Merge "Adding storaged fuzzers"
diff --git a/private/domain.te b/private/domain.te
index 1c27662..b51fd3c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -683,6 +683,7 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
@@ -729,6 +730,7 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index 7432c2f..b1c7508 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -376,9 +376,11 @@
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
@@ -494,9 +496,7 @@
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
-/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
-/(system_ext|system/system_ext)/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 7ee60ec..08c3902 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,5 +64,8 @@
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)
+# Needed for querying permission
+allow gpuservice permission_service:service_manager find;
+
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
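Review bot: The comment on the new `allow gpuservice permission_service:service_manager find;` rule, `# Needed for querying permission`, does not say which permission check or which gpuservice call path needs it, so a later reviewer cannot tell whether the grant can be dropped. The neighbouring rules in this file name the concrete feature they serve (the persist.graphics.egl line above), and this one should match; something like `# Allow gpuservice to find permission_service so it can check the caller's permission before <name the operation here>` with the placeholder filled in from the calling code. If the check is only reached from the same developer-option path as the set_prop above, saying so ties the two grants together.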
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 4ed4b36..d5e8a74 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -8,19 +8,14 @@
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###
-type isolated_compute_app, domain;
typeattribute isolated_compute_app coredomain;
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)
-allow isolated_compute_app audioserver_service:service_manager find;
-allow isolated_compute_app cameraserver_service:service_manager find;
-allow isolated_compute_app content_capture_service:service_manager find;
-allow isolated_compute_app device_state_service:service_manager find;
-allow isolated_compute_app speech_recognition_service:service_manager find;
-allow isolated_compute_app mediaserver_service:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_service:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };
# Enable access to hardware services for camera functionalilites
hal_client_domain(isolated_compute_app, hal_allocator)
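Review bot: The new `allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };` grants `write` and unfiltered `ioctl` uniformly to every member of the attribute, which per the device.te hunks is hwbinder_device, ion_device and dmabuf_system_heap_device, whereas the check removed from treble_sepolicy_tests.py (the old `p == "write" and not perm.startswith("hwbinder_device:chr_file")` line) previously flagged write on anything but hwbinder_device. If write on the allocator devices is not actually needed, the rule could stay attribute-based for the common set and single out the binder device, e.g. `allow isolated_compute_app isolated_compute_allowed_device:chr_file { read ioctl map };` plus `allow isolated_compute_app hwbinder_device:chr_file write;`; if the widening is intended, a comment here saying so is the minimum. The rule also omits `open`, which presumably means these devices are only reachable through passed file descriptors — worth stating in a comment so the omission is not "fixed" later.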
diff --git a/private/property_contexts b/private/property_contexts
index 51e6cf8..d67d673 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -292,6 +292,7 @@
apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.loop_wait.attempts u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.boot_activation.threads u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
@@ -532,6 +533,8 @@
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_tx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_rx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index fc4fce3..4806e6d 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -92,6 +92,7 @@
-pan_result_prop
-permissive_mte_prop
-persist_debug_prop
+ -persist_sysui_builder_extras_prop
-pm_prop
-powerctl_prop
-property_service_version_prop
diff --git a/private/system_server.te b/private/system_server.te
index 7fea6e7..df0dfa7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -321,6 +321,7 @@
hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_keymint)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
@@ -1107,6 +1108,8 @@
# Allow system process to measure fs-verity for apps, apps being installed and system files
allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
+allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
+allow system_server system_file:file ioctl;
# Postinstall
#
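Review bot: The two added lines sit directly under the comment about measuring fs-verity, but `allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;` serves a different purpose that is not documented anywhere in the hunk; a comment such as `# Allow setting inode flags on APKs staged in apk_tmp_file (FS_IOC_SETFLAGS)` with the reason for the flag change would let a reader audit it. The plain `allow system_server system_file:file ioctl;` reads as an unrestricted ioctl grant, but because an allowxperm already exists for system_file on the line above, the effective set is limited to FS_IOC_MEASURE_VERITY (assuming no other allowxperm for this pair elsewhere in the policy); a one-line comment noting that the allowxperm bounds it would prevent the rule from being read as broader than it is.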
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 946c783..bfad8e7 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -69,10 +69,17 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
-# Allow virtualizationservice to read AVF debug policy
+# Allow virtualizationmanager to read AVF debug policy
allow virtualizationmanager sysfs_dt_avf:dir search;
allow virtualizationmanager sysfs_dt_avf:file { open read };
+# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
+# (e.g. custom debug policy)
+userdebug_or_eng(`
+ allow virtualizationmanager shell_data_file:dir search;
+ allow virtualizationmanager shell_data_file:file open;
+')
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
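Review bot: The new userdebug_or_eng block grants only `shell_data_file:file open` (plus `dir search`), yet the comment says the goal is to open test artifacts such as a custom debug policy by path, which also requires `read` on the opened file. If `read` on shell_data_file is already granted elsewhere (e.g. for descriptors handed over by shell), the comment should say that the open-by-path grant completes an existing read grant; otherwise the rule should be `allow virtualizationmanager shell_data_file:file { open read getattr };` or `r_file_perms`. The matching carve-outs from the neverallow on shell_data_file are the `-virtualizationmanager` lines added in the two domain.te hunks, which the comment could also reference so the two changes are reviewed together.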
diff --git a/private/zygote.te b/private/zygote.te
index 9c47468..d61a431 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -247,6 +247,10 @@
# preloaded classes
get_prop(zygote, persist_wm_debug_prop)
+# Allow zygote to read persist_sysui_builder_extras_prop to toggle experimental features in
+# core preloaded classes
+get_prop(zygote, persist_sysui_builder_extras_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index 09463e3..16a8e66 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,12 @@
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;
+# All service types that would be allowed for isolated_compute_app.
+attribute isolated_compute_allowed_service;
+
+# All device types that would be allowed for isolated_compute_app.
+attribute isolated_compute_allowed_device;
+
# All domains used for apps with network access.
attribute netdomain;
diff --git a/public/device.te b/public/device.te
index 066600e..fa29256 100644
--- a/public/device.te
+++ b/public/device.te
@@ -4,7 +4,7 @@
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type vndbinder_device, dev_type;
type block_device, dev_type;
type bt_device, dev_type;
@@ -48,9 +48,9 @@
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
+type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
diff --git a/public/isolated_compute_app.te b/public/isolated_compute_app.te
new file mode 100644
index 0000000..f2ae9a1
--- /dev/null
+++ b/public/isolated_compute_app.te
@@ -0,0 +1 @@
+type isolated_compute_app, domain;
diff --git a/public/service.te b/public/service.te
index 0936cc4..27403ca 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,11 +2,11 @@
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type artd_service, service_manager_type;
-type audioserver_service, service_manager_type;
+type audioserver_service, service_manager_type, isolated_compute_allowed_service;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
+type cameraserver_service, service_manager_type, isolated_compute_allowed_service;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
@@ -29,7 +29,7 @@
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mdns_service, service_manager_type;
-type mediaserver_service, service_manager_type;
+type mediaserver_service, service_manager_type, isolated_compute_allowed_service;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
@@ -93,7 +93,7 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -107,7 +107,7 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -224,7 +224,7 @@
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type tare_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 2cdde3c..0bcc998 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -105,6 +105,8 @@
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
(Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ # linker.config.pb
+ (Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 125290c..9b427a0 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -88,6 +88,11 @@
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
self.assert_ok('./etc/init.x32rc u:object_r:unknown:s0')
+ def test_linkerconfig(self):
+ self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
+ self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
+ self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
+ r'Error: .*linkerconfig.* can\'t read')
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2c52e2c..0628d35 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -312,10 +312,9 @@
# TODO move this to sepolicy_tests
def TestIsolatedAttributeConsistency(test_policy):
permissionAllowList = {
- # hardware related
+ # access given from technical_debt.cil
"codec2_config_prop" : ["file"],
"device_config_nnapi_native_prop":["file"],
- "dmabuf_system_heap_device":["chr_file"],
"hal_allocator_default":["binder", "fd"],
"hal_codec2": ["binder", "fd"],
"hal_codec2_hwservice":["hwservice_manager"],
@@ -325,6 +324,7 @@
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
"hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
"hal_omx_hwservice":["hwservice_manager"],
"hidl_allocator_hwservice":["hwservice_manager"],
@@ -333,22 +333,14 @@
"hidl_token_hwservice":["hwservice_manager"],
"hwservicemanager":["binder"],
"hwservicemanager_prop":["file"],
- "hwbinder_device":["chr_file"],
"mediacodec":["binder", "fd"],
"mediaswcodec":["binder", "fd"],
"media_variant_prop":["file"],
"nnapi_ext_deny_product_prop":["file"],
- "ion_device" : ["chr_file"],
- # system services
- "audioserver_service":["service_manager"],
- "cameraserver_service":["service_manager"],
- "content_capture_service":["service_manager"],
- "device_state_service":["service_manager"],
- "hal_neuralnetworks_service":["service_manager"],
"servicemanager":["fd"],
- "speech_recognition_service":["service_manager"],
- "mediaserver_service" :["service_manager"],
"toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
}
def resolveHalServerSubtype(target):
@@ -363,15 +355,24 @@
return attr.rsplit("_", 1)[0]
return target
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+
def checkPermissions(permissions):
violated_permissions = []
for perm in permissions:
tctx, tclass, p = perm.split(":")
tctx = resolveHalServerSubtype(tctx)
- if tctx not in permissionAllowList \
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
or tclass not in permissionAllowList[tctx] \
- or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
- or ( p == "rw_file_perms"):
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
violated_permissions += [perm]
return violated_permissions
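Review bot: `checkIsolatedComputeAllowed` accepts any pairing of the two new attributes with either class, so a `<service type>:chr_file` or `<device type>:service_manager` grant would pass the check, and because its result short-circuits the whole condition on the next lines, `write` and `rw_file_perms` are never flagged for any member of either attribute — including ion_device and dmabuf_system_heap_device, which the removed `hwbinder_device` special case used to cover. It also re-runs both `QueryTypeAttribute` calls for every permission in the loop. Hoisting the two queries out of the helper and tying each attribute to the class it is meant to grant keeps the test as strict as it was before; the `write`/`rw_file_perms` clauses should then be evaluated regardless of the allow-list result unless the widening is intentional. The enclosing function TestIsolatedAttributeConsistency starts and ends outside this hunk.
```python
    allowedServiceTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True)
    allowedDeviceTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True)

    def checkIsolatedComputeAllowed(tctx, tclass):
        # A service-type member may only be reached through service_manager,
        # a device-type member only through chr_file.
        if tclass == "service_manager":
            return tctx in allowedServiceTypes
        if tclass == "chr_file":
            return tctx in allowedDeviceTypes
        return False

    # … unchanged: checkPermissions …
```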