Merge "Clean up APEX-related `otapreopt_chroot` policies."
diff --git a/Android.mk b/Android.mk
index a6c4f2a..eed488a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -217,12 +217,6 @@
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
-ifneq ($(TARGET_BUILD_VARIANT), user)
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
-endif
-
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
@@ -293,6 +287,12 @@
product_sepolicy_and_mapping.sha256 \
endif
+
+ifneq ($(TARGET_BUILD_VARIANT), user)
+LOCAL_REQUIRED_MODULES += \
+ selinux_denial_metadata \
+
+endif
include $(BUILD_PHONY_PACKAGE)
#################################
@@ -1085,7 +1085,7 @@
LOCAL_MODULE := selinux_denial_metadata
LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
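Review bot: The install location of selinux_denial_metadata moves from $(TARGET_OUT) to $(TARGET_OUT_VENDOR) at L32 without a comment recording why, and whatever reads the file is outside this diff, so it cannot be confirmed from here that the reader has been taught the new location. Add a one-line comment above LOCAL_MODULE_PATH, e.g. `# Installed on the vendor partition; keep in sync with the path the consumer reads.`, and double-check the consumer. The relocation of the `ifneq ($(TARGET_BUILD_VARIANT), user)` block in the two earlier hunks of this file looks like a pure move, though the enclosing conditional structure is not visible in those hunks.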
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index 784ad54..a14e14b 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,4 @@
-(/.*)? u:object_r:system_file:s0
-/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
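Review bot: Moving the two pre-existing entries below the new hook lines at L43-L44 does not, as far as I can tell, change how they resolve: file_contexts matching is decided by specificity, so the exact `/bin/...` paths already take precedence over the `(/.*)?` catch-all regardless of line order, and the reorder only adds churn to the hunk. Keeping the old lines in place and appending the two new entries gives the same labels with a two-line diff. A short comment such as `# Test pre/post-install hooks; the exec type carries rules only in debuggable builds (see apex_test_prepostinstall.te).` would also explain why these hooks get a dedicated type that is inert on user builds.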
diff --git a/private/apex_test_prepostinstall.te b/private/apex_test_prepostinstall.te
new file mode 100644
index 0000000..f1bc214
--- /dev/null
+++ b/private/apex_test_prepostinstall.te
@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # /dev/zero
+ allow apex_test_prepostinstall apexd:fd use;
+ # Logwrapper.
+ create_pty(apex_test_prepostinstall)
+ # Logwrapper executing sh.
+ allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+ # Logwrapper exec.
+ allow apex_test_prepostinstall system_file:file execute_no_trans;
+ # Ls.
+ allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')
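Review bot: L67 grants `execute_no_trans` on every `system_file`, which lets this domain run any system_file-labelled binary in its own context, while the comment `# Logwrapper exec.` names a single binary. If logwrapper has no dedicated exec type this is the only option, but the comment should say so, e.g. `# logwrapper is labelled system_file (no dedicated exec type), so this is broader than the one binary needed.` The `# /dev/zero` comment at L60 describes `apexd:fd use` only indirectly — `fd use` permits inheriting apexd's descriptor, and access to the device itself presumably comes from rules elsewhere — so `# Inherit apexd's descriptor (opened on /dev/zero); device access itself is granted elsewhere.` is clearer. The header at L51-L54 could also note that the types at L56-L57 exist on all builds but carry rules only under userdebug_or_eng, so the domain is inert on user builds.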
diff --git a/private/apexd.te b/private/apexd.te
index 5beaa4b..4a496e5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -70,6 +70,20 @@
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Allow to execute shell for pre- and postinstall scripts. A transition
+# rule is required, thus restricted to execute and not execute_no_trans.
+allow apexd shell_exec:file { r_file_perms execute };
+
+# Allow transition to test APEX preinstall domain.
+userdebug_or_eng(`
+ domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
+')
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
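Review bot: The `shell_exec:file { r_file_perms execute }` grant at L85 is unconditional, but the only transition that can make use of it — the `domain_auto_trans(...)` at L89 — is wrapped in userdebug_or_eng, and `execute` without either a transition or `execute_no_trans` cannot complete an exec, so on user builds L85 is unused by anything in this diff. Either move L83-L85 into the same userdebug_or_eng block, or extend the comment to say that production hooks are expected to add their own exec types and transitions, e.g. `# Production hooks need a dedicated exec type plus a domain_auto_trans; none exists yet.` The self-exec rule at L81 is fine as documented.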
diff --git a/private/audioserver.te b/private/audioserver.te
index 445413e..53b6299 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -32,6 +32,7 @@
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
+allow audioserver external_vibrator_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7c1a78d..a8a833a 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -42,6 +42,7 @@
gsid
gsid_exec
color_display_service
+ external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
hal_health_storage_hwservice
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9a6a300..3d3433e 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -24,6 +24,9 @@
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
allow ephemeral_app app_data_file:file { r_file_perms execute };
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
+
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
diff --git a/private/priv_app.te b/private/priv_app.te
index 9232bd0..71e787f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -28,6 +28,8 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
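Review bot: The new `privapp_data_file:lnk_file create_file_perms` rule at L138 sits directly under the `# TODO: Tighten (b/112357170)` comment and the `execute` rule it refers to, so it reads as if the TODO covers it; give it its own comment stating its purpose, e.g. `# Allow priv-apps to create symlinks in their data dir; untrusted and ephemeral apps may follow them (dynamite).` Note that this grants lnk_file only, which matters because app.te in this same change stops granting sock_file and fifo_file to app domains generically.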
@@ -231,3 +233,6 @@
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/private/service_contexts b/private/service_contexts
index 2ad99eb..4ce5566 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -59,6 +59,7 @@
dumpstate u:object_r:dumpstate_service:s0
econtroller u:object_r:radio_service:s0
euicc_card_controller u:object_r:radio_service:s0
+external_vibrator_service u:object_r:external_vibrator_service:s0
lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
@@ -86,6 +87,7 @@
imms u:object_r:imms_service:s0
ipmemorystore u:object_r:ipmemorystore_service:s0
ipsec u:object_r:ipsec_service:s0
+ircs u:object_r:radio_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 9b91806..712a360 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,6 +25,12 @@
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
+
+# Allow handling of less common filesystem objects
+allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
+
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
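Review bot: L181 lets untrusted apps create symlinks in app_data_file, and the protection against a privileged app following them is the new neverallow in priv_app.te rather than anything in this file; the comment at L180 should point there so the two rules are not loosened independently, e.g. `# Symlinks created here must never be followed by priv_app (see the neverallow in priv_app.te).` The `privapp_data_file:lnk_file r_file_perms` grant at L178 mirrors the ephemeral_app rule and is fine as commented.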
diff --git a/public/app.te b/public/app.te
index 6e760d1..18603b6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,7 +66,7 @@
# App sandbox file accesses.
allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
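Review bot: Narrowing `notdevfile_class_set` to `file` at L194 removes lnk_file, sock_file and fifo_file permissions on app_data_file and privapp_data_file from every non-isolated app domain, but this change only restores them for untrusted_app_all (L181, app_data_file only) and lnk_file creation for priv_app on privapp_data_file (L138); ephemeral_app, priv_app (sock_file/fifo_file) and the other appdomain members such as system_app and platform_app keep none of them unless granted elsewhere. Unix-domain sockets and fifos inside an app's data directory are a common pattern, so confirm those domains do not need them or add the compensating rules in the same change. A comment at L194 naming where the per-domain grants live, e.g. `# lnk_file/sock_file/fifo_file are granted per domain (see untrusted_app_all.te, priv_app.te).`, would make the split read as intentional.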
diff --git a/public/service.te b/public/service.te
index 21f7648..ad5fc0a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -82,6 +82,7 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
+type external_vibrator_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;