Merge "Allow platform_app:systemui to write protolog file"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 13e359a..4251a9e 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -363,16 +363,13 @@
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
-} {
+neverallow domain {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
@@ -445,7 +442,6 @@
-init
-vendor_init
-toolbox # TODO(b/141108496) We want to remove toolbox
- with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
#
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index a5b71f0..7e26f53 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -123,6 +123,9 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+# Read tombstone_transmit_status_prop to wait for initialization of tombstone_transmit
+get_prop(microdroid_manager, tombstone_transmit_status_prop)
+
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index d983775..1bbe2a9 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,4 +1,5 @@
system_internal_prop(ctl_tombstoned_prop)
+system_restricted_prop(tombstone_transmit_status_prop)
system_restricted_prop(boot_status_prop)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 0d5786c..235ab14 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -161,3 +161,9 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+tombstone_transmit.init_done u:object_r:tombstone_transmit_status_prop:s0 exact bool
+
+# tombstone_transmit.start starts tombstone_transmit after creating a directory
+# assigning the same label as ctl.start$tombstone_transmit
+tombstone_transmit.start u:object_r:ctl_tombstone_transmit_prop:s0 exact bool
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 1887654..4f2b5ab 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -8,3 +8,9 @@
allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
+
+# allow tombstone_transmit to notify its initialization
+set_prop(tombstone_transmit, tombstone_transmit_status_prop)
+
+# Only tombstone_transmit can set its status
+neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..adb3a61 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -789,3 +789,10 @@
integrity
confidentiality
}
+
+class io_uring
+{
+ override_creds
+ sqpoll
+ cmd
+}
diff --git a/private/adbd.te b/private/adbd.te
index 48fa849..d72d5b1 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -49,6 +49,8 @@
# Create and use network sockets.
net_domain(adbd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6231623..5d5723e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,3 +265,31 @@
-mediaprovider
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;
+
+# Do not allow untrusted apps to use anonymous inodes. At the moment,
+# type transitions are the only way to distinguish between different
+# anon_inode usages like userfaultfd and io_uring. This prevents us from
+# creating a more fine-grained neverallow policy for each anon_inode usage.
+neverallow all_untrusted_apps domain:anon_inode *;
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 321e938..d79d2f8 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -30,6 +30,7 @@
;; mapping file compiles with vendor policies without exported_audio_prop type.
(typeattribute exported_audio_prop_28_0)
+;; mapping information from ToT policy's types to 28.0 policy's types.
(expandtypeattribute (accessibility_service_28_0) true)
(expandtypeattribute (account_service_28_0) true)
(expandtypeattribute (activity_service_28_0) true)
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 2e85b23..783950c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
+;; will be compiled along with other normal policy files, on 28.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e7ddf48..7213f95 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 28.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5dba020..7315687 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -14,6 +14,7 @@
(type sysfs_mac_address)
(type wificond_service)
+;; mapping information from ToT policy's types to 29.0 policy's types.
(expandtypeattribute (accessibility_service_29_0) true)
(expandtypeattribute (account_service_29_0) true)
(expandtypeattribute (activity_service_29_0) true)
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index ccd9d1a..0bb2ae8 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 29.0 vendors.
+;; will be compiled along with other normal policy files, on 29.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1079046..e40888d 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 29.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44044fb..83d83ff 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -21,6 +21,7 @@
(typeattribute binder_in_vendor_violators)
+;; mapping information from ToT policy's types to 30.0 policy's types.
(expandtypeattribute (DockObserver_service_30_0) true)
(expandtypeattribute (IProxyService_service_30_0) true)
(expandtypeattribute (accessibility_service_30_0) true)
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 97c5874..b8bd755 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
+;; will be compiled along with other normal policy files, on 30.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ba0a494..0a3d2e9 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 30.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 0e90912..b0df314 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -9,6 +9,7 @@
(type vr_hwc)
(type vr_hwc_exec)
+;; mapping information from ToT policy's types to 31.0 policy's types.
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
(expandtypeattribute (aac_drc_prop_31_0) true)
diff --git a/private/compat/31.0/31.0.compat.cil b/private/compat/31.0/31.0.compat.cil
index 628abfc..787c92a 100644
--- a/private/compat/31.0/31.0.compat.cil
+++ b/private/compat/31.0/31.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
+;; will be compiled along with other normal policy files, on 31.0 vendors.
+;;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index a5a3475..0e39f3e 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 31.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index 3672436..171f0ad 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -9,6 +9,7 @@
(type vr_hwc)
(type vr_hwc_exec)
+;; mapping information from ToT policy's types to 32.0 policy's types.
(expandtypeattribute (DockObserver_service_32_0) true)
(expandtypeattribute (IProxyService_service_32_0) true)
(expandtypeattribute (aac_drc_prop_32_0) true)
diff --git a/private/compat/32.0/32.0.compat.cil b/private/compat/32.0/32.0.compat.cil
index 628abfc..00ac11f 100644
--- a/private/compat/32.0/32.0.compat.cil
+++ b/private/compat/32.0/32.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
+;; will be compiled along with other normal policy files, on 32.0 vendors.
+;;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index d810e0a..ec2a16d 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 32.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 2f8887b..56da496 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -19,6 +19,7 @@
(type wpantund_service)
(type zoneinfo_data_file)
+;; mapping information from ToT policy's types to 33.0 policy's types.
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
(expandtypeattribute (aac_drc_prop_33_0) true)
@@ -2489,7 +2490,10 @@
(typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
(typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
(typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
-(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset untrusted_app_33_0
+ ( untrusted_app
+ untrusted_app_32
+))
(typeattributeset update_engine_33_0 (update_engine))
(typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
(typeattributeset update_engine_exec_33_0 (update_engine_exec))
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 628abfc..53ee8ff 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
+;; will be compiled along with other normal policy files, on 33.0 vendors.
+;;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ede2284..ffa7e4e 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 33.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/credstore.te b/private/credstore.te
index 2d9824b..434808f 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -13,5 +13,5 @@
allow credstore keystore:keystore2 get_attestation_key;
# credstore needs to get keys from the RKPD
-get_prop(credstore, device_config_remote_key_provisioning_native_prop)
+get_prop(credstore, remote_prov_prop)
allow credstore remote_provisioning_service:service_manager find;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 8eb1d29..ca715c1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -45,6 +45,10 @@
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
+# dexoptanalyzer checks the DM files next to dex files. We don't need this check
+# for secondary dex files, but it's not harmful. Just deny it and ignore it.
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
+
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/fastbootd.te b/private/fastbootd.te
index d93ee42..7dc1741 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -50,7 +50,7 @@
hal_client_domain(fastbootd, hal_fastboot)
')
-# io_uring_setup needs ipc_lock and permission to operate anon inodes
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
-
-allow fastbootd self:anon_inode create_file_perms;
+io_uring_use(fastbootd)
diff --git a/private/installd.te b/private/installd.te
index 9673cfd..7615c92 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -47,7 +47,10 @@
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
-allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+allow installd { dex2oat dexoptanalyzer }:process signal;
+
+# installd kills subprocesses if they time out.
+allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/property_contexts b/private/property_contexts
index 8b403ca..5611290 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -573,6 +573,7 @@
bluetooth.core.le.inquiry_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.inquiry_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -1370,6 +1371,9 @@
# Hostname for the remote provisioning server a device should communicate with
remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+# Indicates the system should use rkpd instead of RemoteProvisioner
+remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/private/runas_app.te b/private/runas_app.te
index c1b354a..a5f47f4 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -14,7 +14,7 @@
r_dir_file(runas_app, untrusted_app_all)
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
# Allow executing system image simpleperf without a domain transition.
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d3f065b..d950c3d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -170,7 +170,8 @@
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
diff --git a/private/security_classes b/private/security_classes
index 0d3cc80..99f947f 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -142,6 +142,8 @@
class perf_event
+class io_uring
+
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2f2d3e7..797a6c2 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,8 +8,6 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
-allow snapuserd self:capability ipc_lock;
-
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
@@ -54,9 +52,12 @@
-init
} snapuserd_prop:property_service set;
-allow snapuserd self:anon_inode create_file_perms;
-
# Allow to read/write/create OTA metadata files
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 56e44db..d0f9b24 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 32.
+### targetSdkVersion >= 34.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
@@ -20,4 +20,4 @@
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
\ No newline at end of file
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7e..2c0391f 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,3 +52,10 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_25 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1..163803a 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,10 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_27 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 03f3334..758ed23 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -19,3 +19,9 @@
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_29 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 569c300..830106d 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -21,3 +21,9 @@
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_30 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
new file mode 100644
index 0000000..643c122
--- /dev/null
+++ b/private/untrusted_app_32.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 31 < targetSdkVersion <= 33.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_32 coredomain;
+
+app_domain(untrusted_app_32)
+untrusted_app_domain(untrusted_app_32)
+net_domain(untrusted_app_32)
+bluetooth_domain(untrusted_app_32)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app_32 sdk_sandbox_data_file:fd use;
+allow untrusted_app_32 sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_32 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
+')
diff --git a/public/net.te b/public/net.te
index 31c9c45..aa30b62 100644
--- a/public/net.te
+++ b/public/net.te
@@ -21,6 +21,3 @@
# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/netd.te b/public/netd.te
index 9b8fdb0..e3ea1cb 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,6 +3,8 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/te_macros b/public/te_macros
index 11041b6..ad86a19 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,8 +176,6 @@
dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
')
####################################
@@ -1043,3 +1041,21 @@
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
')
+
+####################################
+# io_uring_use(domain)
+# Allow domain to create/use io_uring.
+define(`io_uring_use', `
+# Set up a type_transition to "io_uring" named anonymous inode object.
+type $1_iouring;
+type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
+# Allow domain to create/use io_uring anon_inode.
+allow $1 $1_iouring:anon_inode { create map read write };
+allow $1 self:io_uring sqpoll;
+# Other domains may not use iouring anon_inodes created by this domain.
+neverallow { domain -$1 } $1_iouring:anon_inode *;
+# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
+# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
+# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
+dontaudit $1 self:global_capability_class_set ipc_lock;
+')
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 0a67614..a4ee6f5 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
###
# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 32.
+# targetSdkVersion >= 34.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
+# 31 < targetSdkVersion <= 33.
+type untrusted_app_32, domain;
+# This file defines the rules for untrusted apps running with
# 29 < targetSdkVersion <= 31.
type untrusted_app_30, domain;
# This file defines the rules for untrusted apps running with
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index ca5ae91..cd61c9a 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -29,9 +29,13 @@
"""This tool generates a mapping file for {ver} core sepolicy."""
temp_dir = ''
-compat_cil_template = ";; This file can't be empty.\n"
-ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
+mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n"
+compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors.
+;; will be compiled along with other normal policy files, on %s vendors.
+;;
+"""
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in %s policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
@@ -484,16 +488,17 @@
f.write(';; types removed from current policy\n')
f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
f.write('\n\n')
+ f.write(mapping_cil_footer % args.target_version)
f.write(mapping_file_cil.unparse())
with open(target_compat_file, 'w') as f:
logging.info('writing %s' % target_compat_file)
- f.write(compat_cil_template)
+ f.write(compat_cil_template % (args.target_version, args.target_version))
with open(target_ignore_file, 'w') as f:
logging.info('writing %s' % target_ignore_file)
f.write(ignore_cil_template %
- ('\n '.join(sorted(target_ignored_types))))
+ (args.target_version, '\n '.join(sorted(target_ignored_types))))
finally:
logging.info('Deleting temporary dir: {}'.format(temp_dir))
shutil.rmtree(temp_dir)