Merge "Suppress keystore F2FS related audit"
diff --git a/apex/Android.bp b/apex/Android.bp
index b5199f0..8be5aa1 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -197,6 +197,13 @@
 }
 
 filegroup {
+  name: "com.android.uwb-file_contexts",
+  srcs: [
+    "com.android.uwb-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.virt-file_contexts",
   srcs: [
     "com.android.virt-file_contexts",
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index f404a07..d678ca6 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,5 +1,4 @@
 (/.*)?                   u:object_r:system_file:s0
-/bin/compos_key_cmd      u:object_r:compos_key_cmd_exec:s0
 /bin/compos_key_main     u:object_r:compos_exec:s0
 /bin/compsvc             u:object_r:compos_exec:s0
 /bin/compsvc_worker      u:object_r:compos_exec:s0
diff --git a/apex/com.android.uwb-file_contexts b/apex/com.android.uwb-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.uwb-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index a126a02..9e6b2bb 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,9 +2,6 @@
 type compos, domain, coredomain, microdroid_payload;
 type compos_exec, exec_type, file_type, system_file_type;
 
-type compos_key_cmd, domain, coredomain;
-type compos_key_cmd_exec, exec_type, file_type, system_file_type;
-
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Talk to binder services (for keystore)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index ac81c90..728d156 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -30,4 +30,8 @@
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 
+# microdroid_manager is using bootstrap bionic
+allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
+allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
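Review bot: The new `execute` permission on `system_bootstrap_lib_file:file` is explained only by `microdroid_manager is using bootstrap bionic`, and because the pre-existing neverallow on the following line still forbids `execute_no_trans`, the grant can only serve mapping the libraries executable, not running them as programs — that distinction should be written down so nobody later relaxes the wrong rule. Presumably `{ execute read open getattr map }` is the set the dynamic linker needs to mmap the bootstrap libc and friends with PROT_EXEC; please confirm. Suggested replacement comment: `# microdroid_manager links against bootstrap bionic: it must read and mmap the libraries in system_bootstrap_lib_file with PROT_EXEC (execute + map). Executing them as binaries stays forbidden by the execute_no_trans neverallow below.`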
diff --git a/prebuilts/api/31.0/private/odsign.te b/prebuilts/api/31.0/private/odsign.te
index 0ff3b7b..c6c7808 100644
--- a/prebuilts/api/31.0/private/odsign.te
+++ b/prebuilts/api/31.0/private/odsign.te
@@ -54,6 +54,9 @@
 set_prop(odsign, odsign_prop)
 neverallow { domain -odsign -init } odsign_prop:property_service set;
 
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
 # Neverallows
 neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
 neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
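Review bot: `ctl_odsign_prop` is granted to odsign but, unlike `odsign_prop` two lines above, no neverallow prevents other domains from being granted it later, even though the matching property_contexts entry in this diff is commented as restricting who may stop odsign. If no domain other than odsign and init is meant to issue `ctl.stop$odsign`, turning that intent into a compile-time check is one line: `neverallow { domain -odsign -init } ctl_odsign_prop:property_service set;`. The private/odsign.te hunk later in this diff adds the identical `set_prop` line and would need the same neverallow.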
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 4f67251..faa0183 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -36,6 +36,7 @@
 system_internal_prop(verity_status_prop)
 system_internal_prop(zygote_wrap_prop)
 system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
 
 ###
 ### Neverallow rules
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 5ecb87f..eedbe8a 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -168,6 +168,9 @@
 # Restrict access to stopping apexd.
 ctl.stop$apexd          u:object_r:ctl_apexd_prop:s0
 
+# Restrict access to stopping odsign
+ctl.stop$odsign         u:object_r:ctl_odsign_prop:s0
+
 # Restrict access to starting media.transcoding.
 ctl.start$media.transcoding  u:object_r:ctl_mediatranscoding_prop:s0
 
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 1fcfa4d..72994dd 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,9 +9,14 @@
     camera2_extensions_prop
     hal_system_suspend_service
     hal_tv_tuner_service
+    hal_wifi_hostapd_service
     power_stats_service
+    snapuserd_prop
+    snapuserd_proxy_socket
     tare_service
     transformer_service
     proc_watermark_boost_factor
     untrusted_app_30
+    proc_vendor_sched
+    sysfs_vendor_sched
   ))
diff --git a/private/compos.te b/private/compos.te
index a86fd38..f4cdc17 100644
--- a/private/compos.te
+++ b/private/compos.te
@@ -1,6 +1,3 @@
 # TODO(b/193504816): move this to compos APEX
 type compos, domain, coredomain;
 type compos_exec, exec_type, file_type, system_file_type;
-
-type compos_key_cmd, domain, coredomain;
-type compos_key_cmd_exec, exec_type, file_type, system_file_type;
diff --git a/private/crosvm.te b/private/crosvm.te
index 42e5181..7426ef9 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -24,6 +24,7 @@
   staging_data_file
   apk_data_file
   app_data_file
+  apex_compos_data_file
   userdebug_or_eng(`shell_data_file')
 }:file { getattr read ioctl lock };
 
@@ -49,6 +50,7 @@
 allow crosvm {
   virtualizationservice_data_file
   app_data_file
+  apex_compos_data_file
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
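Review bot: `apex_compos_data_file` is added to the set of file types crosvm may write without any comment on what object that is, and the read-side hunk at the top of this file has the same gap. From the virtualizationservice.te change in this same diff (`Write access is needed for mutable partitions like instance.img`) it looks like this is the CompOS instance image handed to crosvm as a file descriptor — please confirm. A one-line comment above the new entry in both hunks, e.g. `# apex_compos_data_file: CompOS instance image (fd passed from virtualizationservice)`, would let the write grant be reviewed on its own.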
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 40b3945..2c65281 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -22,6 +22,7 @@
   # Determine allocation scheme (whether B partitions needs to be
   # at the second half of super.
   get_prop(fastbootd, virtual_ab_prop)
+  get_prop(fastbootd, snapuserd_prop)
 
   # Needed for TCP protocol
   allow fastbootd node:tcp_socket node_bind;
diff --git a/private/file_contexts b/private/file_contexts
index c9b7c69..a5dd5a6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -162,6 +162,7 @@
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/snapuserd u:object_r:snapuserd_socket:s0
+/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
 /dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b890ba6..8af6198 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -104,6 +104,7 @@
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
 
 genfscon fusectl / u:object_r:fusectlfs:s0
 
@@ -165,6 +166,7 @@
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
 
 genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
diff --git a/private/odsign.te b/private/odsign.te
index 10adcd5..3297af7 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -44,9 +44,9 @@
 allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
-# For CompOS pending key files
-allow odsign apex_compos_data_file:dir { getattr search write remove_name };
-allow odsign apex_compos_data_file:file { r_file_perms unlink };
+# For CompOS instance & key files
+allow odsign apex_compos_data_file:dir rw_dir_perms;
+allow odsign apex_compos_data_file:file { r_file_perms unlink rename };
 
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
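Review bot: The directory grant on `apex_compos_data_file` grows from four explicitly listed permissions to the whole `rw_dir_perms` macro, and the new comment `# For CompOS instance & key files` names the files rather than the operation that needs the wider set, so a reader cannot tell whether the macro is the minimum. If the new requirement is the `rename` added on the file rule, which needs `add_name` and `remove_name` on the containing directory, the comment should say so; if those are the only additional permissions, an explicit list would document the grant better than the macro. Suggested comment: `# For CompOS instance & key files: odsign reads, unlinks and renames them in place, which needs add_name/remove_name on the directory.`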
@@ -58,6 +58,9 @@
 set_prop(odsign, odsign_prop)
 neverallow { domain -odsign -init } odsign_prop:property_service set;
 
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
 # Neverallows
 neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
 neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 49d18ee..671a24a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -30,6 +30,7 @@
 system_internal_prop(profcollectd_node_id_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
+system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(traced_perf_enabled_prop)
 system_internal_prop(userspace_reboot_log_prop)
@@ -37,6 +38,7 @@
 system_internal_prop(verity_status_prop)
 system_internal_prop(zygote_wrap_prop)
 system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
 
 ###
 ### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index fa5389d..7f97281 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -169,6 +169,9 @@
 # Restrict access to stopping apexd.
 ctl.stop$apexd          u:object_r:ctl_apexd_prop:s0
 
+# Restrict access to stopping odsign
+ctl.stop$odsign         u:object_r:ctl_odsign_prop:s0
+
 # Restrict access to starting media.transcoding.
 ctl.start$media.transcoding  u:object_r:ctl_mediatranscoding_prop:s0
 
@@ -278,10 +281,12 @@
 sys.boot_from_charger_mode  u:object_r:charger_status_prop:s0 exact int
 ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
 
-# Virtual A/B properties
+# Virtual A/B and snapuserd properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.compression.enabled  u:object_r:virtual_ab_prop:s0 exact bool
+snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 
 ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
 # Property to set/clear the warm reset flag after an OTA update.
diff --git a/private/recovery.te b/private/recovery.te
index bba2a0d..2dba93b 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -38,6 +38,7 @@
   allow recovery snapuserd_socket:sock_file write;
   allow recovery snapuserd:unix_stream_socket connectto;
   allow recovery dm_user_device:dir r_dir_perms;
+  get_prop(recovery, snapuserd_prop)
 
   # Set fastbootd protocol property
   set_prop(recovery, fastbootd_protocol_prop)
diff --git a/private/service_contexts b/private/service_contexts
index 4da2781..337ee80 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -20,6 +20,7 @@
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
 android.hardware.vibrator.IVibratorManager/default                   u:object_r:hal_vibrator_service:s0
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
+android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
diff --git a/private/shell.te b/private/shell.te
index 2f983f2..dc820bd 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -106,8 +106,16 @@
 # Allow shell to execute simpleperf without a domain transition.
 allow shell simpleperf_exec:file rx_file_perms;
 
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
+userdebug_or_eng(`
+  # Allow shell to execute profcollectctl without a domain transition.
+  allow shell profcollectd_exec:file rx_file_perms;
+
+  # Allow shell to read profcollectd data files.
+  r_dir_file(shell, profcollectd_data_file)
+
+  # Allow to issue control commands to profcollectd binder service.
+  allow shell profcollectd:binder call;
+')
 
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
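Review bot: `r_dir_file(shell, profcollectd_data_file)` is a new grant rather than one of the rules being moved into the `userdebug_or_eng` block (the lines removed in the second hunk of this file cover only the binder call), and its comment states what is allowed but not why shell needs to read profcollectd's data. Presumably this is so developers can inspect or pull collected profiles on debug builds — please confirm and record it: `# Allow shell to read profcollectd data files (to inspect/pull collected profiles on debug builds).`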
@@ -173,11 +181,6 @@
 
 userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
 
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
-  allow shell profcollectd:binder call;
-')
-
 # Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
 allow shell keystore2_key_contexts_file:file r_file_perms;
 
diff --git a/private/snapuserd.te b/private/snapuserd.te
index d96b31e..2956891 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -17,10 +17,24 @@
 allow snapuserd dm_user_device:dir r_dir_perms;
 allow snapuserd dm_user_device:chr_file rw_file_perms;
 
-# Reading and writing to /dev/socket/snapuserd.
+# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
 allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+allow snapuserd snapuserd_proxy_socket:sock_file write;
 
 # This arises due to first-stage init opening /dev/null without F_CLOEXEC
 # (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
 # again, the descriptor leaks into the new process.
 allow snapuserd kernel:fd use;
+
+# snapuserd.* properties
+set_prop(snapuserd, snapuserd_prop)
+
+# For inotify watching for /dev/socket/snapuserd_proxy to appear.
+allow snapuserd tmpfs:dir read;
+
+# Forbid anything other than snapuserd and init setting snapuserd properties.
+neverallow {
+  domain
+  -snapuserd
+  -init
+} snapuserd_prop:property_service set;
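Review bot: `allow snapuserd tmpfs:dir read;` is explained as inotify-watching for `/dev/socket/snapuserd_proxy`, but the comment does not say why the watched directory carries the generic `tmpfs` label instead of the label one would expect for `/dev/socket`, which is the first thing a reader will check. Presumably it is because this instance of snapuserd runs from first-stage init, before /dev has been relabelled — please confirm. If that is the reason, extend the comment to say so, e.g. `# For inotify watching for /dev/socket/snapuserd_proxy to appear; /dev still carries the plain tmpfs label when first-stage snapuserd sets up the watch.`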
diff --git a/private/update_engine.te b/private/update_engine.te
index d828e1f..c3f575f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,6 +24,7 @@
 # Allow to communicate with the snapuserd service, for dm-user snapshots.
 allow update_engine snapuserd:unix_stream_socket connectto;
 allow update_engine snapuserd_socket:sock_file write;
+get_prop(update_engine, snapuserd_prop)
 
 # Allow to communicate with apexd for calculating and reserving space for
 # capex decompression
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 837fc59..f92c94f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,7 +54,11 @@
 # directly as they must be passed over Binder by the client.
 allow virtualizationservice apk_data_file:file { getattr read };
 # Write access is needed for mutable partitions like instance.img
-allow virtualizationservice app_data_file:file { getattr read write };
+allow virtualizationservice {
+  app_data_file
+  apex_compos_data_file
+}:file { getattr read write };
+
 # shell_data_file is used for automated tests and manual debugging.
 allow virtualizationservice shell_data_file:file { getattr read write };
 
diff --git a/public/file.te b/public/file.te
index cf65c7d..9bb1ff9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,6 +78,7 @@
 type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
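Review bot: `type proc_vendor_sched, proc_type, fs_type;` lists its attributes in the opposite order to every neighbouring `proc_*` declaration, which all read `fs_type, proc_type`. The policy compiles either way, but the line should be `type proc_vendor_sched, fs_type, proc_type;` so the block stays uniform and greps for the established pattern keep matching.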
@@ -117,6 +118,10 @@
 type sysfs_fs_f2fs, sysfs_type, fs_type;
 type sysfs_fs_incfs_features, sysfs_type, fs_type;
 type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+    typeattribute sysfs_vendor_sched mlstrustedobject;
+')
 type fs_bpf, fs_type;
 type fs_bpf_tethering, fs_type;
 type configfs, fs_type;
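Review bot: The `userdebug_or_eng` block that marks `sysfs_vendor_sched` as an `mlstrustedobject` carries no comment, and that attribute is exactly the kind of exception a later reader will question, since it lifts the MLS constraints for the node on debug builds. Presumably the intent is to let MLS-constrained domains reach `/sys/kernel/vendor_sched` (labelled in the genfs_contexts hunk of this diff) on userdebug/eng builds only — please confirm. Suggested comment above the block: `# Debug builds only: mlstrustedobject so MLS-constrained domains can access /sys/kernel/vendor_sched (see genfs_contexts); never on user builds.`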
@@ -499,6 +504,7 @@
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
 type snapuserd_socket, file_type, coredomain_socket;
+type snapuserd_proxy_socket, file_type, coredomain_socket;
 type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 55efc3c..b508aa5 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -3,6 +3,11 @@
 binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
 
 hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
+
+binder_call(hal_wifi_hostapd_server, servicemanager)
+
+allow hal_wifi_hostapd_server dumpstate:fifo_file write;
 
 allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
 
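Review bot: `allow hal_wifi_hostapd_server dumpstate:fifo_file write;` has no comment, and it is not obvious from the line alone why a Wi-Fi HAL process needs to write to dumpstate's pipe. Presumably this is so the newly registered AIDL service can emit its dump output when dumpstate or dumpsys calls into it — please confirm. Suggested comments: `# Register the AIDL service with servicemanager` above the `binder_call(hal_wifi_hostapd_server, servicemanager)` line, and `# Allow the AIDL service to write its dump() output to dumpstate's pipe` above the fifo_file line.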
diff --git a/public/service.te b/public/service.te
index f8f37f0..5cf379a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -243,6 +243,7 @@
 type wpantund_service, system_api_service, service_manager_type;
 type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type emergency_affordance_service, system_server_service, service_manager_type;
+type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
 
 ###
 ### HAL Services