir search;
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index d45da88..bb15057 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@@ -3,89 +3,7 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
new file mode 100644
index 0000000..bb531ca
--- /dev/null
+++ b/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+ cameraserver_service
+ ephemeral_app_api_service
+ mediadrmserver_service
+ radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:dir rw_dir_perms;
diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
new file mode 100644
index 0000000..55e5bc1
--- /dev/null
+++ b/private/sdk_sandbox_current.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index abd6c7b..74701df 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -13,6 +13,7 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
+# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,9 +48,21 @@
# be mapped to isolated_compute_app by default. It is expected to be used together
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
+# An unspecified isIsolatedComputeApp defaults to false.
+#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
+# An unspecified isSdkSandboxNext defaults to false.
+#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
@@ -67,8 +80,8 @@
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
-# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
-# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
+# (9) Platform seapp_contexts files (system, system_ext, product) before
+# vendor seapp_contexts files (vendor, odm).
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -159,6 +172,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
+user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
@@ -171,6 +185,7 @@
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service.te b/private/service.te
index f07400b..861afb3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -21,4 +21,6 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
+type vfio_handler_service, service_manager_type;
type uce_service, service_manager_type;
+type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index a731dfd..898cb14 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -24,6 +24,7 @@
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
+android.hardware.biometrics.face.IFace/virtual u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
@@ -33,6 +34,7 @@
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.camera.provider.ICameraProvider/virtual/0 u:object_r:virtual_camera_service:s0
android.hardware.cas.IMediaCasService/default u:object_r:hal_cas_service:s0
android.hardware.confirmationui.IConfirmationUI/default u:object_r:hal_confirmationui_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
@@ -49,6 +51,9 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.macsec.IMacsecPskPlugin/default u:object_r:hal_macsec_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
@@ -85,6 +90,7 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
@@ -146,6 +152,7 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
+android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
@@ -153,6 +160,7 @@
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
+archive u:object_r:archive_service:s0
attestation_verification u:object_r:attestation_verification_service:s0
blob_store u:object_r:blob_store_service:s0
gsiservice u:object_r:gsi_service:s0
@@ -316,6 +324,7 @@
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
otadexopt u:object_r:otadexopt_service:s0
+ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0
pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
@@ -343,6 +352,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+remote_auth u:object_r:remote_auth_service:s0
remote_provisioning u:object_r:remote_provisioning_service:s0
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
@@ -360,6 +370,7 @@
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
@@ -407,6 +418,7 @@
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
+thread_network u:object_r:threadnetwork_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
@@ -424,8 +436,10 @@
uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
+vibrator_control u:object_r:vibrator_control_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
virtualdevice u:object_r:virtual_device_service:s0
+virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
@@ -433,6 +447,7 @@
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
+wearable_sensing u:object_r:wearable_sensing_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/shell.te b/private/shell.te
index 1b859d1..aa6bef8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -250,3 +250,6 @@
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
+# Allow shell to read the build properties for attestation feature
+get_prop(shell, build_attestation_prop)
+
diff --git a/private/system_app.te b/private/system_app.te
index e2bec30..06b0feb 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -52,6 +52,7 @@
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
+set_prop(system_app, drm_forcel3_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
@@ -66,6 +67,9 @@
# Allow developer settings to query gsid status
get_prop(system_app, gsid_prop)
+# Allow developer settings to check 16k pages boot option status
+get_prop(system_app, enable_16k_pages_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
@@ -117,26 +121,6 @@
# Ignore access to zram when Debug.getMemInfo is called.
dontaudit system_app sysfs_zram:dir search;
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
allow system_app keystore:keystore2_key {
delete
get_info
diff --git a/private/system_server.te b/private/system_server.te
index e78a734..97e64af 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -147,9 +147,6 @@
sys_tty_config
};
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;
@@ -296,6 +293,7 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -308,6 +306,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
@@ -743,6 +742,7 @@
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
+set_prop(system_server, device_config_core_experiments_team_internal_prop)
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
@@ -764,15 +764,20 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_aconfig_flags_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
+set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
+# staged flag properties
+set_prop(system_server, next_boot_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -854,6 +859,10 @@
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)
+# Allow the sensor service (running in the system service) to read sensor
+# configuration properties
+get_prop(system_server, sensors_config_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -919,6 +928,9 @@
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;
+# Read /sys/fs/selinux/policy
+allow system_server kernel:security read_policy;
+
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server audioserver_service:service_manager find;
@@ -949,11 +961,13 @@
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
+allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
+allow system_server virtual_camera_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
@@ -963,34 +977,13 @@
add_service(system_server, batteryproperties_service)
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
allow system_server keystore:keystore2 {
add_auth
change_password
change_user
clear_ns
clear_uid
- get_state
+ get_last_auth_time
lock
pull_metrics
reset
@@ -1043,6 +1036,7 @@
# Create new process groups and clean up old cgroups
allow system_server cgroup:dir create_dir_perms;
+allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };
@@ -1107,7 +1101,7 @@
allow system_server toolbox_exec:file rx_file_perms;
# Allow system process to setup fs-verity
-allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
@@ -1138,6 +1132,7 @@
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
+r_dir_file(system_server, proc_memhealth)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
@@ -1190,6 +1185,9 @@
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit system_server self:key_socket getopt;
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
@@ -1308,6 +1306,7 @@
-system_server
-flags_health_check
} {
+ device_config_core_experiments_team_internal_prop
device_config_activity_manager_native_boot_prop
device_config_connectivity_prop
device_config_input_native_boot_prop
@@ -1324,7 +1323,10 @@
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
device_config_swcodec_native_prop
+ device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
+ device_config_tethering_u_or_later_native_prop
+ next_boot_prop
}:property_service set;
# Only allow system_server and init to set tuner_server_ctl_prop
@@ -1441,6 +1443,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
@@ -1540,5 +1545,16 @@
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+# Allow reading /system/etc/font_fallback.xml
+allow system_server system_font_fallback_file:file r_file_perms;
+
# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)
+
+# Allow system server to read binderfs
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs_stats:file r_file_perms;
+
+# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
+set_prop(system_server, game_manager_config_prop)
+
diff --git a/private/system_suspend.te b/private/system_suspend.te
index bef7c6d..683d913 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -37,6 +37,9 @@
allow system_suspend sysfs_wake_lock:file rw_file_perms;
allow system_suspend self:global_capability2_class_set block_suspend;
+# Allow init to set /sys/power/sync_on_suspend.
+allow init sysfs_sync_on_suspend:file w_file_perms;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/traced.te b/private/traced.te
index fc75239..d4e5bec 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -52,6 +52,11 @@
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
+# Allow setting debug properties which guard initialization of the Perfetto SDK
+# in SurfaceFlinger and HWUI's copy of Skia.
+# Required for the android.sdk_sysprop_guard data source.
+# TODO(b/281329340): remove this when no longer needed.
+set_prop(traced, debug_prop)
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 2937e26..a743917 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -10,6 +10,8 @@
allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:file { getattr r_file_perms unlink };
allow traceur_app atrace_exec:file rx_file_perms;
# To exec the perfetto cmdline client and pass it the trace config on
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2c0391f..d59245c 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -59,3 +59,12 @@
auditallow untrusted_app_25 mdnsd_socket:sock_file write;
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_25 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 163803a..8c970d8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -47,3 +47,12 @@
auditallow untrusted_app_27 mdnsd_socket:sock_file write;
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_27 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 758ed23..ed0bbfc 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -25,3 +25,12 @@
auditallow untrusted_app_29 mdnsd_socket:sock_file write;
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_29 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 830106d..c87548e 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -27,3 +27,12 @@
auditallow untrusted_app_30 mdnsd_socket:sock_file write;
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_30 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
index 643c122..6e95fd1 100644
--- a/private/untrusted_app_32.te
+++ b/private/untrusted_app_32.te
@@ -28,3 +28,12 @@
auditallow untrusted_app_32 mdnsd_socket:sock_file write;
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_32 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/uprobestats.te b/private/uprobestats.te
new file mode 100644
index 0000000..f2a4ae3
--- /dev/null
+++ b/private/uprobestats.te
@@ -0,0 +1,16 @@
+type uprobestats, domain, coredomain;
+
+typeattribute uprobestats bpfdomain;
+
+type uprobestats_exec, system_file_type, exec_type, file_type;
+
+# Allow uprobestats to be invoked by statsd.
+domain_auto_trans(statsd, uprobestats_exec, uprobestats)
+
+allow uprobestats fs_bpf_uprobe_private:file { read write };
+allow uprobestats fs_bpf_uprobe_private:dir search;
+allow uprobestats bpfloader:bpf { map_read map_write prog_run };
+allow uprobestats self:capability2 perfmon;
+allow uprobestats self:perf_event { cpu open write };
+allow uprobestats sysfs_uprobe:file { open read };
+allow uprobestats sysfs_uprobe:dir { search };
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
new file mode 100644
index 0000000..1b553e9
--- /dev/null
+++ b/private/vfio_handler.te
@@ -0,0 +1,35 @@
+# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+type vfio_handler, domain, coredomain;
+type vfio_handler_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+init_daemon_domain(vfio_handler)
+
+# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+add_service(vfio_handler, vfio_handler_service)
+
+# Let the vfio_handler domain use Binder.
+binder_use(vfio_handler)
+
+# Allow vfio_handler to check if VFIO is supported
+allow vfio_handler vfio_device:chr_file getattr;
+allow vfio_handler vfio_device:dir r_dir_perms;
+
+# Allow vfio_handler to bind/unbind platform devices
+allow vfio_handler sysfs:dir r_dir_perms;
+allow vfio_handler sysfs:file rw_file_perms;
+
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+allow vfio_handler virtualizationservice:fd use;
+allow vfio_handler virtualizationservice_data_file:file write;
+
+# vfio_handler can only use fd from virtualizationservice, and can't open files itself
+neverallow vfio_handler virtualizationservice_data_file:file { open create };
+
+# Allow vfio_handler to search /dev/block for accessing dtbo.img
+allow vfio_handler block_device:dir search;
+allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+
+# Only vfio_handler can add vfio_handler_service
+neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
new file mode 100644
index 0000000..765a59f
--- /dev/null
+++ b/private/virtual_camera.te
@@ -0,0 +1,20 @@
+# virtual_camera - virtual camera daemon
+
+type virtual_camera, domain, coredomain;
+type virtual_camera_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(virtual_camera)
+
+# Since virtual_camera is not a real HAL we don't set the
+# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
+# we actually need from halserverdomain and hal_camera_server:
+binder_use(virtual_camera)
+
+# Allow virtual_camera to use fd from apps
+allow virtual_camera { appdomain -isolated_app }:fd use;
+
+# Only allow virtual_camera to add a virtual_camera_service and no one else.
+add_service(virtual_camera, virtual_camera_service);
+
+# Allow virtual_camera to map graphic buffers
+hal_client_domain(virtual_camera, hal_graphics_allocator)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index b6bcd98..d6f0e19 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -5,7 +5,7 @@
# Allow virtualizationmanager to communicate use, read and write over the adb connection.
allow virtualizationmanager adbd:fd use;
-allow virtualizationmanager adbd:unix_stream_socket { read write };
+allow virtualizationmanager adbd:unix_stream_socket { getattr read write };
# Allow writing VM logs to the shell console
allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
@@ -40,6 +40,7 @@
allow virtualizationmanager {
app_data_file
apex_compos_data_file
+ apex_virt_data_file
privapp_data_file
}:file { getattr read write };
@@ -65,6 +66,16 @@
get_prop(virtualizationmanager, hypervisor_prop)
get_prop(virtualizationmanager, hypervisor_restricted_prop)
+# Allow virtualizationmanager to be read custom pvmfw.img configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
+dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+
+# Allow virtualizationmanager to be read custom virtualizationmanager configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
+dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 561e778..93cd04c 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
+# Let virtualizationservice find and communicate with vfio_handler.
+allow virtualizationservice vfio_handler_service:service_manager find;
+binder_call(virtualizationservice, vfio_handler)
+
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
@@ -30,13 +34,23 @@
# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
+allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
+# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
+virtualizationservice_use(virtualizationservice)
+
+# Allow virtualizationservice to read and write in the apex data directory
+# /data/misc/apexdata/com.android.virt
+allow virtualizationservice apex_module_data_file:dir search;
+allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
+allow virtualizationservice apex_virt_data_file:file create_file_perms;
+
# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
@@ -54,6 +68,16 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
+# Allow virtualizationservice to check if VFIO is supported
+allow virtualizationservice vfio_device:chr_file getattr;
+allow virtualizationservice vfio_device:dir r_dir_perms;
+
+# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
+allow virtualizationservice virtualizationmanager:fd use;
+
+# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
+r_dir_file(virtualizationservice, vendor_configs_file)
+
neverallow {
domain
-init
@@ -72,3 +96,6 @@
-virtualizationmanager
-virtualizationservice
}:process setrlimit;
+
+# Only virtualizationservice can communicate to vfio_handler
+neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
diff --git a/private/vold.te b/private/vold.te
index 957e5d0..4256ac3 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -7,6 +7,10 @@
domain_auto_trans(vold, sdcardd_exec, sdcardd);
domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
+# Switch to e2fs domain when running mkfs.ext4 to format a partition
+domain_auto_trans(vold, e2fs_exec, e2fs);
+
+
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, blkid_exec, blkid);
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 0556950..7b05af2 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,8 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+allow webview_zygote properties_device:dir mounton;
+
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
diff --git a/private/zygote.te b/private/zygote.te
index c5cc73a..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -76,6 +76,8 @@
user_profile_data_file
# /storage/emulated/$userId/Android/{data,obb}
media_rw_data_file
+ # /dev/__properties__
+ properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
@@ -265,6 +267,9 @@
# Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs)
+# Allow zygote to read fonts_customization.xml for preloading font files that matches device locale.
+allow zygote system_font_fallback_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/attributes b/public/attributes
index cb46856..fa47b25 100644
--- a/public/attributes
+++ b/public/attributes
@@ -221,7 +221,8 @@
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
-# All domains used for binder service domains.
+# Specific domains that expose a binder service.
+# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
@@ -330,6 +331,7 @@
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
+hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
@@ -363,6 +365,7 @@
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
+hal_attribute(macsec);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index c88e3f0..8a4016c 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -37,6 +37,7 @@
allow cameraserver hidl_token_hwservice:hwservice_manager find;
allow cameraserver hal_camera_service:service_manager find;
+allow cameraserver virtual_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/device.te b/public/device.te
index fa29256..4a824c9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -93,6 +93,10 @@
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
+# dtbo block device, type used for getting DTBO information for AVF.
+# Documented at https://source.android.com/docs/core/architecture/dto/partitions
+type dtbo_block_device, dev_type;
+
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
@@ -129,3 +133,6 @@
# Root disk file for disk tunables
type rootdisk_sysdev, dev_type;
+
+# vfio device
+type vfio_device, dev_type;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 86f1eb1..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,6 +23,3 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/public/domain.te b/public/domain.te
index 4ad73f1..ec8b247 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -57,6 +57,9 @@
allow domain method_trace_data_file:file create_file_perms;
')
+# Allow everyone to read aconfig flags
+get_prop(domain, device_config_aconfig_flags_prop);
+
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
@@ -334,10 +337,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
###
### neverallow rules
###
@@ -437,6 +436,10 @@
neverallow * init:binder *;
neverallow * vendor_init:binder *;
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
@@ -579,7 +582,6 @@
-init
-recovery
-system_server
- -shell # Shell is further restricted in shell.te
-ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4877f14..496d95974 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -146,11 +146,12 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
+binder_call(dumpstate, { appdomain artd netd wificond })
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
@@ -379,6 +380,7 @@
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
use_apex_info(dumpstate)
diff --git a/public/e2fs.te b/public/e2fs.te
index 6bce10f..973abb9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,6 +9,12 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allow e2fs zoned_block_device:blk_file rw_file_perms;
+# Vold needs to capture mkfs.ext4's output
+allow e2fs vold:fd use;
+# Need to be able to format a partition
+allow e2fs sysfs_dm:dir r_dir_perms;
+allow e2fs sysfs_dm:file r_file_perms;
+
allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8452b97..788a76f 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -87,7 +87,6 @@
allow fastbootd cache_file:dir search;
allow fastbootd proc_filesystems:file { getattr open read };
allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
diff --git a/public/file.te b/public/file.te
index f7fafcb..091c557 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
+type binderfs_logs_stats, fs_type;
type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
@@ -15,6 +16,7 @@
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
+type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -46,6 +48,7 @@
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
+type proc_memhealth, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
@@ -115,6 +118,7 @@
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
+type sysfs_sync_on_suspend, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
@@ -287,6 +291,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf2411..eab38dd 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -17,7 +17,6 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..0035bc6 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -22,7 +22,6 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;
diff --git a/public/hal_authgraph.te b/public/hal_authgraph.te
new file mode 100644
index 0000000..f053cb0
--- /dev/null
+++ b/public/hal_authgraph.te
@@ -0,0 +1,7 @@
+binder_call(hal_authgraph_client, hal_authgraph_server)
+
+hal_attribute_service(hal_authgraph, hal_authgraph_service)
+binder_call(hal_authgraph_server, servicemanager)
+
+allow hal_authgraph_server tee_device:chr_file rw_file_perms;
+allow hal_authgraph_server ion_device:chr_file r_file_perms;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..f05e00a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 34ca0b2..0ee0c5f 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -13,6 +13,8 @@
# Permit reading device's serial number from system properties
get_prop(hal_drm_server, serialno_prop)
+# Permit reading force L3 system property
+get_prop(hal_drm_server, drm_forcel3_prop)
# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 193b05a..eaa223b 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -9,6 +9,8 @@
binder_call(hal_dumpstate_server, servicemanager)
+binder_use(hal_dumpstate_server)
+
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_face.te b/public/hal_face.te
index 0134576..e14666a 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_face, hal_face_hwservice)
hal_attribute_service(hal_face, hal_face_service)
-binder_call(hal_face_server, servicemanager)
+binder_use(hal_face_server)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/hal_macsec.te b/public/hal_macsec.te
new file mode 100644
index 0000000..27225db
--- /dev/null
+++ b/public/hal_macsec.te
@@ -0,0 +1,7 @@
+# Binder IPC from client to server, and callbacks
+binder_call(hal_macsec_client, hal_macsec_server)
+binder_call(hal_macsec_server, hal_macsec_client)
+
+hal_attribute_service(hal_macsec, hal_macsec_service)
+
+binder_use(hal_macsec_server)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index e21796a..306d459 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index c902495..85b8e8c 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -12,3 +12,6 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
+
+# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
+allow hal_vibrator vibrator_control_service:service_manager find;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b531a22..498469d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -11,7 +11,6 @@
r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)
-allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
diff --git a/public/init.te b/public/init.te
index c01dc93..29dd42d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -26,7 +26,7 @@
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
@@ -56,6 +56,7 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.
diff --git a/public/logpersist.te b/public/logpersist.te
index 6c1c404..f2e856b 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -28,3 +28,8 @@
# -system_app # Smith.apk
# } logpersist:process transition;
neverallow * logpersist:process dyntransition;
+
+allowxperm logpersist misc_logd_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+};
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/netd.te b/public/netd.te
index a5c27f9..41ae9ec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -185,6 +185,4 @@
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
-dontaudit netd kernel:system module_request;
-
dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/property.te b/public/property.te
index 17a9845..1a5b105 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(composd_vm_art_prop)
+system_restricted_prop(device_config_aconfig_flags_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_media_native_prop)
@@ -74,6 +75,7 @@
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_vendor_system_native_boot_prop)
+system_restricted_prop(drm_forcel3_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
@@ -102,7 +104,6 @@
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_restricted_prop(config_prop)
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..b0383f0 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -13,7 +13,6 @@
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
@@ -26,10 +25,3 @@
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/public/service.te b/public/service.te
index fc966b1..a208dcf 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
+type ot_daemon_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
@@ -49,6 +50,7 @@
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
type virtualization_service, service_manager_type;
+type virtual_camera_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -69,6 +71,7 @@
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type archive_service, app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -80,7 +83,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -196,6 +199,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_auth_service, app_api_service, system_server_service, service_manager_type;
type remote_provisioning_service, system_server_service, service_manager_type;
type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -208,6 +212,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -233,6 +238,7 @@
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type threadnetwork_service, app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -248,9 +254,11 @@
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_control_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
+type virtual_device_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
@@ -273,6 +281,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
@@ -280,6 +289,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
@@ -299,6 +309,7 @@
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 6c67cea..d4d13e3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -63,8 +63,6 @@
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
-r_dir_file(shell, apk_data_file)
-
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
diff --git a/public/su.te b/public/su.te
index bcdc322..2887740 100644
--- a/public/su.te
+++ b/public/su.te
@@ -48,7 +48,6 @@
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/te_macros b/public/te_macros
index c4ebc63..d2f4406 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -440,8 +440,7 @@
#####################################
# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
+# Deprecated. Consider granting the exact permissions required by your service.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
diff --git a/public/update_engine.te b/public/update_engine.te
index ab7090b..6f79902 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,9 +29,6 @@
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
@@ -76,3 +73,7 @@
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')
+
+# Allow determining filesystems available on system.
+# Needed for checking if overlayfs is enabled
+allow update_engine proc_filesystems:file r_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index 98db0d7..1bd89f5 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -33,11 +33,8 @@
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key {
get_info
use
diff --git a/tests/Android.bp b/tests/Android.bp
index cc0bdc1..743c856 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -50,9 +50,7 @@
},
libs: [
"mini_cil_parser",
- "pysepolwrap",
],
- data: [":libsepolwrap"],
}
python_binary_host {
@@ -146,3 +144,35 @@
name: "check_prop_prefix",
srcs: ["check_prop_prefix.py"],
}
+
+python_binary_host {
+ name: "sepolicy_freeze_test",
+ srcs: [
+ "sepolicy_freeze_test.py",
+ ],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
+ libs: [
+ "mini_cil_parser",
+ ],
+}
+
+python_test_host {
+ name: "policy_test",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ "policy_test.py",
+ ],
+ test_options: {
+ unit_test: true,
+ },
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
+}
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 518ebbc..3c51b67 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -65,7 +65,13 @@
scontext: set[str]
-Rule = AllowRead
+@dataclass
+class ResolveType:
+ """Rule checking if type can be resolved"""
+ pass
+
+
+Rule = AllowRead | ResolveType
def match_path(path: str, matcher: Matcher) -> bool:
@@ -94,10 +100,18 @@
continue # no errors
errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ case ResolveType():
+ if tcontext not in pol.GetAllTypes(False):
+ errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
return errors
-rules = [
+target_specific_rules = [
+ (Glob('*'), ResolveType()),
+]
+
+
+generic_rules = [
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -114,7 +128,10 @@
]
-def check_line(pol: policy.Policy, line: str) -> List[str]:
+all_rules = target_specific_rules + generic_rules
+
+
+def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
"""Parses a file_contexts line and runs checks"""
# skip empty/comment line
line = line.strip()
@@ -151,6 +168,7 @@
def do_main(work_dir):
"""Do testing"""
parser = argparse.ArgumentParser()
+ parser.add_argument('--all', action='store_true', help='tests ALL aspects')
parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
args = parser.parse_args()
@@ -158,10 +176,15 @@
policy_path = extract_data('precompiled_sepolicy', work_dir)
pol = policy.Policy(policy_path, None, lib_path)
+ if args.all:
+ rules = all_rules
+ else:
+ rules = generic_rules
+
errors = []
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
for line in file_contexts:
- errors.extend(check_line(pol, line))
+ errors.extend(check_line(pol, line, rules))
if len(errors) > 0:
sys.exit('\n'.join(errors))
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 9c87a00..6e719ed 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -43,12 +43,12 @@
return self.__class__.pol
def assert_ok(self, line: str):
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
self.assertEqual(errors, [], "Should be no errors")
def assert_error(self, line: str, expected_error: str):
pattern = re.compile(expected_error)
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
for err in errors:
if re.search(pattern, err):
return
@@ -76,17 +76,19 @@
r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')
def test_initscripts(self):
+ # here, netd_service is chosen randomly for invalid label for a file
+
# init reads .rc file
self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init reads .#rc file
self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.32rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init skips file with unknown extension => no errors
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
- self.assert_ok('./etc/init.x32rc u:object_r:unknown:s0')
+ self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')
def test_linkerconfig(self):
self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
@@ -96,5 +98,9 @@
self.assert_error('./ u:object_r:apex_data_file:s0',
r'Error: .*linkerconfig.* can\'t read')
+ def test_unknown_label(self):
+ self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
+ r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tests/policy.py b/tests/policy.py
index 910dd3d..8fc2ef7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -30,7 +30,46 @@
# 1) there is a match - return True or 2) run out of characters - return
# False.
#
+COMMON_PREFIXES = {
+ "/(vendor|system/vendor)": ["/vendor", "/system/vendor"],
+ "/(odm|vendor/odm)": ["/odm", "/vendor/odm"],
+ "/(product|system/product)": ["/product", "/system/product"],
+ "/(system_ext|system/system_ext)": ["/system_ext", "/system/system_ext"],
+}
+
def MatchPathPrefix(pathregex, prefix):
+ # Before running regex compile loop, try two heuristics, because compiling
+ # regex is too expensive. These two can handle more than 90% out of all
+ # MatchPathPrefix calls.
+
+ # Heuristic 1: handle common prefixes for partitions
+ for c in COMMON_PREFIXES:
+ if not pathregex.startswith(c):
+ continue
+ found = False
+ for p in COMMON_PREFIXES[c]:
+ if prefix.startswith(p):
+ found = True
+ prefix = prefix[len(p):]
+ pathregex = pathregex[len(c):]
+ break
+ if not found:
+ return False
+
+ # Heuristic 2: compare normal characters as long as possible
+ idx = 0
+ while idx < len(prefix):
+ if idx == len(pathregex):
+ return False
+ if pathregex[idx] in fc_sort.META_CHARS or pathregex[idx] == '\\':
+ break
+ if pathregex[idx] != prefix[idx]:
+ return False
+ idx += 1
+ if idx == len(prefix):
+ return True
+
+ # Fall back to regex compile loop.
for i in range(len(pathregex), 0, -1):
try:
pattern = re.compile('^' + pathregex[0:i] + "$")
@@ -70,17 +109,22 @@
# Query policy for the types associated with Attr
TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.intersection(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype in TypesPol:
+ violators.add((str(filetype), str(filepath)))
+
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must not be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -107,18 +151,22 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.difference(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype not in TypesPol:
+ violators.add((str(filetype), str(filepath)))
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -295,8 +343,7 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
- Types = set()
- Files = set()
+ ret = []
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -307,9 +354,8 @@
for PathType in PathTypes:
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
- Types.add(PathType[1])
- Files.add(PathType[0])
- return Types, Files
+ ret.append(PathType)
+ return ret
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
@@ -429,6 +475,7 @@
# load file_contexts
def __InitFC(self, FcPaths):
+ self.__FcDict = {}
if FcPaths is None:
return
fc = []
@@ -438,7 +485,6 @@
fd = open(path, "r")
fc += fd.readlines()
fd.close()
- self.__FcDict = {}
for i in fc:
rec = i.split()
try:
@@ -467,3 +513,159 @@
def __del__(self):
if self.__policydbP is not None:
self.__libsepolwrap.destroy_policy(self.__policydbP)
+
+coredomainAllowlist = {
+ # TODO: how do we make sure vendor_init doesn't have bad coupling with
+ # /vendor? It is the only system process which is not coredomain.
+ 'vendor_init',
+ # TODO(b/152813275): need to avoid allowlist for rootdir
+ "modprobe",
+ "slideshow",
+ }
+
+class scontext:
+ def __init__(self):
+ self.fromSystem = False
+ self.fromVendor = False
+ self.coredomain = False
+ self.appdomain = False
+ self.attributes = set()
+ self.entrypoints = []
+ self.entrypointpaths = []
+ self.error = ""
+
+class TestPolicy:
+ """A policy loaded in memory with its domains easily accessible."""
+
+ def __init__(self):
+ self.alldomains = {}
+ self.coredomains = set()
+ self.appdomains = set()
+ self.vendordomains = set()
+ self.pol = None
+
+ # compat vars
+ self.alltypes = set()
+ self.oldalltypes = set()
+ self.compatMapping = None
+ self.pubtypes = set()
+
+ def GetAllDomains(self):
+ for result in self.pol.QueryTypeAttribute("domain", True):
+ self.alldomains[result] = scontext()
+
+ def GetAppDomains(self):
+ for d in self.alldomains:
+ # The application of the "appdomain" attribute is trusted because core
+ # selinux policy contains neverallow rules that enforce that only zygote
+ # and runas spawned processes may transition to processes that have
+ # the appdomain attribute.
+ if "appdomain" in self.alldomains[d].attributes:
+ self.alldomains[d].appdomain = True
+ self.appdomains.add(d)
+
+ def GetCoreDomains(self):
+ for d in self.alldomains:
+ domain = self.alldomains[d]
+ # TestCoredomainViolations will verify if coredomain was incorrectly
+ # applied.
+ if "coredomain" in domain.attributes:
+ domain.coredomain = True
+ self.coredomains.add(d)
+ # check whether domains are executed off of /system or /vendor
+ if d in coredomainAllowlist:
+ continue
+ # TODO(b/153112003): add checks to prevent app domains from being
+ # incorrectly labeled as coredomain. Apps don't have entrypoints as
+ # they're always dynamically transitioned to by zygote.
+ if d in self.appdomains:
+ continue
+ # TODO(b/153112747): need to handle cases where there is a dynamic
+ # transition OR there happens to be no context in AOSP files.
+ if not domain.entrypointpaths:
+ continue
+
+ for path in domain.entrypointpaths:
+ vendor = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/vendor", "/odm"])
+ system = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/init", "/system_ext", "/product" ])
+
+ # only mark entrypoint as system if it is not in legacy /system/vendor
+ if MatchPathPrefix(path, "/system/vendor"):
+ vendor = True
+ elif MatchPathPrefix(path, "/system"):
+ system = True
+
+ if not vendor and not system:
+ domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+ domain.fromSystem = domain.fromSystem or system
+ domain.fromVendor = domain.fromVendor or vendor
+
+ ###
+ # Add the entrypoint type and path(s) to each domain.
+ #
+ def GetDomainEntrypoints(self):
+ for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
+ if not x.sctx in self.alldomains:
+ continue
+ self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
+ # postinstall_file represents a special case specific to A/B OTAs.
+ # Update_engine mounts a partition and relabels it postinstall_file.
+ # There is no file_contexts entry associated with postinstall_file
+ # so skip the lookup.
+ if x.tctx == "postinstall_file":
+ continue
+ entrypointpath = self.pol.QueryFc(x.tctx)
+ if not entrypointpath:
+ continue
+ self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
+
+ ###
+ # Get attributes associated with each domain
+ #
+ def GetAttributes(self):
+ for domain in self.alldomains:
+ for result in self.pol.QueryTypeAttribute(domain, False):
+ self.alldomains[domain].attributes.add(result)
+
+ def setup(self, pol):
+ self.pol = pol
+ self.GetAllDomains()
+ self.GetAttributes()
+ self.GetDomainEntrypoints()
+ self.GetAppDomains()
+ self.GetCoreDomains()
+
+ def GetAllTypes(self, basepol, oldpol):
+ self.alltypes = basepol.GetAllTypes(False)
+ self.oldalltypes = oldpol.GetAllTypes(False)
+
+ # setup for the policy compatibility tests
+ def compatSetup(self, basepol, oldpol, mapping, types):
+ self.GetAllTypes(basepol, oldpol)
+ self.compatMapping = mapping
+ self.pubtypes = types
+
+ def DomainsWithAttribute(self, attr):
+ domains = []
+ for domain in self.alldomains:
+ if attr in self.alldomains[domain].attributes:
+ domains.append(domain)
+ return domains
+
+ def PrintScontexts(self):
+ for d in sorted(self.alldomains.keys()):
+ sctx = self.alldomains[d]
+ print(d)
+ print("\tcoredomain="+str(sctx.coredomain))
+ print("\tappdomain="+str(sctx.appdomain))
+ print("\tfromSystem="+str(sctx.fromSystem))
+ print("\tfromVendor="+str(sctx.fromVendor))
+ print("\tattributes="+str(sctx.attributes))
+ print("\tentrypoints="+str(sctx.entrypoints))
+ print("\tentrypointpaths=")
+ if sctx.entrypointpaths is not None:
+ for path in sctx.entrypointpaths:
+ print("\t\t"+str(path))
diff --git a/tests/policy_test.py b/tests/policy_test.py
new file mode 100644
index 0000000..3cf4a1b
--- /dev/null
+++ b/tests/policy_test.py
@@ -0,0 +1,56 @@
+# Copyright 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Tests for policy"""
+
+import unittest
+from policy import MatchPathPrefix
+
+# pylint: disable=missing-docstring
+class PolicyTests(unittest.TestCase):
+ def assertMatches(self, path, prefix):
+ self.assertTrue(MatchPathPrefix(path, prefix))
+
+ def assertDoesNotMatch(self, path, prefix):
+ self.assertFalse(MatchPathPrefix(path, prefix))
+
+ # tests
+
+ def test_match_path_prefix(self):
+ # check common prefix heuristics
+ self.assertMatches("/(vendor|system/vendor)/bin/sh", "/vendor/bin")
+ self.assertMatches("/(vendor|system/vendor)/bin/sh", "/system/vendor/bin"),
+ self.assertMatches("/(odm|vendor/odm)/etc/selinux", "/odm/etc"),
+ self.assertMatches("/(odm|vendor/odm)/etc/selinux", "/vendor/odm/etc"),
+ self.assertMatches("/(system_ext|system/system_ext)/bin/foo", "/system_ext/bin"),
+ self.assertMatches("/(system_ext|system/system_ext)/bin/foo", "/system/system_ext/bin"),
+ self.assertMatches("/(product|system/product)/lib/libc.so", "/product/lib"),
+ self.assertMatches("/(product|system/product)/lib/libc.so", "/system/product/lib"),
+ self.assertDoesNotMatch("/(vendor|system/vendor)/bin/sh", "/system/bin"),
+ self.assertDoesNotMatch("/(odm|vendor/odm)/etc/selinux", "/vendor/etc"),
+ self.assertDoesNotMatch("/(system_ext|system/system_ext)/bin/foo", "/system/bin"),
+ self.assertDoesNotMatch("/(product|system/product)/lib/libc.so", "/system/lib"),
+
+ # check generic regex
+ self.assertMatches("(/.*)+", "/system/etc/vintf")
+ self.assertDoesNotMatch("(/.*)+", "foo/bar/baz")
+
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/system/lib/hw/libbaz.so")
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/system/lib64/")
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/product/lib/hw/libbaz.so")
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/product/lib64/")
+ self.assertDoesNotMatch("/(system|product)/lib(64)?(/.*)+.*\.so", "/vendor/lib/hw/libbaz.so")
+ self.assertDoesNotMatch("/(system|product)/lib(64)?(/.*)+.*\.so", "/odm/lib64/")
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
new file mode 100644
index 0000000..72c8fde
--- /dev/null
+++ b/tests/sepolicy_freeze_test.py
@@ -0,0 +1,56 @@
+# Copyright 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from optparse import OptionParser
+import mini_parser
+import os
+import sys
+
+def do_main():
+ usage = "sepolicy_freeze_test "
+ usage += "-c current_cil -p prebuilt_cil [--help]"
+ parser = OptionParser(usage=usage)
+ parser.add_option("-c", "--current", dest="current", metavar="FILE")
+ parser.add_option("-p", "--prebuilt", dest="prebuilt", metavar="FILE")
+
+ (options, args) = parser.parse_args()
+
+ if not options.current or not options.prebuilt:
+ sys.exit("Must specify both current and prebuilt\n" + parser.usage)
+ if not os.path.exists(options.current):
+ sys.exit("Current policy " + options.current + " does not exist\n"
+ + parser.usage)
+ if not os.path.exists(options.prebuilt):
+ sys.exit("Prebuilt policy " + options.prebuilt + " does not exist\n"
+ + parser.usage)
+
+ current_policy = mini_parser.MiniCilParser(options.current)
+ prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
+
+ results = ""
+ removed_types = prebuilt_policy.types - current_policy.types
+ removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
+ removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
+
+ if removed_types:
+ results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
+
+ if removed_attributes:
+ results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"
+
+ if len(results) > 0:
+ sys.exit(results)
+
+if __name__ == '__main__':
+ do_main()
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 63144dd..4ef161b 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -84,8 +84,11 @@
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
+ ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+ ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
+ "/data/vendor_de/"], [], "core_data_file_type")
+ return ret
def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()
@@ -115,7 +118,152 @@
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
"dmabuf_heap_device_type")
+def TestCoredomainViolations(test_policy):
+ # verify that all domains launched from /system have the coredomain
+ # attribute
+ ret = ""
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and domain.fromVendor:
+ ret += "The following domain is system and vendor: " + d + "\n"
+
+ for domain in test_policy.alldomains.values():
+ ret += domain.error
+
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and "coredomain" not in domain.attributes:
+ violators.append(d);
+ if len(violators) > 0:
+ ret += "The following domain(s) must be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/system:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ # verify that all domains launched form /vendor do not have the coredomain
+ # attribute
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromVendor and "coredomain" in domain.attributes:
+ violators.append(d)
+ if len(violators) > 0:
+ ret += "The following domains must not be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/vendor or /system/vendor:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ return ret
+
+def TestViolatorAttribute(test_policy, attribute):
+ # TODO(b/113124961): re-enable once all violator attributes are removed.
+ return ""
+
+ # ret = ""
+ # return ret
+
+ # violators = test_policy.DomainsWithAttribute(attribute)
+ # if len(violators) > 0:
+ # ret += "SELinux: The following domains violate the Treble ban "
+ # ret += "against use of the " + attribute + " attribute: "
+ # ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ # return ret
+
+def TestViolatorAttributes(test_policy):
+ ret = ""
+ ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
+ ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
+ return ret
+
+def TestIsolatedAttributeConsistency(test_policy):
+ permissionAllowList = {
+ # access given from technical_debt.cil
+ "codec2_config_prop" : ["file"],
+ "device_config_nnapi_native_prop":["file"],
+ "hal_allocator_default":["binder", "fd"],
+ "hal_codec2": ["binder", "fd"],
+ "hal_codec2_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator": ["binder", "fd"],
+ "hal_graphics_allocator_service":["service_manager"],
+ "hal_graphics_allocator_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator_server":["binder", "service_manager"],
+ "hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
+ "hal_neuralnetworks_hwservice":["hwservice_manager"],
+ "hal_omx_hwservice":["hwservice_manager"],
+ "hidl_allocator_hwservice":["hwservice_manager"],
+ "hidl_manager_hwservice":["hwservice_manager"],
+ "hidl_memory_hwservice":["hwservice_manager"],
+ "hidl_token_hwservice":["hwservice_manager"],
+ "hwservicemanager":["binder"],
+ "hwservicemanager_prop":["file"],
+ "mediacodec":["binder", "fd"],
+ "mediaswcodec":["binder", "fd"],
+ "media_variant_prop":["file"],
+ "nnapi_ext_deny_product_prop":["file"],
+ "servicemanager":["fd"],
+ "toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
+ }
+
+ def resolveHalServerSubtype(target):
+ # permission given as a client in technical_debt.cil
+ hal_server_attributes = [
+ "hal_codec2_server",
+ "hal_graphics_allocator_server",
+ "hal_neuralnetworks_server"]
+
+ for attr in hal_server_attributes:
+ if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
+ return attr.rsplit("_", 1)[0]
+ return target
+
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+ def checkPermissions(permissions):
+ violated_permissions = []
+ for perm in permissions:
+ tctx, tclass, p = perm.split(":")
+ tctx = resolveHalServerSubtype(tctx)
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
+ or tclass not in permissionAllowList[tctx] \
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
+ violated_permissions += [perm]
+ return violated_permissions
+
+ ret = ""
+
+ isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
+ baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
+ basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in baseRules for perm in rule.perms])
+ for subType in isolatedMemberTypes:
+ if subType == "isolated_app" : continue
+ currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
+ typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in currentTypeRule for perm in rule.perms
+ if not rule.tctx in [subType, subType + "_userfaultfd"]])
+ deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
+ violated_permissions = checkPermissions(list(deltaPermissionSet))
+ for perm in violated_permissions:
+ ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
+
+ if ret:
+ ret = ("Found prohibited permission granted for isolated like types. " + \
+ "Please replace your allow statements that involve \"-isolated_app\" with " + \
+ "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
+ return ret
###
# extend OptionParser to allow the same option flag to be used multiple times.
@@ -147,6 +295,9 @@
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
"TestDmaHeapDevTypeViolations",
+ "TestCoredomainViolations",
+ "TestViolatorAttributes",
+ "TestIsolatedAttributeConsistency",
]
def do_main(libpath):
@@ -179,6 +330,8 @@
parser.usage)
pol = policy.Policy(options.policy, options.file_contexts, libpath)
+ test_policy = policy.TestPolicy()
+ test_policy.setup(pol)
results = ""
# If an individual test is not specified, run all tests.
@@ -206,6 +359,12 @@
results += TestAppDataTypeViolations(pol)
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
results += TestDmaHeapDevTypeViolations(pol)
+ if options.test is None or "TestCoredomainViolations" in options.test:
+ results += TestCoredomainViolations(test_policy)
+ if options.test is None or "TestViolatorAttributes" in options.test:
+ results += TestViolatorAttributes(test_policy)
+ if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
+ results += TestIsolatedAttributeConsistency(test_policy)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 0628d35..ff1a348 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,236 +16,30 @@
from optparse import Option, OptionValueError
import os
import mini_parser
-import pkgutil
-import policy
-from policy import MatchPathPrefix
import re
import shutil
import sys
import tempfile
-DEBUG=False
-SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
-
-# TODO(b/266998144): consider rename this file.
-
'''
-Use file_contexts and policy to verify Treble requirements
-are not violated.
+Verify that Treble compatibility are not broken.
'''
-coredomainAllowlist = {
- # TODO: how do we make sure vendor_init doesn't have bad coupling with
- # /vendor? It is the only system process which is not coredomain.
- 'vendor_init',
- # TODO(b/152813275): need to avoid allowlist for rootdir
- "modprobe",
- "slideshow",
- }
-
-class scontext:
- def __init__(self):
- self.fromSystem = False
- self.fromVendor = False
- self.coredomain = False
- self.appdomain = False
- self.attributes = set()
- self.entrypoints = []
- self.entrypointpaths = []
- self.error = ""
-
-
-class TestPolicy:
- """A policy loaded in memory with its domains easily accessible."""
-
- def __init__(self):
- self.alldomains = {}
- self.coredomains = set()
- self.appdomains = set()
- self.vendordomains = set()
- self.pol = None
-
- # compat vars
- self.alltypes = set()
- self.oldalltypes = set()
- self.compatMapping = None
- self.pubtypes = set()
-
- # Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
- self.FakeTreble = False
-
- def GetAllDomains(self):
- for result in self.pol.QueryTypeAttribute("domain", True):
- self.alldomains[result] = scontext()
-
- def GetAppDomains(self):
- for d in self.alldomains:
- # The application of the "appdomain" attribute is trusted because core
- # selinux policy contains neverallow rules that enforce that only zygote
- # and runas spawned processes may transition to processes that have
- # the appdomain attribute.
- if "appdomain" in self.alldomains[d].attributes:
- self.alldomains[d].appdomain = True
- self.appdomains.add(d)
-
- def GetCoreDomains(self):
- for d in self.alldomains:
- domain = self.alldomains[d]
- # TestCoredomainViolations will verify if coredomain was incorrectly
- # applied.
- if "coredomain" in domain.attributes:
- domain.coredomain = True
- self.coredomains.add(d)
- # check whether domains are executed off of /system or /vendor
- if d in coredomainAllowlist:
- continue
- # TODO(b/153112003): add checks to prevent app domains from being
- # incorrectly labeled as coredomain. Apps don't have entrypoints as
- # they're always dynamically transitioned to by zygote.
- if d in self.appdomains:
- continue
- # TODO(b/153112747): need to handle cases where there is a dynamic
- # transition OR there happens to be no context in AOSP files.
- if not domain.entrypointpaths:
- continue
-
- for path in domain.entrypointpaths:
- vendor = any(MatchPathPrefix(path, prefix) for prefix in
- ["/vendor", "/odm"])
- system = any(MatchPathPrefix(path, prefix) for prefix in
- ["/init", "/system_ext", "/product" ])
-
- # only mark entrypoint as system if it is not in legacy /system/vendor
- if MatchPathPrefix(path, "/system/vendor"):
- vendor = True
- elif MatchPathPrefix(path, "/system"):
- system = True
-
- if not vendor and not system:
- domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
-
- domain.fromSystem = domain.fromSystem or system
- domain.fromVendor = domain.fromVendor or vendor
-
- ###
- # Add the entrypoint type and path(s) to each domain.
- #
- def GetDomainEntrypoints(self):
- for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
- if not x.sctx in self.alldomains:
- continue
- self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
- # postinstall_file represents a special case specific to A/B OTAs.
- # Update_engine mounts a partition and relabels it postinstall_file.
- # There is no file_contexts entry associated with postinstall_file
- # so skip the lookup.
- if x.tctx == "postinstall_file":
- continue
- entrypointpath = self.pol.QueryFc(x.tctx)
- if not entrypointpath:
- continue
- self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
-
- ###
- # Get attributes associated with each domain
- #
- def GetAttributes(self):
- for domain in self.alldomains:
- for result in self.pol.QueryTypeAttribute(domain, False):
- self.alldomains[domain].attributes.add(result)
-
- def setup(self, pol):
- self.pol = pol
- self.GetAllDomains()
- self.GetAttributes()
- self.GetDomainEntrypoints()
- self.GetAppDomains()
- self.GetCoreDomains()
-
- def GetAllTypes(self, basepol, oldpol):
- self.alltypes = basepol.GetAllTypes(False)
- self.oldalltypes = oldpol.GetAllTypes(False)
-
- # setup for the policy compatibility tests
- def compatSetup(self, basepol, oldpol, mapping, types):
- self.GetAllTypes(basepol, oldpol)
- self.compatMapping = mapping
- self.pubtypes = types
-
- def DomainsWithAttribute(self, attr):
- domains = []
- for domain in self.alldomains:
- if attr in self.alldomains[domain].attributes:
- domains.append(domain)
- return domains
-
- def PrintScontexts(self):
- for d in sorted(self.alldomains.keys()):
- sctx = self.alldomains[d]
- print(d)
- print("\tcoredomain="+str(sctx.coredomain))
- print("\tappdomain="+str(sctx.appdomain))
- print("\tfromSystem="+str(sctx.fromSystem))
- print("\tfromVendor="+str(sctx.fromVendor))
- print("\tattributes="+str(sctx.attributes))
- print("\tentrypoints="+str(sctx.entrypoints))
- print("\tentrypointpaths=")
- if sctx.entrypointpaths is not None:
- for path in sctx.entrypointpaths:
- print("\t\t"+str(path))
#############################################################
# Tests
#############################################################
-def TestCoredomainViolations(test_policy):
- # verify that all domains launched from /system have the coredomain
- # attribute
- ret = ""
-
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and domain.fromVendor:
- ret += "The following domain is system and vendor: " + d + "\n"
-
- for domain in test_policy.alldomains.values():
- ret += domain.error
-
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and "coredomain" not in domain.attributes:
- violators.append(d);
- if len(violators) > 0:
- ret += "The following domain(s) must be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/system:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- # verify that all domains launched form /vendor do not have the coredomain
- # attribute
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromVendor and "coredomain" in domain.attributes:
- violators.append(d)
- if len(violators) > 0:
- ret += "The following domains must not be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/vendor or /system/vendor:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- return ret
###
# Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
- newt = test_policy.alltypes - test_policy.oldalltypes
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
+ newt = base_pub_policy.types - old_pub_policy.types
ret = ""
violators = []
for n in newt:
- if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+ if mapping.rTypeattributesets.get(n) is None:
violators.append(n)
if len(violators) > 0:
@@ -262,13 +56,13 @@
###
# Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
- rmt = test_policy.oldalltypes - test_policy.alltypes
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
+ rmt = old_pub_policy.types - base_pub_policy.types
ret = ""
violators = []
for o in rmt:
- if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+ if o in mapping.pubtypes and not o in mapping.types:
violators.append(o)
if len(violators) > 0:
@@ -281,124 +75,11 @@
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret
-def TestTrebleCompatMapping(test_policy):
- ret = TestNoUnmappedNewTypes(test_policy)
- ret += TestNoUnmappedRmTypes(test_policy)
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
+ ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
+ ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
return ret
-def TestViolatorAttribute(test_policy, attribute):
- ret = ""
- if test_policy.FakeTreble:
- return ret
-
- violators = test_policy.DomainsWithAttribute(attribute)
- if len(violators) > 0:
- ret += "SELinux: The following domains violate the Treble ban "
- ret += "against use of the " + attribute + " attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- return ret
-
-def TestViolatorAttributes(test_policy):
- ret = ""
- ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
- ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
- return ret
-
-# TODO move this to sepolicy_tests
-def TestCoreDataTypeViolations(test_policy):
- return test_policy.pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
- "/data/vendor_de/"], [], "core_data_file_type")
-
-# TODO move this to sepolicy_tests
-def TestIsolatedAttributeConsistency(test_policy):
- permissionAllowList = {
- # access given from technical_debt.cil
- "codec2_config_prop" : ["file"],
- "device_config_nnapi_native_prop":["file"],
- "hal_allocator_default":["binder", "fd"],
- "hal_codec2": ["binder", "fd"],
- "hal_codec2_hwservice":["hwservice_manager"],
- "hal_graphics_allocator": ["binder", "fd"],
- "hal_graphics_allocator_service":["service_manager"],
- "hal_graphics_allocator_hwservice":["hwservice_manager"],
- "hal_graphics_allocator_server":["binder", "service_manager"],
- "hal_graphics_mapper_hwservice":["hwservice_manager"],
- "hal_neuralnetworks": ["binder", "fd"],
- "hal_neuralnetworks_service": ["service_manager"],
- "hal_neuralnetworks_hwservice":["hwservice_manager"],
- "hal_omx_hwservice":["hwservice_manager"],
- "hidl_allocator_hwservice":["hwservice_manager"],
- "hidl_manager_hwservice":["hwservice_manager"],
- "hidl_memory_hwservice":["hwservice_manager"],
- "hidl_token_hwservice":["hwservice_manager"],
- "hwservicemanager":["binder"],
- "hwservicemanager_prop":["file"],
- "mediacodec":["binder", "fd"],
- "mediaswcodec":["binder", "fd"],
- "media_variant_prop":["file"],
- "nnapi_ext_deny_product_prop":["file"],
- "servicemanager":["fd"],
- "toolbox_exec": ["file"],
- # extra types being granted to isolated_compute_app
- "isolated_compute_allowed":["service_manager", "chr_file"],
- }
-
- def resolveHalServerSubtype(target):
- # permission given as a client in technical_debt.cil
- hal_server_attributes = [
- "hal_codec2_server",
- "hal_graphics_allocator_server",
- "hal_neuralnetworks_server"]
-
- for attr in hal_server_attributes:
- if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
- return attr.rsplit("_", 1)[0]
- return target
-
- def checkIsolatedComputeAllowed(tctx, tclass):
- # check if the permission is in isolated_compute_allowed
- allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
- .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
- return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
-
-
- def checkPermissions(permissions):
- violated_permissions = []
- for perm in permissions:
- tctx, tclass, p = perm.split(":")
- tctx = resolveHalServerSubtype(tctx)
- # check unwanted permissions
- if not checkIsolatedComputeAllowed(tctx, tclass) and \
- ( tctx not in permissionAllowList \
- or tclass not in permissionAllowList[tctx] \
- or ( p == "write") \
- or ( p == "rw_file_perms") ):
- violated_permissions += [perm]
- return violated_permissions
-
- ret = ""
-
- isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
- baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
- basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in baseRules for perm in rule.perms])
- for subType in isolatedMemberTypes:
- if subType == "isolated_app" : continue
- currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
- typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in currentTypeRule for perm in rule.perms
- if not rule.tctx in [subType, subType + "_userfaultfd"]])
- deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
- violated_permissions = checkPermissions(list(deltaPermissionSet))
- for perm in violated_permissions:
- ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
-
- if ret:
- ret = ("Found prohibited permission granted for isolated like types. " + \
- "Please replace your allow statements that involve \"-isolated_app\" with " + \
- "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
- return ret
-
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -416,111 +97,38 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = {"CoredomainViolations": TestCoredomainViolations,
- "CoreDatatypeViolations": TestCoreDataTypeViolations,
- "TrebleCompatMapping": TestTrebleCompatMapping,
- "ViolatorAttributes": TestViolatorAttributes,
- "IsolatedAttributeConsistency": TestIsolatedAttributeConsistency}
-
-def do_main(libpath):
- """
- Args:
- libpath: string, path to libsepolwrap.so
- """
- test_policy = TestPolicy()
-
+def do_main():
usage = "treble_sepolicy_tests "
- usage += "-f nonplat_file_contexts -f plat_file_contexts "
- usage += "-p curr_policy -b base_policy -o old_policy "
- usage +="-m mapping file [--test test] [--help]"
+ usage += "-b base_pub_policy -o old_pub_policy "
+ usage += "-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
- parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
- parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+ parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE")
- parser.add_option("-f", "--file_contexts", dest="file_contexts",
- metavar="FILE", action="extend", type="string")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
- parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
- parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-t", "--test", dest="tests", action="extend",
- help="Test options include "+str(Tests))
- parser.add_option("--fake-treble", action="store_true", dest="faketreble",
- default=False)
+ parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
+ metavar="FILE")
(options, args) = parser.parse_args()
- if not options.policy:
- sys.exit("Must specify current monolithic policy file\n" + parser.usage)
- if not os.path.exists(options.policy):
- sys.exit("Error: policy file " + options.policy + " does not exist\n"
- + parser.usage)
- if not options.file_contexts:
- sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
- for f in options.file_contexts:
- if not os.path.exists(f):
- sys.exit("Error: File_contexts file " + f + " does not exist\n" +
- parser.usage)
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
- if options.tests is None or options.tests == "TrebleCompatMapping":
- if not options.basepolicy:
- sys.exit("Must specify the current platform-only policy file\n"
- + parser.usage)
- if not options.mapping:
- sys.exit("Must specify a compatibility mapping file\n"
- + parser.usage)
- if not options.oldpolicy:
- sys.exit("Must specify the previous monolithic policy file\n"
- + parser.usage)
- if not options.base_pub_policy:
- sys.exit("Must specify the current platform-only public policy "
- + ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, libpath)
- oldpol = policy.Policy(options.oldpolicy, None, libpath)
- mapping = mini_parser.MiniCilParser(options.mapping)
- pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
- test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+ if not options.mapping:
+ sys.exit("Must specify a compatibility mapping file\n"
+ + parser.usage)
+ if not options.old_pub_policy:
+ sys.exit("Must specify the previous public policy .cil file\n"
+ + parser.usage)
+ if not options.base_pub_policy:
+ sys.exit("Must specify the current platform-only public policy "
+ + ".cil file\n" + parser.usage)
+ mapping = mini_parser.MiniCilParser(options.mapping)
+ base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
+ old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
- if options.faketreble:
- test_policy.FakeTreble = True
-
- pol = policy.Policy(options.policy, options.file_contexts, libpath)
- test_policy.setup(pol)
-
- if DEBUG:
- test_policy.PrintScontexts()
-
- results = ""
- # If an individual test is not specified, run all tests.
- if options.tests is None:
- for t in Tests.values():
- results += t(test_policy)
- else:
- for tn in options.tests:
- t = Tests.get(tn)
- if t:
- results += t(test_policy)
- else:
- err = "Error: unknown test: " + tn + "\n"
- err += "Available tests:\n"
- for tn in Tests.keys():
- err += tn + "\n"
- sys.exit(err)
+ results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
if len(results) > 0:
sys.exit(results)
if __name__ == '__main__':
- temp_dir = tempfile.mkdtemp()
- try:
- libname = "libsepolwrap" + SHARED_LIB_EXTENSION
- libpath = os.path.join(temp_dir, libname)
- with open(libpath, "wb") as f:
- blob = pkgutil.get_data("treble_sepolicy_tests", libname)
- if not blob:
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
- f.write(blob)
- do_main(libpath)
- finally:
- shutil.rmtree(temp_dir)
+ do_main()
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 34f4385..0000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 0d7a4d1..02882af 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -21,6 +21,7 @@
#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
#define APP_DATA_REQUIRED_ATTRIB "app_data_file_type"
+#define COREDOMAIN "coredomain"
/**
* Initializes an empty, static list.
@@ -61,6 +62,7 @@
typedef struct list list;
typedef struct key_map_regex key_map_regex;
typedef struct file_info file_info;
+typedef struct coredomain_violation_entry coredomain_violation_entry;
enum map_match {
map_no_matches,
@@ -106,7 +108,7 @@
key_dir dir;
char *data;
key_map_regex regex;
- bool (*fn_validate)(char *value, char **errmsg);
+ bool (*fn_validate)(char *value, const char *filename, int lineno, char **errmsg);
};
/**
@@ -149,6 +151,7 @@
sepol_policy_file_t *pf;
sepol_handle_t *handle;
sepol_context_t *con;
+ bool vendor;
};
struct file_info {
@@ -157,6 +160,14 @@
list_element listify;
};
+struct coredomain_violation_entry {
+ list_element listify;
+ char *domain;
+ char *filename;
+ int lineno;
+};
+
+static void coredomain_violation_list_freefn(list_element *e);
static void input_file_list_freefn(list_element *e);
static void line_order_list_freefn(list_element *e);
static void rule_map_free(rule_map *rm, bool is_in_htable);
@@ -169,13 +180,16 @@
static list input_file_list = list_init(input_file_list_freefn);
+static list coredomain_violation_list = list_init(coredomain_violation_list_freefn);
+
static policy_info pol = {
.policy_file_name = NULL,
.policy_file = NULL,
.db = NULL,
.pf = NULL,
.handle = NULL,
- .con = NULL
+ .con = NULL,
+ .vendor = false
};
/**
@@ -192,12 +206,12 @@
static list nallow_list = list_init(line_order_list_freefn);
/* validation call backs */
-static bool validate_bool(char *value, char **errmsg);
-static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_domain(char *value, char **errmsg);
-static bool validate_type(char *value, char **errmsg);
-static bool validate_selinux_level(char *value, char **errmsg);
-static bool validate_uint(char *value, char **errmsg);
+static bool validate_bool(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_levelFrom(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_domain(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_type(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_selinux_level(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_uint(char *value, const char *filename, int lineno, char **errmsg);
/**
* The heart of the mapping process, this must be updated if a new key value pair is added
@@ -214,6 +228,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
@@ -278,6 +293,14 @@
free(f);
}
+static void coredomain_violation_list_freefn(list_element *e) {
+ coredomain_violation_entry *c = list_entry(e, typeof(*c), listify);
+
+ free(c->domain);
+ free(c->filename);
+ free(c);
+}
+
/**
* Send a logging message to a file
* @param out
@@ -377,8 +400,11 @@
return true;
}
-static bool validate_bool(char *value, char **errmsg) {
-
+static bool validate_bool(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
if (!strcmp("true", value) || !strcmp("false", value)) {
return true;
}
@@ -387,8 +413,11 @@
return false;
}
-static bool validate_levelFrom(char *value, char **errmsg) {
-
+static bool validate_levelFrom(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
if (strcasecmp(value, "none") && strcasecmp(value, "all") &&
strcasecmp(value, "app") && strcasecmp(value, "user")) {
*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
@@ -397,7 +426,7 @@
return true;
}
-static bool validate_domain(char *value, char **errmsg) {
+static bool validate_domain(char *value, const char *filename, int lineno, char **errmsg) {
#if defined(LINK_SEPOL_STATIC)
/*
@@ -408,17 +437,37 @@
return true;
}
- if (!find_type(pol.db, value, TYPE_TYPE)) {
+ type_datum_t *type_dat = find_type(pol.db, value, TYPE_TYPE);
+ if (!type_dat) {
*errmsg = "Expecting a valid SELinux type";
return false;
}
+
+ if (pol.vendor) {
+ type_datum_t *attrib_dat = find_type(pol.db, COREDOMAIN, TYPE_ATTRIB);
+ if (!attrib_dat) {
+ *errmsg = "The attribute " COREDOMAIN " is not defined in the policy";
+ return false;
+ }
+
+ if (type_has_attribute(pol.db, type_dat, attrib_dat)) {
+ coredomain_violation_entry *entry = (coredomain_violation_entry *)malloc(sizeof(*entry));
+ entry->domain = strdup(value);
+ entry->filename = strdup(filename);
+ entry->lineno = lineno;
+ list_append(&coredomain_violation_list, &entry->listify);
+ }
+ }
#endif
return true;
}
-static bool validate_type(char *value, char **errmsg) {
-
+static bool validate_type(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
#if defined(LINK_SEPOL_STATIC)
/*
* No policy file present means we cannot check
@@ -451,8 +500,11 @@
return true;
}
-static bool validate_selinux_level(char *value, char **errmsg) {
-
+static bool validate_selinux_level(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
/*
* No policy file present means we cannot check
* SE Linux MLS
@@ -470,8 +522,11 @@
return true;
}
-static bool validate_uint(char *value, char **errmsg) {
-
+static bool validate_uint(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
char *endptr;
long longvalue;
longvalue = strtol(value, &endptr, 10);
@@ -528,7 +583,7 @@
/* If the key has a validation routine, call it */
if (m->fn_validate) {
- rc = m->fn_validate(value, &errmsg);
+ rc = m->fn_validate(value, filename, lineno, &errmsg);
if (!rc) {
log_error("Could not validate key \"%s\" for value \"%s\" on line: %d in file: \"%s\": %s\n", key, value,
@@ -996,7 +1051,7 @@
int c;
file_info *input_file;
- while ((c = getopt(argc, argv, "ho:p:v")) != -1) {
+ while ((c = getopt(argc, argv, "ho:p:vc")) != -1) {
switch (c) {
case 'h':
usage();
@@ -1010,6 +1065,9 @@
case 'v':
log_set_verbose();
break;
+ case 'c':
+ pol.vendor = true;
+ break;
case '?':
if (optopt == 'o' || optopt == 'p')
log_error("Option -%c requires an argument.\n", optopt);
@@ -1228,6 +1286,7 @@
bool found_issues = false;
hash_entry *e;
rule_map *r;
+ coredomain_violation_entry *c;
list_for_each(&line_order_list, cursor) {
e = list_entry(cursor, typeof(*e), listify);
rule_map_validate(e->r);
@@ -1247,6 +1306,25 @@
}
}
+ bool coredomain_violation = false;
+ list_for_each(&coredomain_violation_list, cursor) {
+ c = list_entry(cursor, typeof(*c), listify);
+ fprintf(stderr, "Forbidden attribute " COREDOMAIN " assigned to domain \"%s\" in "
+ "File \"%s\" on line %d\n", c->domain, c->filename, c->lineno);
+ coredomain_violation = true;
+ }
+
+ if (coredomain_violation) {
+ fprintf(stderr, "********************************************************************************\n");
+ fprintf(stderr, "You tried to assign coredomain with vendor seapp_contexts, which is not allowed.\n"
+ "Either move offending entries to system, system_ext, or product seapp_contexts,\n"
+ "or remove 'coredomain' attribute from the domains.\n"
+ "See an example of how to fix this:\n"
+ "https://android-review.googlesource.com/2671075\n");
+ fprintf(stderr, "********************************************************************************\n");
+ found_issues = true;
+ }
+
if (found_issues) {
exit(EXIT_FAILURE);
}
@@ -1305,6 +1383,7 @@
list_free(&input_file_list);
list_free(&line_order_list);
list_free(&nallow_list);
+ list_free(&coredomain_violation_list);
hdestroy();
}
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 83c631e..051e24b 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -7,6 +7,7 @@
#include <sepol/module.h>
#include <sepol/policydb/policydb.h>
#include <sepol/sepol.h>
+#include <selinux/context.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <sys/stat.h>
@@ -209,8 +210,14 @@
"If -e is specified, then the context_file is allowed to be empty.\n\n"
"usage2: %s -c file_contexts1 file_contexts2\n\n"
- "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n",
- name, name);
+ "Compares two file contexts files and reports one of \n"
+ "subset, equal, superset, or incomparable.\n\n"
+
+ "usage3: %s -t file_contexts test_data\n\n"
+ "Validates a file contexts file against test_data.\n"
+ "test_data is a text file where each line has the format:\n"
+ " path expected_type\n\n\n",
+ name, name, name);
exit(1);
}
@@ -264,6 +271,88 @@
printf("%s\n", result_str[result]);
}
+static int warnings = 0;
+static int log_callback(int type, const char *fmt, ...) {
+ va_list ap;
+
+ if (type == SELINUX_WARNING) {
+ warnings += 1;
+ }
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+static void do_test_data_and_die_on_error(struct selinux_opt opts[], unsigned int backend,
+ char *paths[])
+{
+ opts[0].value = NULL; /* not validating against a policy */
+ opts[1].value = paths[0];
+ global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2);
+ if (!global_state.sepolicy.sehnd[0]) {
+ fprintf(stderr, "Error: could not load context file from %s: %s\n",
+ paths[0], strerror(errno));
+ exit(1);
+ }
+
+ FILE* test_data = fopen(paths[1], "r");
+ if (test_data == NULL) {
+ fprintf(stderr, "Error: could not load test file from %s : %s\n",
+ paths[1], strerror(errno));
+ exit(1);
+ }
+
+ char line[1024];
+ while (fgets(line, sizeof(line), test_data)) {
+ char *path;
+ char *expected_type;
+
+ if (!strcmp(line, "\n") || line[0] == '#') {
+ continue;
+ }
+
+ int ret = sscanf(line, "%ms %ms", &path, &expected_type);
+ if (ret != 2) {
+ fprintf(stderr, "Error: unable to parse the line %s\n", line);
+ exit(1);
+ }
+
+ char *found_context;
+ ret = selabel_lookup(global_state.sepolicy.sehnd[0], &found_context, path, 0);
+ if (ret != 0) {
+ fprintf(stderr, "Error: unable to lookup the path for %s\n", line);
+ exit(1);
+ }
+
+ context_t found = context_new(found_context);
+ const char *found_type = context_type_get(found);
+
+ if (strcmp(found_type, expected_type)) {
+ fprintf(stderr, "Incorrect type for %s: resolved to %s, expected %s\n",
+ path, found_type, expected_type);
+ }
+
+ free(found_context);
+ context_free(found);
+ free(path);
+ free(expected_type);
+ }
+ fclose(test_data);
+
+ // Prints the coverage of file_contexts on the test data. It includes
+ // warnings for rules that have not been hit by any test example.
+ union selinux_callback cb;
+ cb.func_log = log_callback;
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+ selabel_stats(global_state.sepolicy.sehnd[0]);
+ if (warnings) {
+ fprintf(stderr, "No test entries were found for the contexts above. " \
+ "You may need to update %s.\n", paths[1]);
+ exit(1);
+ }
+}
+
static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,
const char *sepolicy_file, const char *context_file, bool allow_empty)
{
@@ -345,11 +434,12 @@
bool allow_empty = false;
bool compare = false;
+ bool test_data = false;
char c;
filemode mode = filemode_file_contexts;
- while ((c = getopt(argc, argv, "clpsve")) != -1) {
+ while ((c = getopt(argc, argv, "clpsvet")) != -1) {
switch (c) {
case 'c':
compare = true;
@@ -373,6 +463,9 @@
mode = filemode_vendor_service_contexts;
backend = SELABEL_CTX_ANDROID_SERVICE;
break;
+ case 't':
+ test_data = true;
+ break;
case 'h':
default:
usage(argv[0]);
@@ -385,7 +478,7 @@
usage(argv[0]);
}
- if (compare && backend != SELABEL_CTX_FILE) {
+ if ((compare || test_data) && backend != SELABEL_CTX_FILE) {
usage(argv[0]);
}
@@ -393,6 +486,8 @@
if (compare) {
do_compare_and_die_on_error(opts, backend, &(argv[index]));
+ } else if (test_data) {
+ do_test_data_and_die_on_error(opts, backend, &(argv[index]));
} else {
/* remaining args are sepolicy file and context file */
char *sepolicy_file = argv[index];
diff --git a/tools/finalize-sdk-rel.sh b/tools/finalize-sdk-rel.sh
new file mode 100755
index 0000000..80c6fa8
--- /dev/null
+++ b/tools/finalize-sdk-rel.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 <top> <ver>"
+ exit 1
+fi
+
+top=$1
+ver=$2
+
+mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+
+cat > "$top/system/sepolicy/prebuilts/api/${ver}.0/Android.bp" <<EOF
+// Automatically generated file, do not edit!
+se_policy_conf {
+ name: "${ver}.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_${ver}.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_pub_policy.cil",
+ src: ":${ver}.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_product_pub_policy.cil",
+ src: ":${ver}.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.plat_private_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.system_ext_private_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.product_private_${ver}.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_policy.cil",
+ src: ":${ver}.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_${ver}.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "${ver}.0_plat_policy",
+ srcs: [":${ver}.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+EOF
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
index 33ce861..f82c53d 100755
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
if [ "$MK" != "$BP" ]; then
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index cd61c9a..a941d6f 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -223,6 +223,7 @@
name: "plat_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -230,6 +231,7 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -237,11 +239,13 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
name: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -249,6 +253,7 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -256,11 +261,13 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_compat_cil {{
name: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
+ version: "{ver}",
}}
se_compat_cil {{
@@ -268,6 +275,7 @@
stem: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
"""
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index c8d5b46..9d6960b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,15 +11,9 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
IS_TREBLE_TEST_ENABLED_PARTNER := true
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@@ -30,59 +24,7 @@
# built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
-$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
-$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$($(version)_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-policy_files :=
-
-built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
-$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
-$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
-
-# TODO(b/214336258): move to Soong
-$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
-
-$(version)_plat_policy.conf :=
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
@@ -106,51 +48,31 @@
# combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for
# these tests.
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
mkdir -p $(dir $@)
cat $^ > $@
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil)
else
-built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil)
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
-ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-# TODO(b/113124961): remove fake-treble
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
-endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) \
- $(built_sepolicy_files) \
$(public_cil_files) \
- $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+ $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+ -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD)
$(hide) touch $@
-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
-$(version)_PLAT_PUBLIC_POLICY :=
-$(version)_PLAT_PRIVATE_POLICY :=
built_sepolicy_files :=
public_cil_files :=
-cil_files :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 80dfbdc..28613c9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,8 +14,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
@@ -54,7 +54,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V[1-2]-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
@@ -76,6 +76,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service u:object_r:hal_macsec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
@@ -96,6 +98,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
@@ -124,6 +127,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant_macsec u:object_r:wpa_supplicant_macsec_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
@@ -149,3 +153,46 @@
#
/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
/data/vendor/wifi/wpa(/.*)? u:object_r:wpa_data_file:s0
+
+#############################
+# Vendor libraries loaded from SP-HAL (former VNDK-SP)
+#
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.common\.fmq-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.allocator-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V4-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.2\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.composer3-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@2\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@2\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRSDriver\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRS_internal\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libbase\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libbcinfo\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libblas\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libc\+\+\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libcompiler_rt\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libcutils\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgralloctypes\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhardware\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidlbase\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidlmemory\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libion\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libjsoncpp\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/liblzma\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libprocessgroup\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libunwindstack\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libutils\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libutilscallstack\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libz\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_authgraph_default.te b/vendor/hal_authgraph_default.te
new file mode 100644
index 0000000..1676cca
--- /dev/null
+++ b/vendor/hal_authgraph_default.te
@@ -0,0 +1,5 @@
+type hal_authgraph_default, domain;
+hal_server_domain(hal_authgraph_default, hal_authgraph)
+
+type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authgraph_default)
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
index ab474d6..4b4ee46 100644
--- a/vendor/hal_drm_clearkey.te
+++ b/vendor/hal_drm_clearkey.te
@@ -4,3 +4,4 @@
init_daemon_domain(hal_drm_clearkey_aidl)
hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
+allow hal_drm_clearkey_aidl mediacodec:fd use;
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 0bdb7fd..9ed7a8a 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -32,3 +32,7 @@
# allow to access graphics related properties
get_prop(hal_evs_default, graphics_config_prop);
+get_prop(hal_evs_default, graphics_config_writable_prop)
+
+# allow to use binder IPC.
+binder_use(hal_evs_default)
diff --git a/vendor/hal_macsec_default.te b/vendor/hal_macsec_default.te
new file mode 100644
index 0000000..19b3d16
--- /dev/null
+++ b/vendor/hal_macsec_default.te
@@ -0,0 +1,8 @@
+type hal_macsec_default, domain;
+hal_server_domain(hal_macsec_default, hal_macsec)
+
+type hal_macsec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_macsec_default)
+
+# Allow registering with service manager.
+binder_call(hal_macsec_default, servicemanager)
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
index 0da517a..b1f57a7 100644
--- a/vendor/ot_rcp.te
+++ b/vendor/ot_rcp.te
@@ -10,7 +10,7 @@
allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
allow ot_rcp hal_threadnetwork_default:fd use;
allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
-allow ot_rcp devpts:chr_file {read write};
+allow ot_rcp devpts:chr_file {read write ioctl};
allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
allow ot_rcp node:udp_socket node_bind;
allow ot_rcp port:udp_socket name_bind;
diff --git a/vendor/wpa_supplicant_macsec.te b/vendor/wpa_supplicant_macsec.te
new file mode 100644
index 0000000..1b90ac7
--- /dev/null
+++ b/vendor/wpa_supplicant_macsec.te
@@ -0,0 +1,28 @@
+# wpa supplicant macsec or equivalent
+type wpa_supplicant_macsec, domain;
+type wpa_supplicant_macsec_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(wpa_supplicant_macsec)
+
+net_domain(wpa_supplicant_macsec)
+
+# Allow wpa_supplicant to configure nl80211
+allow wpa_supplicant_macsec proc_net_type:file write;
+
+# in addition to ioctls allowlisted for all domains, grant wpa_supplicant_macsec priv_sock_ioctls.
+allowxperm wpa_supplicant_macsec self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(wpa_supplicant_macsec, sysfs_type)
+r_dir_file(wpa_supplicant_macsec, proc_net_type)
+
+allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow wpa_supplicant_macsec cgroup:dir create_dir_perms;
+allow wpa_supplicant_macsec cgroup_v2:dir create_dir_perms;
+allow wpa_supplicant_macsec self:netlink_route_socket nlmsg_write;
+allow wpa_supplicant_macsec self:netlink_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:packet_socket create_socket_perms;
+allowxperm wpa_supplicant_macsec self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+binder_use(wpa_supplicant_macsec)
+hal_client_domain(wpa_supplicant_macsec, hal_macsec)
+