Merge "Add proper permission for AIDL bootcontrol server"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 432ab13..a8eba6c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -79,6 +79,9 @@
# that is different from what is recorded in the instance.img file.
allow microdroid_manager proc_bootconfig:file r_file_perms;
+# Allow microdroid_manager to read/write failure serial device
+allow microdroid_manager serial_device:chr_file w_file_perms;
+
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2b95520..57f28ae 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -116,6 +116,7 @@
ro.build.version.release u:object_r:build_prop:s0 exact string
ro.build.version.sdk u:object_r:build_prop:s0 exact int
ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
ro.debuggable u:object_r:build_prop:s0 exact bool
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.adb.secure u:object_r:build_prop:s0 exact bool
diff --git a/prebuilts/api/32.0/private/system_server.te b/prebuilts/api/32.0/private/system_server.te
index 82b2a1f..6aca000 100644
--- a/prebuilts/api/32.0/private/system_server.te
+++ b/prebuilts/api/32.0/private/system_server.te
@@ -91,7 +91,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/bpfloader.te b/prebuilts/api/33.0/private/bpfloader.te
index d7b27b5..54cc916 100644
--- a/prebuilts/api/33.0/private/bpfloader.te
+++ b/prebuilts/api/33.0/private/bpfloader.te
@@ -6,9 +6,9 @@
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
-allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+allow bpfloader bpffs_type:dir { add_name create remove_name search write };
+allow bpfloader bpffs_type:file { create read rename setattr };
+allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -26,17 +26,21 @@
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
+neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
+neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 4161dc9..c4ee2aa 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -1,6 +1,13 @@
# /proc/config.gz
type config_gz, fs_type, proc_type;
+# /sys/fs/bpf/<dir> for mainline tethering use
+# TODO: move S+ fs_bpf_tethering here from public/file.te
+type fs_bpf_net_private, fs_type, bpffs_type;
+type fs_bpf_net_shared, fs_type, bpffs_type;
+type fs_bpf_netd_readonly, fs_type, bpffs_type;
+type fs_bpf_netd_shared, fs_type, bpffs_type;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/33.0/private/genfs_contexts b/prebuilts/api/33.0/private/genfs_contexts
index 1c604fc..6578470 100644
--- a/prebuilts/api/33.0/private/genfs_contexts
+++ b/prebuilts/api/33.0/private/genfs_contexts
@@ -395,5 +395,9 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
+genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
+genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
+genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/prebuilts/api/33.0/private/netd.te b/prebuilts/api/33.0/private/netd.te
index 30dcd08..4aa288b 100644
--- a/prebuilts/api/33.0/private/netd.te
+++ b/prebuilts/api/33.0/private/netd.te
@@ -6,6 +6,10 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/prebuilts/api/33.0/private/netutils_wrapper.te b/prebuilts/api/33.0/private/netutils_wrapper.te
index af0360f..900b35c 100644
--- a/prebuilts/api/33.0/private/netutils_wrapper.te
+++ b/prebuilts/api/33.0/private/netutils_wrapper.te
@@ -25,7 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index b105938..3cdf884 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -22,6 +22,14 @@
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack mdns_service:service_manager find;
@@ -52,12 +60,57 @@
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
+############### NEVER ALLOW RULES
+# This place is as good as any for these rules,
+# and it is probably the most appropriate because
+# network_stack itself is entirely mainline code.
+#
# Unfortunately init/vendor_init have all sorts of extra privs
+
+# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
+
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
+# netd's access should be readonly
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow netd fs_bpf_netd_readonly:file write;
+
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
+# netutils_wrapper requires access to be able to run iptables and only needs readonly access
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow netutils_wrapper fs_bpf_netd_shared:file write;
+
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
+
+# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
diff --git a/prebuilts/api/33.0/private/remote_prov_app.te b/prebuilts/api/33.0/private/remote_prov_app.te
index 43b69d2..f49eb63 100644
--- a/prebuilts/api/33.0/private/remote_prov_app.te
+++ b/prebuilts/api/33.0/private/remote_prov_app.te
@@ -10,5 +10,6 @@
allow remote_prov_app {
app_api_service
+ mediametrics_service
remoteprovisioning_service
}:service_manager find;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index ba097f2..bb02047 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -159,11 +159,14 @@
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+ { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
@@ -180,6 +183,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
@@ -472,9 +478,9 @@
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
@@ -1148,7 +1154,8 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
index da24012..de3d0ca 100644
--- a/prebuilts/api/33.0/public/app.te
+++ b/prebuilts/api/33.0/public/app.te
@@ -53,7 +53,8 @@
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+ domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
diff --git a/prebuilts/api/33.0/public/attributes b/prebuilts/api/33.0/public/attributes
index 906dbcd..742264a 100644
--- a/prebuilts/api/33.0/public/attributes
+++ b/prebuilts/api/33.0/public/attributes
@@ -10,6 +10,9 @@
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
+# Attribute for all bpf filesystem subtypes.
+attribute bpffs_type;
+
# All types used for processes.
attribute domain;
diff --git a/prebuilts/api/33.0/public/file.te b/prebuilts/api/33.0/public/file.te
index 9d333f5..2bfa282 100644
--- a/prebuilts/api/33.0/public/file.te
+++ b/prebuilts/api/33.0/public/file.te
@@ -129,9 +129,10 @@
userdebug_or_eng(`
typeattribute sysfs_vendor_sched mlstrustedobject;
')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type fs_bpf_vendor, fs_type;
+type fs_bpf, fs_type, bpffs_type;
+# TODO: S+ fs_bpf_tethering (used by mainline) should be private
+type fs_bpf_tethering, fs_type, bpffs_type;
+type fs_bpf_vendor, fs_type, bpffs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index fa96726..0e22670 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -2437,6 +2437,7 @@
define(`TUNGETSNDBUF', `0x800454d3')
define(`TUNGETVNETHDRSZ', `0x800454d7')
define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
define(`TUNSETDEBUG', `0x400454c9')
define(`TUNSETGROUP', `0x400454ce')
define(`TUNSETIFF', `0x400454ca')
diff --git a/prebuilts/api/33.0/public/netd.te b/prebuilts/api/33.0/public/netd.te
index 64b4c7d..7c7655e 100644
--- a/prebuilts/api/33.0/public/netd.te
+++ b/prebuilts/api/33.0/public/netd.te
@@ -64,8 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:file { read write };
-
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d7b27b5..54cc916 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,9 +6,9 @@
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
-allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+allow bpfloader bpffs_type:dir { add_name create remove_name search write };
+allow bpfloader bpffs_type:file { create read rename setattr };
+allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -26,17 +26,21 @@
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
+neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
+neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 3a096be..d71298a 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -10,6 +10,10 @@
(type iorapd_exec)
(type iorapd_service)
(type iorapd_tmpfs)
+(type timezone_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type zoneinfo_data_file)
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index f15e8f3..305116c 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,8 +5,10 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
hal_bootctl_service
+ permissive_mte_prop
system_net_netd_service
virtual_face_hal_prop
virtual_fingerprint_hal_prop
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 0a281f8..5b3615e 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -6,9 +6,10 @@
binder_use(compos_verify);
virtualizationservice_use(compos_verify);
-# Access instance image files
+# Read instance image & write VM logs
allow compos_verify apex_module_data_file:dir search;
-r_dir_file(compos_verify, apex_compos_data_file)
+allow compos_verify apex_compos_data_file:dir rw_dir_perms;
+allow compos_verify apex_compos_data_file:file { rw_file_perms create };
# Read CompOS info & signature files
allow compos_verify apex_art_data_file:dir search;
diff --git a/private/domain.te b/private/domain.te
index af50226..81e781e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,11 @@
# Read access to bq configuration values
get_prop(domain, bq_config_prop);
+# Allow all domains to check whether MTE is set to permissive mode.
+get_prop(domain, permissive_mte_prop);
+
+get_prop(domain, device_config_memory_safety_native_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
diff --git a/private/file.te b/private/file.te
index 4161dc9..c4ee2aa 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,6 +1,13 @@
# /proc/config.gz
type config_gz, fs_type, proc_type;
+# /sys/fs/bpf/<dir> for mainline tethering use
+# TODO: move S+ fs_bpf_tethering here from public/file.te
+type fs_bpf_net_private, fs_type, bpffs_type;
+type fs_bpf_net_shared, fs_type, bpffs_type;
+type fs_bpf_netd_readonly, fs_type, bpffs_type;
+type fs_bpf_netd_shared, fs_type, bpffs_type;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e27cbe9..09b53b5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -325,7 +325,6 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
@@ -652,7 +651,6 @@
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 54ecd45..cef7bde 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -25,6 +25,7 @@
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1c604fc..6578470 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,5 +395,9 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
+genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
+genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
+genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/netd.te b/private/netd.te
index 30dcd08..4aa288b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,6 +6,10 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index af0360f..900b35c 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/private/network_stack.te b/private/network_stack.te
index 24d2c66..3cdf884 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -60,8 +60,8 @@
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Use XFRM (IPsec) netlink sockets
@@ -71,8 +71,46 @@
allow network_stack tun_device:chr_file rw_file_perms;
allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+############### NEVER ALLOW RULES
+# This place is as good as any for these rules,
+# and it is probably the most appropriate because
+# network_stack itself is entirely mainline code.
+#
# Unfortunately init/vendor_init have all sorts of extra privs
+
+# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
+
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
+# netd's access should be readonly
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow netd fs_bpf_netd_readonly:file write;
+
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
+# netutils_wrapper requires access to be able to run iptables and only needs readonly access
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow netutils_wrapper fs_bpf_netd_shared:file write;
+
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
+
+# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
diff --git a/private/perfetto.te b/private/perfetto.te
index 0904a67..45fa60b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -116,17 +116,13 @@
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto {
data_file_type
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
diff --git a/private/platform_app.te b/private/platform_app.te
index b723633..972593f 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,7 +67,6 @@
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 2b86612..8d33c24 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -259,6 +259,7 @@
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -742,6 +743,7 @@
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
ro.arch u:object_r:build_prop:s0 exact string
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 43b69d2..f49eb63 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -10,5 +10,6 @@
allow remote_prov_app {
app_api_service
+ mediametrics_service
remoteprovisioning_service
}:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index 5049f25..8aa7497 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -349,7 +349,6 @@
texttospeech u:object_r:texttospeech_service:s0
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
-timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
diff --git a/private/su.te b/private/su.te
index 587f449..2496473 100644
--- a/private/su.te
+++ b/private/su.te
@@ -27,4 +27,6 @@
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+ # Allow root to set MTE permissive mode.
+ set_prop(su, permissive_mte_prop);
')
diff --git a/private/system_server.te b/private/system_server.te
index 81cde09..d3ad100 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -623,10 +623,6 @@
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
@@ -762,6 +758,7 @@
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
# Allow query ART device config properties
@@ -1164,7 +1161,8 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
diff --git a/private/toolbox.te b/private/toolbox.te
index 1e53d72..5878997 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -5,3 +5,8 @@
# rm -rf in /data/misc/virtualizationservice
allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
allow toolbox virtualizationservice_data_file:file { getattr unlink };
+
+# If we can't remove these directories we try to chmod them. That
+# doesn't work, but it doesn't matter as virtualizationservice itself
+# will delete them when it starts. See b/235338094#comment39
+dontaudit toolbox virtualizationservice_data_file:dir setattr;
diff --git a/private/traced.te b/private/traced.te
index 6810c35..3029094 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -93,15 +93,11 @@
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced {
data_file_type
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-trace_data_file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f2be14d..204ea08 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -139,15 +139,11 @@
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes {
data_file_type
- -zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
-game_mode_intervention_list_file
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/public/attributes b/public/attributes
index 906dbcd..742264a 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,6 +10,9 @@
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
+# Attribute for all bpf filesystem subtypes.
+attribute bpffs_type;
+
# All types used for processes.
attribute domain;
diff --git a/public/domain.te b/public/domain.te
index 5054aa6..8fba442 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -227,11 +227,10 @@
# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
+# libc references /system/usr/share/zoneinfo for timezone related information.
# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)
@@ -836,11 +835,6 @@
-vendor_init
} {
core_data_file_type
- # libc includes functions like mktime and localtime which attempt to access
- # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
- # These functions are considered vndk-stable and thus must be allowed for
- # all processes.
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
neverallow {
@@ -849,7 +843,6 @@
} {
core_data_file_type
-unencrypted_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -870,7 +863,6 @@
-system_data_root_file
-vendor_userdir_file
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow {
@@ -883,7 +875,6 @@
-system_data_root_file
-vendor_userdir_file
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 52eb3ff..9f19b3f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -112,6 +112,9 @@
sysfs_zram
}:file r_file_perms;
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
@@ -328,6 +331,7 @@
mnt_vendor_file
mirror_data_file
mnt_user_file
+ mnt_product_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
diff --git a/public/file.te b/public/file.te
index f0ddb37..eb55210 100644
--- a/public/file.te
+++ b/public/file.te
@@ -129,9 +129,10 @@
userdebug_or_eng(`
typeattribute sysfs_vendor_sched mlstrustedobject;
')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type fs_bpf_vendor, fs_type;
+type fs_bpf, fs_type, bpffs_type;
+# TODO: S+ fs_bpf_tethering (used by mainline) should be private
+type fs_bpf_tethering, fs_type, bpffs_type;
+type fs_bpf_vendor, fs_type, bpffs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
@@ -450,7 +451,6 @@
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 069da47..29bab48 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -42,7 +42,6 @@
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
- -zoneinfo_data_file # granted to domain
with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1315b8f..44786fc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -67,7 +67,6 @@
# descriptor opened outside the process.
neverallow mediaextractor {
data_file_type
- -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
with_native_coverage(`-method_trace_data_file')
}:file open;
diff --git a/public/netd.te b/public/netd.te
index bdd721a..9b8fdb0 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:file { read write };
-
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
diff --git a/public/property.te b/public/property.te
index 98cabd1..9b538cf 100644
--- a/public/property.te
+++ b/public/property.te
@@ -193,6 +193,7 @@
system_public_prop(ctl_stop_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
+system_public_prop(device_config_memory_safety_native_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
system_public_prop(exported_bluetooth_prop)
@@ -212,6 +213,7 @@
system_public_prop(lowpan_prop)
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
+system_public_prop(permissive_mte_prop)
system_public_prop(powerctl_prop)
system_public_prop(qemu_hw_prop)
system_public_prop(qemu_sf_lcd_density_prop)
diff --git a/public/service.te b/public/service.te
index d7cf74c..cba419e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -228,7 +228,6 @@
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 8570260..496061c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -60,7 +60,6 @@
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 0a87a13..79c55de 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -44,6 +44,9 @@
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
+def TestBpffsTypeViolations(pol):
+ return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")
+
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -128,6 +131,7 @@
Option.take_action(self, action, dest, opt, value, values, parser)
Tests = [
+ "TestBpffsTypeViolations",
"TestDataTypeViolators",
"TestProcTypeViolations",
"TestSysfsTypeViolations",
@@ -175,6 +179,8 @@
results = ""
# If an individual test is not specified, run all tests.
+ if options.test is None or "TestBpffsTypeViolations" in options.test:
+ results += TestBpffsTypeViolations(pol)
if options.test is None or "TestDataTypeViolations" in options.test:
results += TestDataTypeViolations(pol)
if options.test is None or "TestProcTypeViolations" in options.test:
diff --git a/vendor/file_contexts b/vendor/file_contexts
index dd1e4a1..3646d4b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -22,12 +22,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0