Merge "Remove deprecated SEPolicy permission for keystore" into main
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index fef2e69..d02d61e 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -119,7 +119,7 @@
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
f.AddProperties(&f.properties)
- android.InitAndroidModule(f)
+ android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
})
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 78cbc84..c2a21dd 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -57,7 +57,7 @@
func neverallowTestFactory() android.Module {
n := &neverallowTestModule{}
n.AddProperties(&n.properties)
- android.InitAndroidModule(n)
+ android.InitAndroidArchModule(n, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(n, func(ctx android.LoadHookContext) {
n.loadHook(ctx)
})
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 698d68f..4e2a0da 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -410,6 +410,7 @@
"restrictions": EXCEPTION_NO_FUZZER,
"rkpd.registrar": EXCEPTION_NO_FUZZER,
"rkpd.refresh": EXCEPTION_NO_FUZZER,
+ "rkp_cert_processor.service": EXCEPTION_NO_FUZZER,
"role": EXCEPTION_NO_FUZZER,
"rollback": EXCEPTION_NO_FUZZER,
"rttmanager": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 72b17ca..7bda60c 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -326,6 +326,7 @@
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
+/system/bin/rkp_cert_processor rkp_cert_processor_exec
/system/bin/toolbox toolbox_exec
/system/bin/toybox toolbox_exec
/system/bin/ld.mc rs_exec
@@ -485,6 +486,7 @@
/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
/system/bin/uprobestats uprobestats_exec
/system/bin/trace_redactor trace_redactor_exec
+/system/bin/bert_collector bert_collector_exec
/vendor vendor_file
/vendor/does_not_exist vendor_file
@@ -777,8 +779,8 @@
/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
-/system_ext/bin/custom_vm_setup custom_vm_setup_exec
-/system/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+/system_ext/bin/linux_vm_setup linux_vm_setup_exec
+/system/system_ext/bin/linux_vm_setup linux_vm_setup_exec
/system_ext/lib system_lib_file
/system_ext/lib/does_not_exist system_lib_file
diff --git a/private/bert_collector.te b/private/bert_collector.te
new file mode 100644
index 0000000..b11bd76
--- /dev/null
+++ b/private/bert_collector.te
@@ -0,0 +1,12 @@
+type bert_collector, domain, coredomain;
+type bert_collector_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(bert_collector)
+
+r_dir_file(bert_collector, sysfs_firmware_acpi_tables)
+
+binder_use(bert_collector)
+binder_call(bert_collector, system_server)
+
+allow bert_collector dropbox_service:service_manager find;
+allow bert_collector proc_version:file r_file_perms;
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 787531a..9ac4963 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -20,4 +20,5 @@
virtual_face
virtual_face_exec
advanced_protection_service
+ sysfs_firmware_acpi_tables
))
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
deleted file mode 100644
index c14f5e0..0000000
--- a/private/custom_vm_setup.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type custom_vm_setup, domain, coredomain;
-type custom_vm_setup_exec, system_file_type, exec_type, file_type;
-
-is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
- init_daemon_domain(custom_vm_setup)
-')
diff --git a/private/file.te b/private/file.te
index 70b8523..662d5cc 100644
--- a/private/file.te
+++ b/private/file.te
@@ -182,6 +182,9 @@
# Type for /sys/kernel/mm/pgsize_migration/enabled
type sysfs_pgsize_migration, fs_type, sysfs_type;
+# /sys/firmware/acpi/tables
+type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index fa2fe3a..496e954 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -362,7 +362,8 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
-/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
+/system/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
+/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -407,6 +408,7 @@
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
/system/bin/uprobestats u:object_r:uprobestats_exec:s0
+/system/bin/bert_collector u:object_r:bert_collector_exec:s0
#############################
# Vendor files
@@ -534,7 +536,7 @@
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/(system_ext|system/system_ext)/bin/custom_vm_setup u:object_r:custom_vm_setup_exec:s0
+/(system_ext|system/system_ext)/bin/linux_vm_setup u:object_r:linux_vm_setup_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b8b7247..e300d78 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -149,6 +149,7 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/acpi/tables u:object_r:sysfs_firmware_acpi_tables:s0
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
diff --git a/private/keystore.te b/private/keystore.te
index 64d2e31..3a1c242 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
# Allow keystore to check if the system is rkp only.
get_prop(keystore, remote_prov_prop)
+# Allow keystore to check whether to post-process RKP certificates
+get_prop(keystore, remote_prov_cert_prop)
+
# Allow keystore to check rkpd feature flags
get_prop(keystore, device_config_remote_key_provisioning_native_prop)
@@ -45,6 +48,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, remote_provisioning_service_server)
+binder_call(keystore, rkp_cert_processor)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
@@ -55,6 +59,8 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
+allow keystore rkp_cert_processor_service:service_manager find;
+
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/private/linux_vm_setup.te b/private/linux_vm_setup.te
new file mode 100644
index 0000000..ba483e8
--- /dev/null
+++ b/private/linux_vm_setup.te
@@ -0,0 +1,6 @@
+type linux_vm_setup, domain, coredomain;
+type linux_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ init_daemon_domain(linux_vm_setup)
+')
diff --git a/private/property.te b/private/property.te
index 8cc91e4..40beca5 100644
--- a/private/property.te
+++ b/private/property.te
@@ -19,6 +19,7 @@
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
+system_internal_prop(bert_collector_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -43,6 +44,7 @@
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
+system_internal_prop(remote_prov_cert_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
@@ -783,6 +785,11 @@
} remote_prov_prop:property_service set;
neverallow {
+ domain
+ -init
+} remote_prov_cert_prop:property_service set;
+
+neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index 13dff31..24462cb 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -870,6 +870,8 @@
dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+acpi.bert_collector.start u:object_r:bert_collector_start_prop:s0 exact bool
+
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -1539,6 +1541,9 @@
# Hostname for the remote provisioning server a device should communicate with
remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+# Support for post-processing RKP certificates
+remote_provisioning.use_cert_processor u:object_r:remote_prov_cert_prop:s0 exact bool
+
# Connection Timeout for remote provisioning step
remote_provisioning.connect_timeout_millis u:object_r:remote_prov_prop:s0 exact int
diff --git a/private/rkp_cert_processor.te b/private/rkp_cert_processor.te
new file mode 100644
index 0000000..578bd4c
--- /dev/null
+++ b/private/rkp_cert_processor.te
@@ -0,0 +1,12 @@
+# Cert processor service
+type rkp_cert_processor, domain, coredomain;
+type rkp_cert_processor_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(rkp_cert_processor)
+net_domain(rkp_cert_processor)
+
+binder_use(rkp_cert_processor)
+
+add_service(rkp_cert_processor, rkp_cert_processor_service)
+
+use_bootstrap_libs(rkp_cert_processor)
diff --git a/private/service.te b/private/service.te
index a4d00f3..1f31477 100644
--- a/private/service.te
+++ b/private/service.te
@@ -22,6 +22,7 @@
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
type rkpd_refresh_service, service_manager_type;
+type rkp_cert_processor_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 7c3efc7..37652ae 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -399,6 +399,7 @@
restrictions u:object_r:restrictions_service:s0
rkpd.registrar u:object_r:rkpd_registrar_service:s0
rkpd.refresh u:object_r:rkpd_refresh_service:s0
+rkp_cert_processor.service u:object_r:rkp_cert_processor_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
diff --git a/private/shell.te b/private/shell.te
index 18e3462..a6e9975 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -479,7 +479,7 @@
allow shell vendor_shell_exec:file rx_file_perms;
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
- allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+ allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')
# Everything is labeled as rootfs in recovery mode. Allow shell to