Merge "Add all supported instance names for audio IModule"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 97ba9a8..1525625 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -47,6 +47,7 @@
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
diff --git a/private/artd.te b/private/artd.te
index 96b2990..88094e7 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -82,6 +82,18 @@
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 849be82..2f8887b 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2116,7 +2116,7 @@
(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
(typeattributeset proc_filesystems_33_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_fs_verity_33_0 (proc))
(typeattributeset proc_hostname_33_0 (proc_hostname))
(typeattributeset proc_hung_task_33_0 (proc_hung_task))
(typeattributeset proc_interrupts_33_0 (proc_interrupts))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 4e6c053..4fcda87 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -13,6 +13,7 @@
device_config_vendor_system_native_prop
devicelock_service
fwk_sensor_service
+ hal_bluetooth_service
hal_bootctl_service
hal_cas_service
hal_remoteaccess_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 9c45131..d4d29b0 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -42,6 +42,12 @@
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+ allow crosvm shell_data_file:dir search;
+ allow crosvm shell_data_file:file open;
+')
+
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
diff --git a/private/domain.te b/private/domain.te
index 9de23ba..2b2619b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,7 +2,9 @@
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+# We exempt crosvm because parts of its memory are inaccessible to the
+# kernel. TODO(b/238324526): Remove this.
+domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
@@ -650,7 +652,7 @@
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
@@ -669,6 +671,51 @@
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+ domain
+ -adbd
+ -artd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
# respect system_app sandboxes
neverallow {
domain
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d0af186..6fa98ea 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
diff --git a/private/property_contexts b/private/property_contexts
index 38ed8d5..d8ee31f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -642,6 +642,7 @@
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 81563a5..d3f065b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -165,6 +165,7 @@
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index b78dba6..be6ce34 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,6 +22,7 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
diff --git a/public/domain.te b/public/domain.te
index 1e135b0..79e62d0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1101,6 +1101,7 @@
neverallow {
domain
-appdomain
+ -artd
-installd
} { app_data_file privapp_data_file }:lnk_file read;
@@ -1111,37 +1112,6 @@
-installd
} shell_data_file:lnk_file read;
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-# artd doesn't need to access /data/local/tmp, but it needs to access
-# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
-# dex files.
-neverallow {
- domain
- -adbd
- -artd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -artd
- -dumpstate
- -init
- -installd
- -simpleperf_app_runner
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c0af235..6b112dc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -150,6 +150,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 97177ba..53bbef2 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,8 +1,10 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
+binder_call(hal_bluetooth_server, servicemanager)
hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_service(hal_bluetooth, hal_bluetooth_service)
wakelock_use(hal_bluetooth);
diff --git a/public/service.te b/public/service.te
index 1fcaaf1..5a71575 100644
--- a/public/service.te
+++ b/public/service.te
@@ -272,6 +272,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;