Merge "Allow dumpstate to exec derive_sdk"
diff --git a/Android.mk b/Android.mk
index 8f0b37c..bd2bd56 100644
--- a/Android.mk
+++ b/Android.mk
@@ -478,7 +478,6 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/apex/Android.bp b/apex/Android.bp
index 8c9db86..c4080ca 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -99,6 +99,13 @@
}
filegroup {
+ name: "com.android.federatedcompute-file_contexts",
+ srcs: [
+ "com.android.federatedcompute-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.geotz-file_contexts",
srcs: [
"com.android.geotz-file_contexts",
@@ -272,3 +279,17 @@
"com.android.healthconnect-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.rkpd-file_contexts",
+ srcs: [
+ "com.android.rkpd-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.devicelock-file_contexts",
+ srcs: [
+ "com.android.devicelock-file_contexts",
+ ],
+}
diff --git a/apex/com.android.devicelock-file_contexts b/apex/com.android.devicelock-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.devicelock-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.federatedcompute-file_contexts b/apex/com.android.federatedcompute-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.federatedcompute-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 0000000..4424c8a
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/rkpd u:object_r:rkpd_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7a7f61f..05e55ba 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -23,17 +23,21 @@
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": []string{},
"android.hardware.boot.IBootControl/default": []string{},
"android.hardware.automotive.evs.IEvsEnumerator/hw/1": []string{},
+ "android.hardware.automotive.remoteaccess.IRemoteAccess/default": []string{},
"android.hardware.automotive.vehicle.IVehicle/default": []string{},
"android.hardware.automotive.audiocontrol.IAudioControl/default": []string{},
"android.hardware.biometrics.face.IFace/default": []string{},
"android.hardware.biometrics.fingerprint.IFingerprint/default": []string{},
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": []string{},
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": []string{},
+ "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{},
+ "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{},
"android.hardware.camera.provider.ICameraProvider/internal/0": []string{},
"android.hardware.contexthub.IContextHub/default": []string{},
"android.hardware.drm.IDrmFactory/clearkey": []string{},
"android.hardware.drm.ICryptoFactory/clearkey": []string{},
"android.hardware.dumpstate.IDumpstateDevice/default": []string{},
+ "android.hardware.gatekeeper.IGatekeeper/default": []string{},
"android.hardware.gnss.IGnss/default": []string{},
"android.hardware.graphics.allocator.IAllocator/default": []string{},
"android.hardware.graphics.composer3.IComposer/default": []string{},
@@ -168,6 +172,7 @@
"country_detector": []string{},
"coverage": []string{},
"cpuinfo": []string{},
+ "credential": []string{},
"crossprofileapps": []string{},
"dataloader_manager": []string{},
"dbinfo": []string{},
@@ -175,6 +180,7 @@
"device_policy": []string{},
"device_identifiers": []string{},
"deviceidle": []string{},
+ "device_lock": []string{},
"device_state": []string{},
"devicestoragemonitor": []string{},
"diskstats": []string{},
@@ -208,6 +214,7 @@
"hardware": []string{},
"hardware_properties": []string{},
"hdmi_control": []string{},
+ "healthconnect": []string{},
"ions": []string{},
"idmap": []string{},
"incident": []string{},
@@ -310,6 +317,8 @@
"resolver": []string{},
"resources": []string{},
"restrictions": []string{},
+ "rkpd.registrar": []string{},
+ "rkpd.refresh": []string{},
"role": []string{},
"rollback": []string{},
"rttmanager": []string{},
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
index 3c47764..ffe4660 100644
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -7,87 +7,9 @@
(sid amend)
(sidorder (amend))
-(classorder (file service_manager))
+(classorder (file))
;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
(type shell)
(type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
-
-;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
-(class service_manager (add find list ))
-
-(type activity_service)
-(type activity_task_service)
-(type appops_service)
-(type audioserver_service)
-(type audio_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type connectivity_service)
-(type connmetrics_service)
-(type deviceidle_service)
-(type display_service)
-(type dropbox_service)
-(type font_service)
-(type game_service)
-(type gpu_service)
-(type graphicsstats_service)
-(type hardware_properties_service)
-(type hint_service)
-(type imms_service)
-(type input_method_service)
-(type input_service)
-(type IProxyService_service)
-(type ipsec_service)
-(type launcherapps_service)
-(type legacy_permission_service)
-(type light_service)
-(type locale_service)
-(type media_communication_service)
-(type mediaextractor_service)
-(type mediametrics_service)
-(type media_projection_service)
-(type media_router_service)
-(type mediaserver_service)
-(type media_session_service)
-(type memtrackproxy_service)
-(type midi_service)
-(type netpolicy_service)
-(type netstats_service)
-(type network_management_service)
-(type notification_service)
-(type package_service)
-(type permission_checker_service)
-(type permissionmgr_service)
-(type permission_service)
-(type platform_compat_service)
-(type power_service)
-(type procstats_service)
-(type registry_service)
-(type restrictions_service)
-(type rttmanager_service)
-(type sdk_sandbox)
-(type search_service)
-(type selection_toolbar_service)
-(type sensor_privacy_service)
-(type sensorservice_service)
-(type servicediscovery_service)
-(type settings_service)
-(type speech_recognition_service)
-(type statusbar_service)
-(type storagestats_service)
-(type surfaceflinger_service)
-(type system_linker_exec)
-(type telecom_service)
-(type tethering_service)
-(type textclassification_service)
-(type textservices_service)
-(type texttospeech_service)
-(type thermal_service)
-(type translation_service)
-(type tv_iapp_service)
-(type tv_input_service)
-(type uimode_service)
-(type vcn_management_service)
-(type webviewupdate_service)
+(class file (ioctl read getattr lock map open watch watch_reads))
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
deleted file mode 100644
index 7c7b15b..0000000
--- a/com.android.sepolicy/33/sdk_sandbox.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 26dffe5..f4bb79b 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,18 +2,6 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
-# Allow using various binder services
-binder_use(compos);
-allow compos authfs_binder_service:service_manager find;
-binder_call(compos, authfs_service);
-
-# Read artifacts created by odrefresh and create signature files.
-allow compos authfs_fuse:dir rw_dir_perms;
-allow compos authfs_fuse:file create_file_perms;
-
-# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir search;
-
# Run derive_classpath in our domain
allow compos derive_classpath_exec:file rx_file_perms;
allow compos apex_mnt_dir:dir r_dir_perms;
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index 56f8d2a..b117d0c 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -9,8 +9,8 @@
# Allow using DICE binder service
binder_use(compos_key_helper);
allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, diced);
-allow compos_key_helper diced:diced { get_attestation_chain derive };
+binder_call(compos_key_helper, dice_service);
+allow compos_key_helper dice_service:diced { get_attestation_chain derive };
# Communicate with compos via stdin/stdout pipes
allow compos_key_helper compos:fd use;
diff --git a/microdroid/system/private/dice_service.te b/microdroid/system/private/dice_service.te
new file mode 100644
index 0000000..341108c
--- /dev/null
+++ b/microdroid/system/private/dice_service.te
@@ -0,0 +1,24 @@
+type dice_service, domain, coredomain;
+type dice_service_exec, system_file_type, exec_type, file_type;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute dice_service no_crash_dump_domain;
+
+# dice_service can be started by init.
+init_daemon_domain(dice_service)
+
+# dice_service hosts AIDL services.
+binder_use(dice_service)
+binder_service(dice_service)
+add_service(dice_service, dice_node_service)
+add_service(dice_service, dice_maintenance_service)
+
+# dice_service can check SELinux permissions.
+selinux_check_access(dice_service)
+
+# dice_service is using bootstrap bionic.
+use_bootstrap_libs(dice_service)
+
+# Read config from the device tree and open-dice driver.
+allow dice_service sysfs_dt_avf:file r_file_perms;
+allow dice_service open_dice_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
deleted file mode 100644
index 2dba244..0000000
--- a/microdroid/system/private/diced.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type diced, domain, coredomain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute diced no_crash_dump_domain;
-
-# diced can be started by init
-init_daemon_domain(diced)
-
-# diced can talk to dice HAL
-hal_client_domain(diced, hal_dice)
-
-# diced hosts AIDL services
-binder_use(diced)
-binder_service(diced)
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# diced can check SELinux permissions.
-selinux_check_access(diced)
-
-# diced is using bootstrap bionic
-use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 152063c..a81bdc1 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -105,7 +105,7 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/dice-service.microdroid u:object_r:dice_service_exec:s0
/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de58326..d9d533a 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,9 +9,9 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-# Talk to binder services (for diced)
+# Talk to binder services (for dice_service)
binder_use(microdroid_app);
allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, diced);
-allow microdroid_app diced:diced { get_attestation_chain derive };
+binder_call(microdroid_app, dice_service);
+allow microdroid_app dice_service:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d4ad862..06fb979 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -45,20 +45,21 @@
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
-# microdroid_manager can talk to diced over binder
+# microdroid_manager can talk to dice_service over binder
binder_use(microdroid_manager)
-binder_call(microdroid_manager, diced)
+binder_call(microdroid_manager, dice_service)
allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager diced:diced { derive demote_self };
+allow microdroid_manager dice_service:diced { derive demote_self };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
+# Allow microdroid_manager to start various services
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_authfs_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
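Review bot: The replacement comment `# Allow microdroid_manager to start various services` is vaguer than the one it replaces and no longer tells a reader that these are init-mediated starts rather than direct execs. Each set_prop line names its ctl_*_prop, so repeating the service list is unnecessary, but the mechanism should be stated, e.g. `# Allow microdroid_manager to ask init to start services via ctl.start$<service> (see property_contexts).`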
@@ -93,4 +94,14 @@
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager,
+# in their own domains.
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
+neverallow microdroid_manager {
+ domain
+ -crash_dump
+ -microdroid_payload
+ -apkdmverity
+ -zipfuse
+ -kexec
+}:process transition;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fd36b02..4ea187b 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,16 +27,6 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
-neverallow microdroid_manager {
- domain
- -crash_dump
- -microdroid_payload
- -apkdmverity
- -zipfuse
- -kexec
-}:process transition;
-
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
@@ -45,3 +35,15 @@
# Payload can read /proc/meminfo.
allow microdroid_payload proc_meminfo:file r_file_perms;
+
+# Allow use of authfs.
+binder_use(microdroid_payload);
+allow microdroid_payload authfs_binder_service:service_manager find;
+binder_call(microdroid_payload, authfs_service);
+
+# Allow locating the authfs mount directory.
+allow microdroid_payload authfs_data_file:dir search;
+
+# Read and write files authfs-proxied files.
+allow microdroid_payload authfs_fuse:dir rw_dir_perms;
+allow microdroid_payload authfs_fuse:file create_file_perms;
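Review bot: The comment `# Read and write files authfs-proxied files.` has a duplicated word; `# Read and write authfs-proxied files.`. More importantly, this block moves the authfs client rules that the compos.te hunk removed from compos onto the microdroid_payload attribute, so every domain carrying that attribute (compos and microdroid_app both declare it in this diff) now gets them; the header comment should state that the widening is intentional, e.g. `# Allow use of authfs by every payload domain (moved here from compos).`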
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 569a0fe..cade2aa 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -27,6 +27,7 @@
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$authfs_service u:object_r:ctl_authfs_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 9a27306..76bae22 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,5 +1,3 @@
-android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
-
adb u:object_r:adb_service:s0
android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
android.security.dice.IDiceNode u:object_r:dice_node_service:s0
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
deleted file mode 100644
index 92222c5..0000000
--- a/microdroid/system/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 9363d9b..bab49f2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -11,6 +11,7 @@
type ctl_apexd_prop, property_type;
type ctl_apexd_vm_prop, property_type;
type ctl_apkdmverity_prop, property_type;
+type ctl_authfs_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_fuse_prop, property_type;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 002fb14..533814c 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -3,6 +3,3 @@
#
(/.*)? u:object_r:vendor_file:s0
/etc(/.*)? u:object_r:vendor_configs_file:s0
-
-# HAL location
-/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
deleted file mode 100644
index 9fbf90d..0000000
--- a/microdroid/vendor/hal_dice_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute hal_dice_default no_crash_dump_domain;
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)
-
-# hal_dice_default is using bootstrap bionic
-use_bootstrap_libs(hal_dice_default)
-
-allow hal_dice_default sysfs_dt_avf:file r_file_perms;
-allow hal_dice_default open_dice_device:chr_file rw_file_perms;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -159,6 +159,7 @@
neverallow app_zygote {
domain
-app_zygote
+ -prng_seeder
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
userdebug_or_eng(`-traced_perf')
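Review bot: The new exclusion `-prng_seeder` carries no comment, unlike the matching exclusion in domain.te in this same commit (`-prng_seeder # Any process using libcrypto needs this`), so a reader of this neverallow cannot tell why a zygote is permitted to reach a daemon; suggest `-prng_seeder # libcrypto seeding socket, see domain.te`. The neverallow statement starts before and ends after this hunk, so its object class and permissions are not visible here.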
diff --git a/private/artd.te b/private/artd.te
index 58fe6ef..cb2b6c2 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,5 +1,6 @@
# ART service daemon.
typeattribute artd coredomain;
+typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
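Review bot: `typeattribute artd mlstrustedsubject;` is added without a comment, and mlstrustedsubject exempts the domain from MLS constraints for every object it touches, not only the profile directories this commit is about. The second hunk of this file widens `user_profile_data_file:dir` from `{ getattr search }` to `rw_dir_perms` and adds `user_profile_root_file:dir`, which is presumably the access that needs the exemption (per-user directories under the `/data/misc/profiles/{ref,cur}/...` path the existing comment names), but that is inferred; the attribute line should say what it is for, e.g. `# mlstrustedsubject: artd manages per-user profile directories that carry MLS categories.`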
@@ -62,7 +63,8 @@
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_root_file:dir { getattr search };
+allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
# Never allow running other binaries without a domain transition.
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 163a300..849be82 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1637,7 +1637,11 @@
(typeattributeset exported_overlay_prop_33_0 (exported_overlay_prop))
(typeattributeset exported_pm_prop_33_0 (exported_pm_prop))
(typeattributeset exported_secure_prop_33_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_33_0 (exported_system_prop))
+(typeattributeset exported_system_prop_33_0
+ ( exported_system_prop
+ locale_prop
+ timezone_prop
+))
(typeattributeset external_vibrator_service_33_0 (external_vibrator_service))
(typeattributeset extra_free_kbytes_33_0 (extra_free_kbytes))
(typeattributeset extra_free_kbytes_exec_33_0 (extra_free_kbytes_exec))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 90e2eaf..bdb4869 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,16 +7,24 @@
( new_objects
apex_ready_prop
artd
+ credential_service
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
+ devicelock_service
hal_bootctl_service
+ hal_remoteaccess_service
hal_tv_input_service
+ healthconnect_service
keystore_config_prop
permissive_mte_prop
+ prng_seeder
servicemanager_prop
system_net_netd_service
+ timezone_metadata_prop
tuner_config_prop
tuner_server_ctl_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
+ hal_gatekeeper_service
+ hal_broadcastradio_service
))
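Review bot: `hal_gatekeeper_service` and `hal_broadcastradio_service` are appended after `virtual_fingerprint_hal_prop`, breaking the alphabetical order the rest of the new_objects list keeps; move them up beside `hal_bootctl_service` and `hal_remoteaccess_service`. Keeping the list sorted is what lets concurrent additions merge without duplicate entries.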
diff --git a/private/domain.te b/private/domain.te
index 3d59a27..632b9f6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,6 +121,9 @@
# should be used.
get_prop(domain, log_file_logger_prop)
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
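Review bot: `unix_socket_connect(domain, prng_seeder, prng_seeder)` makes the seeder reachable from every domain, including untrusted and isolated app domains, and the comment only says "all processes". Since this becomes the one daemon every app may connect to, the comment should record the trust argument so the rule is not later copied as precedent, e.g. `# Allow all processes (including untrusted apps) to connect to the PRNG seeder; it reads nothing from the client and only writes a fixed-size entropy block, see prng_seeder.te.`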
@@ -498,6 +501,7 @@
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
+ -prng_seeder # Any process using libcrypto needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
@@ -630,3 +634,5 @@
sdk_sandbox
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
+
+neverallow { domain -init } mtectrl:process { dyntransition transition };
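Review bot: The new `neverallow { domain -init } mtectrl:process { dyntransition transition };` has no comment and is appended after an unrelated system_app_data_file rule, so it reads as a stray line. A one-line rationale tying it to the mtectrl.te and property.te hunks in this commit would help, e.g. `# Only init may enter the mtectrl domain: it writes bootloader requests to the misc partition and sets arm64_memtag_prop (see mtectrl.te).`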
diff --git a/private/file.te b/private/file.te
index 3f5531f..60e2274 100644
--- a/private/file.te
+++ b/private/file.te
@@ -120,3 +120,8 @@
# This executable does not have its own domain because it is executed in the caller's domain. For
# example, it is executed in the `artd` domain when artd calls it.
type art_exec_exec, system_file_type, exec_type, file_type;
+
+# Filesystem entry for for PRNG seeder socket. Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
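Review bot: The new comment has two slips, `for for PRNG seeder socket` and `needs to be mlstrustedobject in to satisfy`. Suggest rewording it as `# Filesystem entry for the PRNG seeder socket. Processes need write permission on it to connect, and it must be mlstrustedobject to satisfy MLS constraints for trusted domains.`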
diff --git a/private/file_contexts b/private/file_contexts
index f5d40c8..951c9b5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
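Review bot: `/system/bin/prng_seeder` is inserted between `boringssl_self_test` and `charger`, out of the alphabetical order the surrounding entries mostly follow; place it with the other `/system/bin/p…` entries instead. file_contexts matching picks the most specific entry regardless of position, so this is a readability point, not a labelling bug.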
diff --git a/private/init.te b/private/init.te
index 9e50bd4..f03a138 100644
--- a/private/init.te
+++ b/private/init.te
@@ -109,6 +109,9 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
diff --git a/private/mtectrl.te b/private/mtectrl.te
index 436dcae..a727b25 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -4,7 +4,12 @@
init_daemon_domain(mtectrl)
+# to set the sys prop to match the bootloader message state.
+set_prop(mtectrl, arm64_memtag_prop)
+
# mtectrl communicates the request to the bootloader via the misc partition.
-allow mtectrl misc_block_device:blk_file w_file_perms;
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow mtectrl misc_block_device:blk_file rw_file_perms;
allow mtectrl block_device:dir r_dir_perms;
read_fstab(mtectrl)
diff --git a/private/prng_seeder.te b/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
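Review bot: The header states `No other IO is performed`, and domain.te in this commit lets every domain connect to this daemon, yet nothing here turns that statement into an enforced invariant; a process compromised through the socket would inherit whatever coredomain and init_daemon_domain grant. Two neverallows would pin the footprint the comment describes: `neverallow prng_seeder { file_type fs_type }:file no_w_file_perms;` (kmsg_debug_device is a chr_file, so the existing write rule is unaffected) and `neverallow prng_seeder domain:{ tcp_socket udp_socket } *;`. The `type prng_seeder, domain;` declaration is not in this diff, so confirm it is not also given netdomain before adding the socket rule.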
diff --git a/private/property.te b/private/property.te
index 805b70d..61144be 100644
--- a/private/property.te
+++ b/private/property.te
@@ -38,6 +38,7 @@
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
+system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
@@ -430,6 +431,7 @@
-init
-shell
-system_app
+ -mtectrl
} {
arm64_memtag_prop
gwp_asan_prop
diff --git a/private/property_contexts b/private/property_contexts
index a67ea73..515c007 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -783,8 +783,25 @@
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
-persist.sys.locale u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+# Settings system properties containing mutable "global" device settings.
+#
+# These can't be Android settings because they are also read by low-level
+# binaries that don't have access to "real" SettingsProvider settings. This
+# will usually be because of when they execute, e.g. during boot when Android
+# services are not yet running, and/or because they are needed by binaries that
+# are not "Android aware", i.e. they have light integration with the Android
+# platform via the low-level system properties lib. Processes like shell may
+# modify these for testing purposes, but doing so is generally discouraged;
+# updates to these props will generally require intents to be sent to
+# long-running Android apps so they can update cached data and their UI state.
+persist.sys.locale u:object_r:locale_prop:s0 exact string
+persist.sys.timezone u:object_r:timezone_prop:s0 exact string
+
+# Time zone metadata system properties. Holds information associated with the
+# device's time zone and will therefore be written to at the same time. Unlike
+# timezone_prop props, these do not need to be read by other processes.
+persist.sys.timezone_confidence u:object_r:timezone_metadata_prop:s0 exact uint
+
persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 0000000..d75638a
--- /dev/null
+++ b/private/rkpd.te
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+
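Review bot: The two services registered at L828-L829 are declared in service.te (L928-L929) as bare `service_manager_type`, and no domain in this change is granted `find` on them, so nothing can currently look them up; if system_server or another specific domain is the intended client, an `allow <client-domain> rkpd_registrar_service:service_manager find;` (and the refresh counterpart) belongs with this policy. Likewise, if rkpd talks to the IRemotelyProvisionedComponent HAL directly, no client rule for that HAL appears here — worth confirming it is covered elsewhere. A one-line comment saying what the registrar and refresh services do would help, since the header only names the daemon. The file also ends with two blank lines (L830-L831), which should be dropped.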
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 3f4a49b..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,84 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
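Review bot: The `system_linker_exec:file execute_no_trans` rule at L915 is the one new line without an explanatory comment, and it is the most consequential: invoking the linker directly lets the domain load and run any ELF it can read without a domain transition. If this is required, say so, e.g. `# Allow the sandbox to run the dynamic linker directly, as other app domains can.`; if not, drop it. For the service allowlist (L842-L913), the header at L839-L840 says manual allowlisting is preferred over app_api_service, so a short note on how entries were selected — for instance whether the list was derived from ephemeral_app's set — would make future additions reviewable; entries such as `package_service`, `settings_service` and `surfaceflinger_service` expose broad system APIs and deserve an explicit rationale.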
diff --git a/private/service.te b/private/service.te
index 1f407a6..84e39ae 100644
--- a/private/service.te
+++ b/private/service.te
@@ -10,6 +10,8 @@
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
+type rkpd_registrar_service, service_manager_type;
+type rkpd_refresh_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 1504bac..f8c99df 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -5,12 +5,15 @@
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
-android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
+android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
+android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
+android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
@@ -56,6 +59,7 @@
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
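Review bot: The IGatekeeper entry at L958 is placed in the middle of the `android.hardware.security.*` block, between the keymint and secureclock lines; this file is kept in alphabetical order (this same change re-sorts IVehicle at L941/L944), so move it up to sit before the `android.hardware.security.*` lines. The same out-of-order placement repeats for `hal_gatekeeper_service` in public/service.te at L1209, which is appended after the wifi service types instead of next to the other alphabetically-adjacent hal_*_service declarations.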
@@ -140,6 +144,7 @@
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
communal u:object_r:communal_service:s0
+credential u:object_r:credential_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
@@ -160,6 +165,7 @@
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
+device_lock u:object_r:devicelock_service:s0
device_state u:object_r:device_state_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
@@ -193,6 +199,7 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
+healthconnect u:object_r:healthconnect_service:s0
ions u:object_r:radio_service:s0
idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
@@ -295,6 +302,8 @@
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
+rkpd.registrar u:object_r:rkpd_registrar_service:s0
+rkpd.refresh u:object_r:rkpd_refresh_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index bb16f20..dbb5507 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -58,7 +58,9 @@
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, locale_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
+set_prop(surfaceflinger, timezone_prop)
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
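Review bot: Granting surfaceflinger `set_prop` on locale_prop and timezone_prop (L1003, L1005) looks like a straight carry-over of the access it already had through exported_system_prop at L1000, now that persist.sys.locale and persist.sys.timezone have moved to dedicated types (L788-L789 vs L801-L802). A compositor has no obvious reason to write the device locale or time zone; if the type split was meant to enable tightening, a comment here explaining why surfaceflinger still needs write access, or a TODO to drop it, would be worthwhile. The system_app and system_server hunks add the same grants to domains that are more plausible writers.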
diff --git a/private/system_app.te b/private/system_app.te
index 822fbb5..61d3b5d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -44,8 +44,10 @@
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, gesture_prop)
+set_prop(system_app, locale_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
+set_prop(system_app, timezone_prop)
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
diff --git a/private/system_server.te b/private/system_server.te
index ab0bfe0..eb1e46a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -717,6 +717,9 @@
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
+set_prop(system_server, locale_prop)
+set_prop(system_server, timezone_metadata_prop)
+set_prop(system_server, timezone_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
diff --git a/public/attributes b/public/attributes
index aeed208..f431725 100644
--- a/public/attributes
+++ b/public/attributes
@@ -362,6 +362,7 @@
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
+hal_attribute(remoteaccess);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/domain.te b/public/domain.te
index 11a14c5..dc467a6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -123,6 +123,7 @@
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
+get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
@@ -130,6 +131,7 @@
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
+get_prop(domain, timezone_prop)
get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
@@ -436,6 +438,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a2d2417..c73c2e7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -78,6 +78,7 @@
hal_audio_server
hal_audiocontrol_server
hal_bluetooth_server
+ hal_broadcastradio_server
hal_camera_server
hal_codec2_server
hal_drm_server
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 84a2597..bb882c9 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -2,3 +2,6 @@
binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
+hal_attribute_service(hal_broadcastradio, hal_broadcastradio_service)
+
+binder_call(hal_broadcastradio_server, servicemanager)
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 29bab48..886286e 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -31,6 +31,7 @@
domain
-hal_configstore_server
-logd
+ -prng_seeder
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index b918f88..fc23e64 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,6 +1,8 @@
binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
+hal_attribute_service(hal_gatekeeper, hal_gatekeeper_service)
+binder_call(hal_gatekeeper_server, servicemanager)
# TEE access.
allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_remoteaccess.te b/public/hal_remoteaccess.te
new file mode 100644
index 0000000..8a55529
--- /dev/null
+++ b/public/hal_remoteaccess.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_remoteaccess_client, hal_remoteaccess_server)
+binder_call(hal_remoteaccess_server, hal_remoteaccess_client)
+
+hal_attribute_service(hal_remoteaccess, hal_remoteaccess_service)
+
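Review bot: The header comment at L1127 says "HwBinder IPC", but the file registers an AIDL service through `hal_attribute_service` and never references a hwservice, so it should read `# Binder IPC from client to server, and callbacks`. The broadcastradio and gatekeeper hunks in this same change (L1097, L1118) pair `hal_attribute_service` with `binder_call(hal_<name>_server, servicemanager)`; the remoteaccess file has no such rule, so either it is not needed here or it is missing — worth confirming. The file also ends with a trailing blank line (L1132).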
diff --git a/public/prng_seeder.te b/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
diff --git a/public/property.te b/public/property.te
index 80df624..a9e61b5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -212,6 +212,7 @@
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
system_public_prop(lmkd_prop)
+system_public_prop(locale_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
@@ -230,6 +231,7 @@
system_public_prop(system_prop)
system_public_prop(system_user_mode_emulation_prop)
system_public_prop(telephony_status_prop)
+system_public_prop(timezone_prop)
system_public_prop(usb_control_prop)
system_public_prop(vold_post_fs_data_prop)
system_public_prop(wifi_hal_prop)
diff --git a/public/service.te b/public/service.te
index 4bd5e65..a844b82 100644
--- a/public/service.te
+++ b/public/service.te
@@ -102,6 +102,7 @@
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type credential_service, system_api_service, system_server_service, service_manager_type;
type dataloader_manager_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
@@ -119,6 +120,7 @@
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;
+type devicelock_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
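Review bot: The new `devicelock_service` at L1177 is attributed `ephemeral_app_api_service`, which makes a device-lock controller findable from ephemeral (instant) apps as well as regular apps; healthconnect_service in the next hunk (L1185) is, by contrast, app_api_service only. If instant apps are not an intended client, drop `ephemeral_app_api_service` from the declaration; if they are, a short comment stating that would pre-empt the question.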
@@ -136,6 +138,7 @@
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type healthconnect_service, app_api_service, system_server_service, service_manager_type;
type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
@@ -268,6 +271,7 @@
type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
+type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_dice_service, protected_service, hal_service_type, service_manager_type;
@@ -294,6 +298,7 @@
type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
+type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
@@ -309,6 +314,7 @@
type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
+type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
###
### Neverallow rules
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c8ddfb9..61fa686 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -282,7 +282,8 @@
###
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+ domain -init -logd -prng_seeder -su -vendor_init });
# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
index d2cc3ae..1791f30 100644
--- a/tools/fuzzer_bindings_check.py
+++ b/tools/fuzzer_bindings_check.py
@@ -48,7 +48,7 @@
# First will be service name and second will be its label.
service_name = tokens[0]
if service_name not in bindings:
- sys.exit("\nerror: Service {0} is being added, but we have no fuzzer on file for it. "
+ sys.exit("\nerror: Service '{0}' is being added, but we have no fuzzer on file for it. "
"Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
"NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
"and Rust (b/164122727). In this case, please ignore this for now. \n\n"
@@ -57,8 +57,9 @@
"by adding these things: \n"
"- a cc_fuzz Android.bp entry \n"
"- a main file that constructs your service and calls 'fuzzService' \n\n"
- "An example can be found here: \n "
- "$ANDROID_BUILD_TOP/hardware/interfaces/vibrator/aidl/default/fuzzer.cpp \n\n"
+ "An examples can be found here: \n"
+ "- $ANDROID_BUILD_TOP/hardware/interfaces/vibrator/aidl/default/fuzzer.cpp \n"
+ "- https://source.android.com/docs/core/architecture/aidl/aidl-fuzzing \n\n"
"This is only ~30 lines of configuration. It requires dependency injection "
"for your service which is a good practice, and (in AOSP) you will get bugs "
"automatically filed on you. You will find out about issues without needing "
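Review bot: The new message text at L1243 reads "An examples can be found here", which is ungrammatical now that it introduces a list; change it to `"Examples can be found here: \n"`. The enclosing sys.exit() call starts in the previous hunk.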
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 24f0d51..ceb1492 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -13,6 +13,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -23,6 +24,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio-service.default u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
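Review bot: In the new broadcastradio entry at L1265 the dot in `-service.default` is unescaped, so it is a regex wildcard rather than a literal period, while every other dot on that line is escaped; write `android\.hardware\.broadcastradio-service\.default`. The pre-existing boot-service.default line at L1263 has the same pattern, but the escaped form is what the rest of the file uses and avoids labelling an unintended file as hal_broadcastradio_default_exec.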
diff --git a/vendor/hal_remoteaccess_default.te b/vendor/hal_remoteaccess_default.te
new file mode 100644
index 0000000..571b827
--- /dev/null
+++ b/vendor/hal_remoteaccess_default.te
@@ -0,0 +1,6 @@
+type hal_remoteaccess_default, domain;
+hal_server_domain(hal_remoteaccess_default, hal_remoteaccess)
+
+# may be started by init
+type hal_remoteaccess_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_remoteaccess_default)