Merge changes from topic "cherrypicker-L90100000954806085:N90400001269057103" into tm-dev
* changes:
Add xfrm netlink permissions for system server
Fix system server and network stack netlink permissions
diff --git a/apex/Android.bp b/apex/Android.bp
index 5d61303..8f11771 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -195,13 +195,6 @@
}
filegroup {
- name: "com.android.telephony-file_contexts",
- srcs: [
- "com.android.telephony-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
deleted file mode 100644
index f3a65d4..0000000
--- a/apex/com.android.telephony-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/prebuilts/api/33.0/private/bluetooth.te b/prebuilts/api/33.0/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/prebuilts/api/33.0/private/bluetooth.te
+++ b/prebuilts/api/33.0/private/bluetooth.te
@@ -46,6 +46,9 @@
allow bluetooth proc_filesystems:file r_file_perms;
get_prop(bluetooth, incremental_prop)
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 1afa50f..4161dc9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index af51799..e21c18c 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -691,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
index 251a14f..538641d 100644
--- a/prebuilts/api/33.0/private/installd.te
+++ b/prebuilts/api/33.0/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index d30d3d9..20d3adf 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -105,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -154,3 +157,29 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 7aca98d..e6c129a 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
index 818660c..ddb2828 100644
--- a/prebuilts/api/33.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index ea983fd..41245c2 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -62,9 +62,10 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
app_data_file_type
system_data_file
mnt_expand_file
+ sdk_sandbox_system_data_file
}:dir getattr;
# Allow zygote to create JIT memory.
@@ -235,6 +237,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -46,6 +46,9 @@
allow bluetooth proc_filesystems:file r_file_perms;
get_prop(bluetooth, incremental_prop)
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
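Review bot: The comment above the new `get_prop(bluetooth, device_logging_prop)` describes one purpose (checking security logging state) while the grant is on the whole `device_logging_prop` type, so a later reader cannot tell which key Bluetooth actually reads or whether the type has since grown; name the property in the comment, e.g. `# For Bluetooth to read <property-name> (device_logging_prop) to check security logging state`, with the concrete key filled in. As a point of style, the new line omits the trailing `;` that the `set_prop(...)` line just below carries; the macro works either way, but this block now mixes both forms. The same lines are mirrored in prebuilts/api/33.0/private/bluetooth.te.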
diff --git a/private/file.te b/private/file.te
index 1afa50f..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index af51799..e21c18c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -691,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
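Review bot: The two new sdksandbox entries have no `(/.*)?` suffix, unlike the rollback entries directly below them, so only the sdksandbox directory itself matches and nothing under it gets this label from file_contexts; presumably the per-app subdirectories are labelled explicitly by installd (its `relabelfrom` grant suggests so), but a reader comparing these lines with their neighbours will assume the suffix was forgotten. State the intent in the comment, e.g. `# SDK sandbox root dir (managed by installd); per-app subdirs are labelled separately, so no (/.*)? here`. The same lines are mirrored in prebuilts/api/33.0/private/file_contexts.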
diff --git a/private/installd.te b/private/installd.te
index 251a14f..538641d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
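Review bot: The comment on the new installd rule hard-codes `/data/misc_ce/0/sdksandbox`, but the type it grants on is attached in file_contexts to `/data/misc_{ce,de}/[0-9]+/sdksandbox`, i.e. both CE and DE storage for every user id, so the comment under-describes what is allowed. Change it to `# Allow installd to manage dirs in /data/misc_{ce,de}/<user>/sdksandbox` (which also fixes the missing "to"). The same lines are mirrored in prebuilts/api/33.0/private/installd.te.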
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d30d3d9..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -105,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
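Review bot: The replacement comment `# allow sandbox to search in sdk system server directory` misnames the object: `sdk_sandbox_system_data_file` is the per-user sdksandbox root directory under /data/misc_{ce,de}, not a system_server directory, and the wording will mislead anyone auditing what the sandbox can reach. Suggest `# allow sandbox to traverse the per-user sdksandbox root dir (sdk_sandbox_system_data_file)` above the `{ getattr search }` rule, keeping the existing line about getattr for webview. The same lines are mirrored in prebuilts/api/33.0/private/sdk_sandbox.te.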
@@ -154,3 +157,29 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
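Review bot: The first neverallow (`relabelfrom`) exempts `-system_server`, yet the only system_server grant in this change is `create_dir_perms` on the dir (private/system_server.te), which does not include relabelfrom; unless an allow elsewhere depends on it, drop that exemption so the neverallow set tracks what is actually granted rather than what might be granted later. The comment `# sdk_sandbox only needs search.` also disagrees with both the allow rule (`{ getattr search }`) and the closing `~{ getattr search }` neverallow; change it to `# sdk_sandbox only needs getattr and search. Restricted in follow up neverallow rule.`. Note that these rules constrain only relabel, directory creation and the file class, so the header's "should have access" is broader than what is enforced: any domain can still be granted read/search of the dir by a plain allow. The same lines are mirrored in prebuilts/api/33.0/private/sdk_sandbox.te.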
diff --git a/private/system_server.te b/private/system_server.te
index 7aca98d..e6c129a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 818660c..ddb2828 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
diff --git a/private/zygote.te b/private/zygote.te
index ea983fd..41245c2 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,9 +62,10 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
app_data_file_type
system_data_file
mnt_expand_file
+ sdk_sandbox_system_data_file
}:dir getattr;
# Allow zygote to create JIT memory.
@@ -235,6 +237,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules