Merge changes Ib9972bcd,I87d18451 into main

* changes:
  Use OutputFilesProvider on certain module types
  Use OutputFilesProvider on certain module types
diff --git a/private/property.te b/private/property.te
index a55bfb2..19513d9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -74,6 +74,9 @@
 system_restricted_prop(persist_sysui_builder_extras_prop)
 system_restricted_prop(persist_sysui_ranking_update_prop)
 
+# Properties which should only be written by vendor_init
+system_vendor_config_prop(avf_virtualizationservice_prop)
+
 typeattribute log_prop log_property_type;
 typeattribute log_tag_prop log_property_type;
 typeattribute wifi_log_prop log_property_type;
diff --git a/private/property_contexts b/private/property_contexts
index f2cd2d6..9b48082 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -753,6 +753,9 @@
 ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
 ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
 
+# Allow the vendor to disable the remote attestation feature at boot-time.
+avf.remote_attestation.enabled u:object_r:avf_virtualizationservice_prop:s0 exact bool
+
 hypervisor.pvmfw.path                              u:object_r:hypervisor_pvmfw_prop:s0 exact string
 hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
 
diff --git a/private/system_app.te b/private/system_app.te
index 5016a40..e0ed8c3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -13,7 +13,7 @@
 # android.ui and system.ui
 allow system_app rootfs:dir getattr;
 
-# Read and write /data/data subdirectory.
+# read/write certain subdirectories of /data/data for system UID apps.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
 
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 72cc0a6..9b3cfcf 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -61,6 +61,7 @@
 
 # Let virtualizationmanager to accept vsock connection from the guest VMs
 allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+neverallow { domain -virtualizationmanager } virtualizationmanager:vsock_socket { accept bind create connect listen };
 
 # Allow virtualizationmanager to inspect all hypervisor capabilities.
 get_prop(virtualizationmanager, hypervisor_prop)
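Review bot: The new neverallow on the vsock_socket class carries no comment explaining its intent, unlike every other rule in this file, and the same applies to the matching neverallow added to virtualizationservice.te in the later hunk. A one-liner makes the restriction auditable: `# No other domain may create, bind, listen on or connect to virtualizationmanager's vsock sockets; only the manager itself accepts guest connections.` It is also worth a word on why `read`/`write` are left out of the denied set if that is deliberate (for example because accepted sockets are handed to other processes), since a reader will otherwise wonder whether the list is complete.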
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index b5c04af..3d0aac0 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -34,6 +34,10 @@
 # pVM remote attestation.
 hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
 
+# Allow the virtualizationservice to inspect whether remote attestation is supported
+# through the system property.
+get_prop(virtualizationservice, avf_virtualizationservice_prop)
+
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
 allow virtualizationservice permission_service:service_manager find;
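Review bot: The comment on the new get_prop line says the property reports whether remote attestation is "supported", while property_contexts documents avf.remote_attestation.enabled as a vendor switch to disable the feature; the two should agree so nobody reads the property as a hardware capability flag. Suggest `# Allow virtualizationservice to read the vendor-set property that says whether remote attestation is enabled (avf.remote_attestation.enabled).`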
@@ -83,6 +87,7 @@
 # Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
 # such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
diff --git a/private/vold.te b/private/vold.te
index 7716bd1..2c1fb8f 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -63,16 +63,14 @@
 allow vold keystore:keystore2 delete_all_keys;
 
 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-    # Allow vold to encrypt storage area directories on behalf of apps.
-    allow vold {
-        storage_area_dir
-        storage_area_app_dir
-    }:dir {
-        getattr
-        ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
+    allow vold storage_area_app_dir:dir search;
+    # Allow vold to get the encryption policy and
+    # verify the ownership of storage areas
+    allow vold storage_area_dir:dir {
+        read
         open
-        read # for open(O_RDONLY) for ioctl
-        search
+        getattr
+        ioctl
     };
 ')
 
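Review bot: The `ioctl` granted to vold on storage_area_dir:dir in the rewritten block has no allowxperm narrowing it, so every ioctl on those directories is permitted; the removed comment tied it to FS_IOC_SET_ENCRYPTION_POLICY and the new one to getting the policy, but the rule itself no longer says which command is meant. Name the intended command in the comment and, if ioctl_defines provides it, pin it with `allowxperm vold storage_area_dir:dir ioctl FS_IOC_GET_ENCRYPTION_POLICY;`. Separately, `search` is dropped for storage_area_dir (it was granted on both types before); presumably intentional because vold only needs to reach the storage area itself, but a word in the comment would stop it being read as an accidental regression.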
@@ -409,6 +407,7 @@
   -vold
   -init
   -vendor_init
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` -vold_prepare_subdirs ')
 } data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
 
 # Only vold should ever add/remove file-based encryption keys.
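Review bot: The new `-vold_prepare_subdirs` exemption lifts the FS_IOC_SET_ENCRYPTION_POLICY neverallow for all of data_file_type, and the rule that narrows it back to storage_area_dir lives in vold_prepare_subdirs.te; a comment here should point at that so the exemption is not mistaken for a broad grant, e.g. `# vold_prepare_subdirs may only set the policy on storage_area_dir; see the neverallowxperm in vold_prepare_subdirs.te`. The neverallow statement itself begins above this hunk.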
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 1dc00b2..44c9ea5 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -75,6 +75,15 @@
   type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
 
   selinux_check_context(vold_prepare_subdirs)
+
+  allowxperm vold_prepare_subdirs storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
+')
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallowxperm vold_prepare_subdirs {
+    data_file_type
+    -storage_area_dir
+  }:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
 ')
 
 # Migrate legacy labels to apex_system_server_data_file (b/217581286)
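Review bot: The allowxperm at the top of the hunk only takes effect alongside a base `allow vold_prepare_subdirs storage_area_dir:dir ioctl;`, and no such allow is visible here; the enclosing is_flag_enabled block starts above the hunk, so confirm the base permission is granted there, otherwise the xperm rule is dead. On style, the neverallowxperm is placed in a second is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ...) block immediately after the first one closes; folding it into the first block before its `')` avoids two guards on the same flag back to back. A short comment such as `# The set-encryption-policy ioctl is restricted to storage area directories` above the neverallowxperm would also state its purpose.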