Merge "runas_app: allow sigkill of untrusted_app"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index a5b71f0..7e26f53 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -123,6 +123,9 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+# Read tombstone_transmit_status_prop to wait for initialization of tombstone_transmit
+get_prop(microdroid_manager, tombstone_transmit_status_prop)
+
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index d983775..1bbe2a9 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,4 +1,5 @@
system_internal_prop(ctl_tombstoned_prop)
+system_restricted_prop(tombstone_transmit_status_prop)
system_restricted_prop(boot_status_prop)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 0d5786c..d32e0e8 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -161,3 +161,5 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+tombstone_transmit.init_done u:object_r:tombstone_transmit_status_prop:s0 exact bool
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 1887654..4f2b5ab 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -8,3 +8,9 @@
allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
+
+# allow tombstone_transmit to notify its initialization
+set_prop(tombstone_transmit, tombstone_transmit_status_prop)
+
+# Only tombstone_transmit can set its status
+neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;
diff --git a/private/adbd.te b/private/adbd.te
index 48fa849..d72d5b1 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -49,6 +49,8 @@
# Create and use network sockets.
net_domain(adbd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6231623..0579740 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,3 +265,26 @@
-mediaprovider
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
+
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 2f8887b..d75b0fc 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2489,7 +2489,10 @@
(typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
(typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
(typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
-(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset untrusted_app_33_0
+ ( untrusted_app
+ untrusted_app_32
+))
(typeattributeset update_engine_33_0 (update_engine))
(typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
(typeattributeset update_engine_exec_33_0 (update_engine_exec))
diff --git a/private/credstore.te b/private/credstore.te
index c410d76..2d9824b 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -10,3 +10,8 @@
# credstore needs to get keys from the remotely provisioned pool
allow credstore remotelyprovisionedkeypool_service:service_manager find;
+allow credstore keystore:keystore2 get_attestation_key;
+
+# credstore needs to get keys from the RKPD
+get_prop(credstore, device_config_remote_key_provisioning_native_prop)
+allow credstore remote_provisioning_service:service_manager find;
diff --git a/private/property.te b/private/property.te
index dee6369..c4351d1 100644
--- a/private/property.te
+++ b/private/property.te
@@ -628,7 +628,7 @@
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
- # Only init and the remote provisioner can set the ro.remote_provisioning.* props
+ # Only init and the remote provisioner can set the remote_provisioning props
domain
-init
-remote_prov_app
diff --git a/private/property_contexts b/private/property_contexts
index e8293c6..8b403ca 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1367,6 +1367,9 @@
remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+# Hostname for the remote provisioning server a device should communicate with
+remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index f49eb63..d5f8e3f 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,6 +8,9 @@
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
+# if rkpd is enabled, remote provisioner is a noop
+get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
+
allow remote_prov_app {
app_api_service
mediametrics_service
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d3f065b..d950c3d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -170,7 +170,8 @@
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 26c781b..91e9aba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -49,6 +49,9 @@
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;
+# Access the secure heap.
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 56e44db..d0f9b24 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 32.
+### targetSdkVersion >= 34.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
@@ -20,4 +20,4 @@
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
\ No newline at end of file
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7e..2c0391f 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,3 +52,10 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_25 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1..163803a 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,10 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_27 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 03f3334..758ed23 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -19,3 +19,9 @@
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_29 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 569c300..830106d 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -21,3 +21,9 @@
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_30 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
new file mode 100644
index 0000000..643c122
--- /dev/null
+++ b/private/untrusted_app_32.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 31 < targetSdkVersion <= 33.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_32 coredomain;
+
+app_domain(untrusted_app_32)
+untrusted_app_domain(untrusted_app_32)
+net_domain(untrusted_app_32)
+bluetooth_domain(untrusted_app_32)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app_32 sdk_sandbox_data_file:fd use;
+allow untrusted_app_32 sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_32 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
+')
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 7ef27113..35a19de 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -11,6 +11,9 @@
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
+# Access the secure heap
+allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/net.te b/public/net.te
index 31c9c45..aa30b62 100644
--- a/public/net.te
+++ b/public/net.te
@@ -21,6 +21,3 @@
# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/netd.te b/public/netd.te
index 9b8fdb0..e3ea1cb 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,6 +3,8 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 0a67614..a4ee6f5 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
###
# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 32.
+# targetSdkVersion >= 34.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
+# 31 < targetSdkVersion <= 33.
+type untrusted_app_32, domain;
+# This file defines the rules for untrusted apps running with
# 29 < targetSdkVersion <= 31.
type untrusted_app_30, domain;
# This file defines the rules for untrusted apps running with