Merge "Allow dexopt_chroot_setup to bind-mount /system{,_ext}/lib{,64}." into main
diff --git a/apex/Android.bp b/apex/Android.bp
index c9c06e3..5b2a75e 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -286,3 +286,10 @@
"com.android.telephonymodules-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.configinfrastructure-file_contexts",
+ srcs: [
+ "com.android.configinfrastructure-file_contexts",
+ ],
+}
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
new file mode 100644
index 0000000..23e7b89
--- /dev/null
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
\ No newline at end of file
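Review bot: The new file_contexts fragment has no trailing newline (the marker after the single rule), which is worth fixing before this lands, since apex file_contexts fragments are concatenated by the build and a missing terminator is the classic way for the last entry to fuse with whatever follows it in the combined file. The rule itself labels everything in the APEX as `system_file`, which is the usual default for an APEX that ships no executables; if configinfrastructure ever ships a binary it will need its own `_exec` entry here rather than inheriting `system_file`. Suggested fix is simply to end the file with a newline after `(/.*)? u:object_r:system_file:s0`.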
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index b7364bd..6917693 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -193,6 +193,7 @@
"android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
+ "app_function": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER,
"app_integrity": EXCEPTION_NO_FUZZER,
"app_prediction": EXCEPTION_NO_FUZZER,
@@ -390,6 +391,7 @@
"procstats": EXCEPTION_NO_FUZZER,
"profcollectd": EXCEPTION_NO_FUZZER,
"profiling_service": EXCEPTION_NO_FUZZER,
+ "protolog": EXCEPTION_NO_FUZZER,
"radio.phonesubinfo": EXCEPTION_NO_FUZZER,
"radio.phone": EXCEPTION_NO_FUZZER,
"radio.sms": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..29225ce 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -37,6 +37,7 @@
/sys sysfs
/apex apex_mnt_dir
/bootstrap-apex apex_mnt_dir
+/mnt/vm vm_data_file
/postinstall postinstall_mnt_dir
/postinstall/apex postinstall_apex_mnt_dir
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index 7486c32..5ce168c 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -20767,6 +20767,7 @@
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
+ -hal_tv_tuner_server
} self:{ capability cap_userns } { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
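Review bot: The added `-hal_tv_tuner_server` exemption lets the TV tuner HAL hold `net_admin`/`net_raw` (and, in the following hunks, open UDP and raw IP sockets), but unlike the `hal_uwb_vendor_server` entry just above it carries no comment or bug reference explaining why a tuner needs raw networking. Please add a one-line rationale next to it, e.g. `# hal_tv_tuner_server needs raw sockets for <reason>`, and a tracking bug if the exemption is meant to be temporary. This file is the API snapshot; the matching edit to the live public policy that it mirrors is not visible in this diff, so I could not confirm both are in sync. The enclosing `neverallow` statement starts before the hunk.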
@@ -20789,6 +20790,7 @@
-hal_uwb_vendor_server
-hal_nlinterceptor_server
-hal_bluetooth_server
+ -hal_tv_tuner_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -20802,6 +20804,7 @@
-hal_telephony_server
-hal_nlinterceptor_server
-hal_bluetooth_server
+ -hal_tv_tuner_server
} {
domain
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 6874821..b60e5c4 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -14,4 +14,5 @@
proc_compaction_proactiveness
proc_cgroups
sysfs_udc
+ app_function_service
))
diff --git a/private/crosvm.te b/private/crosvm.te
index 0c2acb9..6f07391 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -40,10 +40,14 @@
apex_virt_data_file
shell_data_file
vendor_microdroid_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
-allow crosvm virtualizationservice_data_file:dir search;
+allow crosvm {
+ virtualizationservice_data_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
+}:dir search;
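Review bot: Adding `vm_data_file` to the `{ getattr read ioctl lock }` set gives crosvm an unfiltered `ioctl` on the early-VM image files, since no `allowxperm crosvm vm_data_file:file ioctl { ... }` accompanies it in this change. If crosvm only needs to read the images, a separate `allow crosvm vm_data_file:file { getattr read lock };` (still under the `RELEASE_AVF_ENABLE_EARLY_VM` guard) would be tighter; if specific ioctls are needed, an `allowxperm` naming them is the usual pattern in this policy. The enclosing `allow` statement starts before the hunk, so the full target set is not visible here.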
# When running a VM as root we get spurious capability denials.
# Suppress them.
@@ -74,6 +78,7 @@
privapp_data_file
apex_compos_data_file
apex_virt_data_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -153,6 +158,7 @@
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
}:file open;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -537,6 +537,7 @@
linkerconfig_file
mirror_data_file
mnt_user_file
+ vm_data_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index 4e332f6..484077c 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -5,4 +5,15 @@
type early_virtmgr_exec, system_file_type, exec_type, file_type;
use_bootstrap_libs(early_virtmgr)
+
+ allow early_virtmgr vm_data_file:dir create_dir_perms;
+ allow early_virtmgr vm_data_file:file create_file_perms;
+
+ ###
+ ### Neverallow rules
+ ###
+
+ # Only crosvm and early_virtmgr can access vm_data_file
+ neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
+ neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
')
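Review bot: The two `neverallow` rules are placed inside the macro that closes at `')` on the last line, whose opening is outside this hunk; given that the matching grants in crosvm.te are wrapped in `is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, ...)`, this looks like a flag guard, which would mean the restrictions on `vm_data_file` vanish when the flag is off even though the type in file.te and the `/mnt/vm` label in file_contexts are unconditional. If that is the case, move the neverallows outside the guard (file.te or a flag-independent spot in this file) so the type is protected in every build configuration. The comment `# Only crosvm and early_virtmgr can access vm_data_file` also overstates the rule: init is exempted for directory writes and dumpstate gets `dir getattr` elsewhere in this change, so something like `# Only early_virtmgr and crosvm may write vm_data_file (init only sets up the mount point); other domains are limited to read-only directory access` would be accurate.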
diff --git a/private/file.te b/private/file.te
index d30465b..038e899 100644
--- a/private/file.te
+++ b/private/file.te
@@ -117,6 +117,9 @@
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /mnt/vm
+type vm_data_file, file_type, core_data_file_type;
+
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
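Review bot: `vm_data_file` is declared with `file_type, core_data_file_type` but not `data_file_type`, unlike the neighbouring `virtualizationservice_data_file` and `environ_system_data_file` declarations, and the `_data_file` name invites the assumption that it has it. If the omission is deliberate because `/mnt/vm` is a mount point under `/mnt` rather than a path under `/data`, say so on the comment line, e.g. `# /mnt/vm (mount point for early-boot VM data; not data_file_type since it is not under /data)`, so the next reader does not "fix" it and accidentally widen the data_file_type neverallows.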
diff --git a/private/file_contexts b/private/file_contexts
index 76f412a..f5da4af 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,7 +432,6 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
@@ -462,6 +461,8 @@
# secure-element service: vendor uuid mapping config file
/(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml u:object_r:vendor_uuid_mapping_config_file:s0
+# APEX packages
+/(odm|vendor/odm|vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
# Input configuration
/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
@@ -921,3 +922,7 @@
# dexopt_chroot_setup inside chroot, in addition to the files and directories
# matching the pattern below.
/mnt/pre_reboot_dexopt(/.*)? u:object_r:pre_reboot_dexopt_file:s0
+
+#############################
+# For early boot VM
+/mnt/vm u:object_r:vm_data_file:s0
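Review bot: The new entry labels only the `/mnt/vm` directory itself, with no `(/.*)?` suffix and no `type_transition` elsewhere in this change, so the files that early_virtmgr is granted `create_file_perms` on will only end up labeled `vm_data_file` if init mounts the filesystem there with a `context=`/`rootcontext=` option (init.rc is not in this diff, so I could not confirm that). Since the `neverallow` on `vm_data_file:file` only protects files that actually carry that label, please document the labeling mechanism here, e.g. `# Mounted by init with context=u:object_r:vm_data_file:s0; contents inherit the label` if that is what init.rc does, or extend the pattern to `/mnt/vm(/.*)?` if the contents are relabeled from file_contexts.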
diff --git a/private/init.te b/private/init.te
index e4bafd8..8ab1aab 100644
--- a/private/init.te
+++ b/private/init.te
@@ -115,6 +115,8 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
+# /mnt/vm, also permissions to mkdir / mount / chmod / chown
+allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };
# allow init to mount and unmount debugfs in debug builds
userdebug_or_eng(`
@@ -305,6 +307,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-misc_logd_file
@@ -324,6 +327,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-credstore_data_file
-exec_type
@@ -351,6 +355,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -383,6 +388,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -408,6 +414,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -439,6 +446,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-privapp_data_file
}:dir_file_class_set relabelto;
diff --git a/private/netd.te b/private/netd.te
index 37581a6..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -79,13 +79,6 @@
allow netd system_file:file lock;
dontaudit netd system_file:dir write;
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 7a27625..7e18be3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -361,7 +361,7 @@
ro.virtual_ab.num_merge_threads u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.num_verify_threads u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.cow_op_merge_size u:object_r:virtual_ab_prop:s0 exact int
-ro.virtual_ab.verify_threshold_block_size u:object_r:virtual_ab_prop:s0 exact int
+ro.virtual_ab.verify_threshold_size u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.verify_block_size u:object_r:virtual_ab_prop:s0 exact int
# OEMs can set this prop at build time to configure how many seconds to delay
diff --git a/private/service.te b/private/service.te
index 6c55ed4..c6580cf 100644
--- a/private/service.te
+++ b/private/service.te
@@ -13,6 +13,7 @@
type mediatuner_service, app_api_service, service_manager_type;
type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type profcollectd_service, service_manager_type;
+type protolog_service, system_api_service, system_server_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
type rkpd_refresh_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index d1eecd5..b4163d8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -176,6 +176,7 @@
')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
+app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
@@ -369,6 +370,7 @@
powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
profiling_service u:object_r:profiling_service:s0
+protolog u:object_r:protolog_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
diff --git a/private/shell.te b/private/shell.te
index f896541..18e3462 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -203,6 +203,9 @@
# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
# a separate process.
binder_call(shell, virtualizationservice)
+# Allow the shell to inspect whether AVF remote attestation is supported
+# through the system property.
+get_prop(shell, avf_virtualizationservice_prop)
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
diff --git a/private/vold.te b/private/vold.te
index 2c1fb8f..339877d 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -235,7 +235,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE BLKROSET BLKROGET };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
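Review bot: Adding `BLKROSET` to vold's dm_device ioctl set lets vold flip the read-only flag on device-mapper block devices, not just query it, and the hunk gives no indication of which operation needs that. A short why-comment above the `allowxperm` line, e.g. `# BLKROSET/BLKROGET: vold toggles and checks the read-only flag on dm devices for <operation>`, would make the widening auditable. If only a query is needed, `BLKROGET` alone would be the tighter grant.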
diff --git a/public/service.te b/public/service.te
index 6ba1dcc..0982629 100644
--- a/public/service.te
+++ b/public/service.te
@@ -68,6 +68,9 @@
type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 745ab13..4b88206 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -382,7 +382,6 @@
char *p, *start;
int result;
- int non_comment_len = 0, cur_non_comment_len = 0;
char *cur_non_comment_text = calloc(1, (end - text) + 1);
char *non_comment_text = cur_non_comment_text;
if (!cur_non_comment_text)