Merge "Allow MM to open/syncfs/close encryptedstore dir"
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index caef62d..9c13bd5 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,5 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crosvm u:object_r:crosvm_exec:s0
/bin/fd_server u:object_r:fd_server_exec:s0
-/bin/virtmgr u:object_r:virtmgr_exec:s0
+/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 91231a4..f706339 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -90,6 +90,9 @@
"android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
@@ -113,10 +116,11 @@
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.earc.IEArc/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.hdmi.IHdmi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
"android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 13e359a..4251a9e 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -363,16 +363,13 @@
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
-} {
+neverallow domain {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
@@ -445,7 +442,6 @@
-init
-vendor_init
-toolbox # TODO(b/141108496) We want to remove toolbox
- with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
#
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 9e3df3b..51372ad 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -126,6 +126,9 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+# Read tombstone_transmit_status_prop to wait for initialization of tombstone_transmit
+get_prop(microdroid_manager, tombstone_transmit_status_prop)
+
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index d983775..1bbe2a9 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,4 +1,5 @@
system_internal_prop(ctl_tombstoned_prop)
+system_restricted_prop(tombstone_transmit_status_prop)
system_restricted_prop(boot_status_prop)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 0d5786c..235ab14 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -161,3 +161,9 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+tombstone_transmit.init_done u:object_r:tombstone_transmit_status_prop:s0 exact bool
+
+# tombstone_transmit.start starts tombstone_transmit after creating a directory
+# assigning the same label as ctl.start$tombstone_transmit
+tombstone_transmit.start u:object_r:ctl_tombstone_transmit_prop:s0 exact bool
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 1887654..4f2b5ab 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -8,3 +8,9 @@
allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
+
+# allow tombstone_transmit to notify its initialization
+set_prop(tombstone_transmit, tombstone_transmit_status_prop)
+
+# Only tombstone_transmit can set its status
+neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index b5aa501..767bfe3 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
prng_seeder
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index cf9ea02..c5837f9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -12,7 +12,7 @@
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index 6112ae0..b40f6b9 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -57,6 +57,12 @@
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
+# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app wm_trace_data_file:dir rw_dir_perms;
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..adb3a61 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -789,3 +789,10 @@
integrity
confidentiality
}
+
+class io_uring
+{
+ override_creds
+ sqpoll
+ cmd
+}
diff --git a/private/adbd.te b/private/adbd.te
index 48fa849..d72d5b1 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -49,6 +49,8 @@
# Create and use network sockets.
net_domain(adbd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
diff --git a/private/app.te b/private/app.te
index a7939b0..8838782 100644
--- a/private/app.te
+++ b/private/app.te
@@ -95,9 +95,9 @@
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
-# Exception for virtmgr to allow running VMs as child processes.
+# Exception for virtualizationmanager to allow running VMs as child processes.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs -virtmgr }:process { transition };
+ { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6231623..5d5723e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,3 +265,31 @@
-mediaprovider
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;
+
+# Do not allow untrusted apps to use anonymous inodes. At the moment,
+# type transitions are the only way to distinguish between different
+# anon_inode usages like userfaultfd and io_uring. This prevents us from
+# creating a more fine-grained neverallow policy for each anon_inode usage.
+neverallow all_untrusted_apps domain:anon_inode *;
diff --git a/private/artd.te b/private/artd.te
index c887258..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -31,8 +31,10 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
-r_dir_file(artd, apk_data_file)
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
@@ -46,8 +48,8 @@
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-allow artd dalvikcache_data_file:dir create_dir_perms;
-allow artd dalvikcache_data_file:file create_file_perms;
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index ada65ae..7c8f5c0 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -19,3 +19,7 @@
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
allow bpfdomain bpffs_type:lnk_file read;
+
+# Needed for //frameworks/libs/net:
+# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
+get_prop(bpfdomain, bpf_progs_loaded_prop)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 321e938..d79d2f8 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -30,6 +30,7 @@
;; mapping file compiles with vendor policies without exported_audio_prop type.
(typeattribute exported_audio_prop_28_0)
+;; mapping information from ToT policy's types to 28.0 policy's types.
(expandtypeattribute (accessibility_service_28_0) true)
(expandtypeattribute (account_service_28_0) true)
(expandtypeattribute (activity_service_28_0) true)
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 2e85b23..783950c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
+;; will be compiled along with other normal policy files, on 28.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e7ddf48..7213f95 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 28.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5dba020..7315687 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -14,6 +14,7 @@
(type sysfs_mac_address)
(type wificond_service)
+;; mapping information from ToT policy's types to 29.0 policy's types.
(expandtypeattribute (accessibility_service_29_0) true)
(expandtypeattribute (account_service_29_0) true)
(expandtypeattribute (activity_service_29_0) true)
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index ccd9d1a..0bb2ae8 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 29.0 vendors.
+;; will be compiled along with other normal policy files, on 29.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1079046..e40888d 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 29.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44044fb..83d83ff 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -21,6 +21,7 @@
(typeattribute binder_in_vendor_violators)
+;; mapping information from ToT policy's types to 30.0 policy's types.
(expandtypeattribute (DockObserver_service_30_0) true)
(expandtypeattribute (IProxyService_service_30_0) true)
(expandtypeattribute (accessibility_service_30_0) true)
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 97c5874..b8bd755 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
+;; will be compiled along with other normal policy files, on 30.0 vendors.
+;;
+
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ba0a494..0a3d2e9 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 30.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 0e90912..b0df314 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -9,6 +9,7 @@
(type vr_hwc)
(type vr_hwc_exec)
+;; mapping information from ToT policy's types to 31.0 policy's types.
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
(expandtypeattribute (aac_drc_prop_31_0) true)
diff --git a/private/compat/31.0/31.0.compat.cil b/private/compat/31.0/31.0.compat.cil
index 628abfc..787c92a 100644
--- a/private/compat/31.0/31.0.compat.cil
+++ b/private/compat/31.0/31.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
+;; will be compiled along with other normal policy files, on 31.0 vendors.
+;;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index a5a3475..0e39f3e 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 31.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index 3672436..171f0ad 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -9,6 +9,7 @@
(type vr_hwc)
(type vr_hwc_exec)
+;; mapping information from ToT policy's types to 32.0 policy's types.
(expandtypeattribute (DockObserver_service_32_0) true)
(expandtypeattribute (IProxyService_service_32_0) true)
(expandtypeattribute (aac_drc_prop_32_0) true)
diff --git a/private/compat/32.0/32.0.compat.cil b/private/compat/32.0/32.0.compat.cil
index 628abfc..00ac11f 100644
--- a/private/compat/32.0/32.0.compat.cil
+++ b/private/compat/32.0/32.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
+;; will be compiled along with other normal policy files, on 32.0 vendors.
+;;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 50e3be7..ec2a16d 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 32.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
remotelyprovisionedkeypool_service
resources_manager_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 2f8887b..56da496 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -19,6 +19,7 @@
(type wpantund_service)
(type zoneinfo_data_file)
+;; mapping information from ToT policy's types to 33.0 policy's types.
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
(expandtypeattribute (aac_drc_prop_33_0) true)
@@ -2489,7 +2490,10 @@
(typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
(typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
(typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
-(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset untrusted_app_33_0
+ ( untrusted_app
+ untrusted_app_32
+))
(typeattributeset update_engine_33_0 (update_engine))
(typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
(typeattributeset update_engine_exec_33_0 (update_engine_exec))
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 628abfc..53ee8ff 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
+;; will be compiled along with other normal policy files, on 33.0 vendors.
+;;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index c16fcab..af2f22e 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 33.0 policy. Thus, we do not need to map
+;; these types to previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
@@ -8,6 +8,7 @@
adaptive_haptics_prop
apex_ready_prop
artd
+ bt_device
credential_service
device_config_camera_native_prop
device_config_memory_safety_native_prop
@@ -21,12 +22,13 @@
hal_cas_service
hal_remoteaccess_service
hal_secure_element_service
+ hal_tetheroffload_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
- hal_tv_earc_service
- hal_tv_hdmi_service
hal_tv_hdmi_cec_service
+ hal_tv_hdmi_connection_service
+ hal_tv_hdmi_earc_service
hal_wifi_service
healthconnect_service
hypervisor_restricted_prop
@@ -41,6 +43,7 @@
timezone_metadata_prop
tuner_config_prop
tuner_server_ctl_prop
+ usb_uvc_enabled_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
hal_gatekeeper_service
@@ -48,4 +51,6 @@
hal_confirmationui_service
hal_fastboot_service
hal_can_controller_service
+ zoned_block_device
+ future_pm_prop
))
diff --git a/private/coredomain.te b/private/coredomain.te
index 55f715d..96ce488 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -93,6 +93,8 @@
coredomain
-appdomain
-artd
+ -dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
@@ -112,6 +114,8 @@
coredomain
-appdomain
-artd
+ -dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
diff --git a/private/credstore.te b/private/credstore.te
index c410d76..434808f 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -10,3 +10,8 @@
# credstore needs to get keys from the remotely provisioned pool
allow credstore remotelyprovisionedkeypool_service:service_manager find;
+allow credstore keystore:keystore2 get_attestation_key;
+
+# credstore needs to get keys from the RKPD
+get_prop(credstore, remote_prov_prop)
+allow credstore remote_provisioning_service:service_manager find;
diff --git a/private/crosvm.te b/private/crosvm.te
index d4d29b0..aae8323 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,10 +14,10 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
+allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -36,11 +36,14 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
@@ -71,6 +74,11 @@
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
@@ -110,9 +118,9 @@
-shell_data_file
}:file read;
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
- -virtualizationservice
+ -virtualizationmanager
} crosvm_exec:file no_x_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 2ce2459..ea9ab9c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -10,6 +10,8 @@
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
+# Access /vendor/overlay
+r_dir_file(dex2oat, vendor_overlay_file);
allow dex2oat tmpfs:file { read getattr map };
@@ -59,6 +61,9 @@
# Allow dex2oat to use file descriptors passed from privileged programs.
allow dex2oat { artd installd odrefresh odsign }:fd use;
+# Allow dex2oat to read the /proc filesystem for CPU features, etc.
+allow dex2oat proc_filesystems:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 8eb1d29..ca715c1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -45,6 +45,10 @@
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
+# dexoptanalyzer checks the DM files next to dex files. We don't need this check
+# for secondary dex files, but it's not harmful. Just deny it and ignore it.
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
+
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/domain.te b/private/domain.te
index 2b2619b..e0ba975 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -290,7 +290,7 @@
-apexd
-installd
-priv_app
- -virtualizationservice
+ -virtualizationmanager
} staging_data_file:dir *;
neverallow {
domain
@@ -303,7 +303,7 @@
-installd
-priv_app
-shell
- -virtualizationservice
+ -virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ee59cb7..fe442b3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -30,6 +30,9 @@
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
+# Kill incident in case of a timeout
+allow dumpstate incident:process { signal sigkill };
+
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index d93ee42..7dc1741 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -50,7 +50,7 @@
hal_client_domain(fastbootd, hal_fastboot)
')
-# io_uring_setup needs ipc_lock and permission to operate anon inodes
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
-
-allow fastbootd self:anon_inode create_file_perms;
+io_uring_use(fastbootd)
diff --git a/private/file.te b/private/file.te
index 134b377..776c8e5 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,7 +13,7 @@
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
@@ -91,7 +91,9 @@
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
# /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# virtualizationmanager, which runs at a more constrained MLS level.
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -100,7 +102,9 @@
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
-type kvm_device, dev_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# crosvm, which runs at a more constrained MLS level.
+type kvm_device, dev_type, mlstrustedobject;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 632e069..4c3f108 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -79,6 +79,7 @@
/dev/audio.* u:object_r:audio_device:s0
/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/by-name/zoned_device u:object_r:zoned_block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
@@ -223,7 +224,6 @@
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -373,7 +373,6 @@
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
@@ -493,6 +492,9 @@
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
+
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 76a2370..8388e89 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -59,9 +59,6 @@
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/installd.te b/private/installd.te
index 9673cfd..7615c92 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -47,7 +47,10 @@
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
-allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+allow installd { dex2oat dexoptanalyzer }:process signal;
+
+# installd kills subprocesses if they time out.
+allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/netd.te b/private/netd.te
index 4aa288b..ae43e47 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -23,7 +23,6 @@
set_prop(netd, netd_stable_secret_prop)
get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
get_prop(netd, hwservicemanager_prop)
get_prop(netd, device_config_netd_native_prop)
diff --git a/private/platform_app.te b/private/platform_app.te
index f14e52d..46abb16 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -57,6 +57,12 @@
auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
+# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app wm_trace_data_file:dir rw_dir_perms;
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
diff --git a/private/property.te b/private/property.te
index dee6369..5383300 100644
--- a/private/property.te
+++ b/private/property.te
@@ -628,7 +628,7 @@
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
- # Only init and the remote provisioner can set the ro.remote_provisioning.* props
+ # Only init and the remote provisioner can set the remote_provisioning props
domain
-init
-remote_prov_app
@@ -681,3 +681,9 @@
domain
-init
} log_file_logger_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} usb_uvc_enabled_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index f208e52..f3c8d55 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -573,6 +573,7 @@
bluetooth.core.le.inquiry_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.inquiry_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -592,21 +593,32 @@
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt.concurrency u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot.concurrency u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-ota.concurrency u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-mainline-update u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-mainline-update.concurrency u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.post-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt. u:object_r:future_pm_prop:s0 prefix
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
@@ -1356,6 +1368,12 @@
remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+# Hostname for the remote provisioning server a device should communicate with
+remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+
+# Indicates the system should use rkpd instead of RemoteProvisioner
+remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
@@ -1483,3 +1501,6 @@
# Adaptive haptics settings property
vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
+
+# UVC Gadget property
+ro.usb.uvc.enabled u:object_r:usb_uvc_enabled_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index f49eb63..d5f8e3f 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,6 +8,9 @@
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
+# if rkpd is enabled, remote provisioner is a noop
+get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
+
allow remote_prov_app {
app_api_service
mediametrics_service
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 21f9b0c..2d25540 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -12,6 +12,7 @@
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+get_prop(rkpdapp, remote_prov_prop)
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
diff --git a/private/runas_app.te b/private/runas_app.te
index c1b354a..a5f47f4 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -14,7 +14,7 @@
r_dir_file(runas_app, untrusted_app_all)
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
# Allow executing system image simpleperf without a domain transition.
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d3f065b..d950c3d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -170,7 +170,8 @@
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
diff --git a/private/security_classes b/private/security_classes
index 0d3cc80..99f947f 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -142,6 +142,8 @@
class perf_event
+class io_uring
+
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
diff --git a/private/service_contexts b/private/service_contexts
index b6722c5..8de1d42 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,9 @@
android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
@@ -88,10 +91,11 @@
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
-android.hardware.tv.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
-android.hardware.tv.earc.IEArc/default u:object_r:hal_tv_earc_service:s0
-android.hardware.tv.hdmi.IHdmi/default u:object_r:hal_tv_hdmi_service:s0
+android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
+android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
+android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 1be5a5e..797a6c2 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,8 +8,6 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
-allow snapuserd self:capability ipc_lock;
-
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
@@ -54,4 +52,12 @@
-init
} snapuserd_prop:property_service set;
-allow snapuserd self:anon_inode create_file_perms;
+# Allow to read/write/create OTA metadata files
+allow snapuserd metadata_file:dir search;
+allow snapuserd ota_metadata_file:dir rw_dir_perms;
+allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)
diff --git a/private/su.te b/private/su.te
index 2496473..cc00e10 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,6 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
+ # Put the virtmgr command into its domain.
+ domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 26c781b..91e9aba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -49,6 +49,9 @@
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;
+# Access the secure heap.
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/private/system_app.te b/private/system_app.te
index 3b92c0f..9116058 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,6 +177,9 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
+# Settings app reads ro.usb.uvc.enabled
+get_prop(system_app, usb_uvc_enabled_prop)
+
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 576da94..53acab0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -331,9 +331,9 @@
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_earc)
-hal_client_domain(system_server, hal_tv_hdmi)
hal_client_domain(system_server, hal_tv_hdmi_cec)
+hal_client_domain(system_server, hal_tv_hdmi_connection)
+hal_client_domain(system_server, hal_tv_hdmi_earc)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d924187..bef7c6d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -29,6 +29,14 @@
allow system_suspend dumpstate:fd use;
allow system_suspend dumpstate:fifo_file write;
+# Allow init to take kernel wakelock and system suspend to
+# remove kenel wakelocks and the capability to access these
+# files
+allow init sysfs_wake_lock:file rw_file_perms;
+allow init self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+allow system_suspend self:global_capability2_class_set block_suspend;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 56e44db..d0f9b24 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 32.
+### targetSdkVersion >= 34.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
@@ -20,4 +20,4 @@
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
\ No newline at end of file
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7e..2c0391f 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,3 +52,10 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_25 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1..163803a 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,10 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_27 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 03f3334..758ed23 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -19,3 +19,9 @@
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_29 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 569c300..830106d 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -21,3 +21,9 @@
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_30 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
new file mode 100644
index 0000000..643c122
--- /dev/null
+++ b/private/untrusted_app_32.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 31 < targetSdkVersion <= 33.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_32 coredomain;
+
+app_domain(untrusted_app_32)
+untrusted_app_domain(untrusted_app_32)
+net_domain(untrusted_app_32)
+bluetooth_domain(untrusted_app_32)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app_32 sdk_sandbox_data_file:fd use;
+allow untrusted_app_32 sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
+userdebug_or_eng(`
+ auditallow untrusted_app_32 mdnsd_socket:sock_file write;
+ auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/virtmgr.te b/private/virtmgr.te
deleted file mode 100644
index 225b6cb..0000000
--- a/private/virtmgr.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# Domain for a child process that manages virtual machines on behalf of its parent.
-
-type virtmgr, domain, coredomain;
-type virtmgr_exec, system_file_type, exec_type, file_type;
-
-# Allow virtmgr to communicate use, read and write over the adb connection.
-allow virtmgr adbd:fd use;
-allow virtmgr adbd:unix_stream_socket { read write };
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
new file mode 100644
index 0000000..4cd32b7
--- /dev/null
+++ b/private/virtualizationmanager.te
@@ -0,0 +1,77 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtualizationmanager, domain, coredomain;
+type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+
+# Allow virtualizationmanager to communicate use, read and write over the adb connection.
+allow virtualizationmanager adbd:fd use;
+allow virtualizationmanager adbd:unix_stream_socket { read write };
+
+# Let the virtualizationmanager domain use Binder.
+binder_use(virtualizationmanager)
+
+# Let virtualizationmanager find and communicate with virtualizationservice.
+allow virtualizationmanager virtualization_service:service_manager find;
+binder_call(virtualizationmanager, virtualizationservice)
+
+# Allow calling into the system server to find native services. "permission_service" to check
+# permissions, and "package_native" for staged apex info.
+binder_call(virtualizationmanager, system_server)
+allow virtualizationmanager { package_native_service permission_service }:service_manager find;
+
+# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
+
+# Let virtualizationmanager kill crosvm.
+allow virtualizationmanager crosvm:process sigkill;
+
+# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
+allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
+allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;
+
+# Let virtualizationmanager read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationmanager apk_data_file:file { getattr read };
+
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationmanager {
+ app_data_file
+ apex_compos_data_file
+ privapp_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationmanager shell_data_file:file { getattr read write };
+
+# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationmanager apex_info_file:file r_file_perms;
+allow virtualizationmanager apex_data_file:dir search;
+allow virtualizationmanager staging_data_file:file r_file_perms;
+allow virtualizationmanager staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
+allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationmanager self:dir write;
+
+# Let virtualizationmanager to accept vsock connection from the guest VMs
+allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationmanager to inspect all hypervisor capabilities.
+get_prop(virtualizationmanager, hypervisor_prop)
+get_prop(virtualizationmanager, hypervisor_restricted_prop)
+
+# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
+unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
+
+# Append ramdumps to tombstone files passed as fds from tombstoned
+allow virtualizationmanager tombstone_data_file:file { append getattr };
+allow virtualizationmanager tombstoned:fd use;
+
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 883ff56..561e778 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -1,80 +1,49 @@
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;
+# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
+# the virtualizationmanager domain running at a more constrained MLS level.
+typeattribute virtualizationservice mlstrustedsubject;
+
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
-# ... and host a binder service
-binder_service(virtualizationservice)
-
-# Allow calling into the system server so that it can check permissions.
-binder_call(virtualizationservice, system_server)
-allow virtualizationservice permission_service:service_manager find;
-# Allow virtualizationservice to access "package_native" service for staged apex info.
-allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Allow calling into the system server to find "permission_service".
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
-# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
+# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
+allow virtualizationservice virtualizationmanager:process setrlimit;
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
+# Let virtualizationservice set the owner of a VM's temporary directory.
+allow virtualizationservice self:capability chown;
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+# Let virtualizationservice create and delete temporary directories of VMs. To remove old
+# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-
-# Let virtualizationservice manage crosvm control sockets.
-allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
-# Let virtualizationservice read and write files from its various clients, but not open them
-# directly as they must be passed over Binder by the client.
-allow virtualizationservice apk_data_file:file { getattr read };
-# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice {
- app_data_file
- apex_compos_data_file
- privapp_data_file
-}:file { getattr read write };
-
-# shell_data_file is used for automated tests and manual debugging.
-allow virtualizationservice shell_data_file:file { getattr read write };
-
-# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
-allow virtualizationservice apex_info_file:file r_file_perms;
-allow virtualizationservice apex_data_file:dir search;
-allow virtualizationservice staging_data_file:file r_file_perms;
-allow virtualizationservice staging_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow virtualizationservice derive_classpath_exec:file rx_file_perms;
-allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit virtualizationservice self:dir write;
-
-# Let virtualizationservice to accept vsock connection from the guest VMs
+# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
-# Allow virtualizationservice to inspect all hypervisor capabilities.
-get_prop(virtualizationservice, hypervisor_prop)
-get_prop(virtualizationservice, hypervisor_restricted_prop)
-
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
@@ -85,9 +54,6 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
-# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
-r_dir_file(virtualizationservice, crosvm);
-
neverallow {
domain
-init
@@ -97,5 +63,12 @@
neverallow {
domain
-init
+ -virtualizationmanager
-virtualizationservice
} virtualizationservice_data_file:file { open create };
+
+neverallow virtualizationservice {
+ domain
+ -virtualizationmanager
+ -virtualizationservice
+}:process setrlimit;
diff --git a/public/attributes b/public/attributes
index ebc199c..5509813 100644
--- a/public/attributes
+++ b/public/attributes
@@ -370,9 +370,9 @@
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
-hal_attribute(tv_earc);
-hal_attribute(tv_hdmi);
hal_attribute(tv_hdmi_cec);
+hal_attribute(tv_hdmi_connection);
+hal_attribute(tv_hdmi_earc);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
diff --git a/public/device.te b/public/device.te
index 1bb386f..ead7fbc 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
type block_device, dev_type;
+type bt_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
@@ -94,6 +95,9 @@
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
+# Zoned block device.
+type zoned_block_device, dev_type;
+
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 79e62d0..56c3142 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -537,6 +537,14 @@
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')
+# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
+
+# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
+# old platforms shouldn't be regarded as a problem.
+dontaudit domain future_pm_prop:file read;
+
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
neverallow { domain -init } userdebug_or_eng_prop:property_service set;
diff --git a/public/e2fs.te b/public/e2fs.te
index 20f70d9..8dcf0cc 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -8,6 +8,7 @@
allow e2fs userdata_block_device:blk_file rw_file_perms;
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
+allow e2fs zoned_block_device:blk_file rw_file_perms;
allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
diff --git a/public/fsck.te b/public/fsck.te
index 4fb3817..1a74ba8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -17,6 +17,7 @@
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+allow fsck zoned_block_device:blk_file rw_file_perms;
userdebug_or_eng(`
allow fsck system_block_device:blk_file rw_file_perms;
')
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 7ef27113..35a19de 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -11,6 +11,9 @@
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
+# Access the secure heap
+allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index cf51723..c9553dc 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -3,6 +3,9 @@
binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+hal_attribute_service(hal_tetheroffload, hal_tetheroffload_service)
+
+binder_use(hal_tetheroffload_server)
# allow the client to pass the server already open netlink sockets
allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hal_tv_earc.te b/public/hal_tv_earc.te
deleted file mode 100644
index 419d16e..0000000
--- a/public/hal_tv_earc.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Binder IPC from clients into server, and callbacks
-binder_call(hal_tv_earc_client, hal_tv_earc_server)
-binder_call(hal_tv_earc_server, hal_tv_earc_client)
-binder_use(hal_tv_earc_client)
-binder_use(hal_tv_earc_server)
-
-hal_attribute_service(hal_tv_earc, hal_tv_earc_service)
diff --git a/public/hal_tv_hdmi.te b/public/hal_tv_hdmi.te
deleted file mode 100644
index 8e91aa2..0000000
--- a/public/hal_tv_hdmi.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Binder IPC from clients into server, and callbacks
-binder_call(hal_tv_hdmi_client, hal_tv_hdmi_server)
-binder_call(hal_tv_hdmi_server, hal_tv_hdmi_client)
-binder_call(hal_tv_hdmi_client, servicemanager)
-binder_call(hal_tv_hdmi_server, servicemanager)
-
-hal_attribute_service(hal_tv_hdmi, hal_tv_hdmi_service)
diff --git a/public/hal_tv_hdmi_cec.te b/public/hal_tv_hdmi_cec.te
index 1b75676..eb01b67 100644
--- a/public/hal_tv_hdmi_cec.te
+++ b/public/hal_tv_hdmi_cec.te
@@ -1,7 +1,7 @@
# Binder IPC from clients into server, and callbacks
binder_call(hal_tv_hdmi_cec_client, hal_tv_hdmi_cec_server)
binder_call(hal_tv_hdmi_cec_server, hal_tv_hdmi_cec_client)
-binder_call(hal_tv_hdmi_cec_client, servicemanager)
-binder_call(hal_tv_hdmi_cec_server, servicemanager)
+binder_use(hal_tv_hdmi_cec_client)
+binder_use(hal_tv_hdmi_cec_server)
hal_attribute_service(hal_tv_hdmi_cec, hal_tv_hdmi_cec_service)
diff --git a/public/hal_tv_hdmi_connection.te b/public/hal_tv_hdmi_connection.te
new file mode 100644
index 0000000..f6de27d
--- /dev/null
+++ b/public/hal_tv_hdmi_connection.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_connection_client, hal_tv_hdmi_connection_server)
+binder_call(hal_tv_hdmi_connection_server, hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_server)
+
+hal_attribute_service(hal_tv_hdmi_connection, hal_tv_hdmi_connection_service)
diff --git a/public/hal_tv_hdmi_earc.te b/public/hal_tv_hdmi_earc.te
new file mode 100644
index 0000000..2d76fc6
--- /dev/null
+++ b/public/hal_tv_hdmi_earc.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_earc_client, hal_tv_hdmi_earc_server)
+binder_call(hal_tv_hdmi_earc_server, hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_server)
+
+hal_attribute_service(hal_tv_hdmi_earc, hal_tv_hdmi_earc_service)
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index 45bfdbe..c0df9a9 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -14,3 +14,6 @@
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
+
+# Read access to ro.usb.uvc.enabled
+get_prop(hal_usb_gadget_server, usb_uvc_enabled_prop)
diff --git a/public/net.te b/public/net.te
index 31c9c45..aa30b62 100644
--- a/public/net.te
+++ b/public/net.te
@@ -21,6 +21,3 @@
# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/netd.te b/public/netd.te
index 9b8fdb0..e3ea1cb 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,6 +3,8 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/property.te b/public/property.te
index c0a3a6e..0cde294 100644
--- a/public/property.te
+++ b/public/property.te
@@ -187,6 +187,7 @@
system_vendor_config_prop(zygote_config_prop)
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
+system_vendor_config_prop(usb_uvc_enabled_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
@@ -208,6 +209,7 @@
system_public_prop(exported_bluetooth_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
+system_public_prop(future_pm_prop)
system_public_prop(ffs_control_prop)
system_public_prop(framework_status_prop)
system_public_prop(gesture_prop)
diff --git a/public/service.te b/public/service.te
index 154905d..154ebb9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -314,10 +314,11 @@
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_earc_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_hdmi_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 60d0230..3473e74 100644
--- a/public/su.te
+++ b/public/su.te
@@ -97,9 +97,9 @@
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
- typeattribute su hal_tv_earc_client;
- typeattribute su hal_tv_hdmi_client;
typeattribute su hal_tv_hdmi_cec_client;
+ typeattribute su hal_tv_hdmi_connection_client;
+ typeattribute su hal_tv_hdmi_earc_client;
typeattribute su hal_tv_input_client;
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
diff --git a/public/te_macros b/public/te_macros
index 3bb3904..ad86a19 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,39 +176,30 @@
dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
')
####################################
# virtualizationservice_use(domain)
# Allow domain to create and communicate with a virtual machine using
-# virtualizationservice.
+# virtualizationservice and virtualizationmanager.
define(`virtualizationservice_use', `
-allow $1 virtualization_service:service_manager find;
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Transition to virtmgr when the client executes it.
-domain_auto_trans($1, virtmgr_exec, virtmgr)
-# Allow virtmgr to communicate over UDS with the client.
-allow virtmgr $1:unix_stream_socket { getattr read write };
-# Allow virtmgr and the client to signal each other using pipes.
-allow virtmgr $1:fifo_file { getattr read write };
-# Let the client pass file descriptors to virtualizationservice/virtmgr and on
-# to crosvm
-allow { virtualizationservice virtmgr crosvm } $1:fd use;
+# Transition to virtualizationmanager when the client executes it.
+domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
+# Allow virtualizationmanager to communicate over UDS with the client.
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
+allow { virtualizationmanager crosvm } $1:fd use;
+# Let the client use file descriptors created by virtualizationmanager.
+allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
-# Allow client to read/write vsock created by virtualizationservice to
-# communicate with the VM that it created. Notice that we do not grant
-# permission to create a vsock; the client can only connect to VMs
-# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
-# Allow client to read (but not open) the crashdump provided by virtualizationservice
+# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
')
@@ -1050,3 +1041,21 @@
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
')
+
+####################################
+# io_uring_use(domain)
+# Allow domain to create/use io_uring.
+define(`io_uring_use', `
+# Set up a type_transition to "io_uring" named anonymous inode object.
+type $1_iouring;
+type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
+# Allow domain to create/use io_uring anon_inode.
+allow $1 $1_iouring:anon_inode { create map read write };
+allow $1 self:io_uring sqpoll;
+# Other domains may not use iouring anon_inodes created by this domain.
+neverallow { domain -$1 } $1_iouring:anon_inode *;
+# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
+# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
+# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
+dontaudit $1 self:global_capability_class_set ipc_lock;
+')
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 0a67614..a4ee6f5 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
###
# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 32.
+# targetSdkVersion >= 34.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
+# 31 < targetSdkVersion <= 33.
+type untrusted_app_32, domain;
+# This file defines the rules for untrusted apps running with
# 29 < targetSdkVersion <= 31.
type untrusted_app_30, domain;
# This file defines the rules for untrusted apps running with
diff --git a/public/vold.te b/public/vold.te
index 41f95d3..209bf49 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -227,6 +227,9 @@
allow vold userdata_block_device:blk_file rw_file_perms;
allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+# Access zoned block device.
+allow vold zoned_block_device:blk_file rw_file_perms;
+
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index ca5ae91..cd61c9a 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -29,9 +29,13 @@
"""This tool generates a mapping file for {ver} core sepolicy."""
temp_dir = ''
-compat_cil_template = ";; This file can't be empty.\n"
-ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
+mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n"
+compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors.
+;; will be compiled along with other normal policy files, on %s vendors.
+;;
+"""
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in %s policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
@@ -484,16 +488,17 @@
f.write(';; types removed from current policy\n')
f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
f.write('\n\n')
+ f.write(mapping_cil_footer % args.target_version)
f.write(mapping_file_cil.unparse())
with open(target_compat_file, 'w') as f:
logging.info('writing %s' % target_compat_file)
- f.write(compat_cil_template)
+ f.write(compat_cil_template % (args.target_version, args.target_version))
with open(target_ignore_file, 'w') as f:
logging.info('writing %s' % target_ignore_file)
f.write(ignore_cil_template %
- ('\n '.join(sorted(target_ignored_types))))
+ (args.target_version, '\n '.join(sorted(target_ignored_types))))
finally:
logging.info('Deleting temporary dir: {}'.format(temp_dir))
shutil.rmtree(temp_dir)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7f3cc88..f167e65 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -17,6 +17,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -96,12 +97,13 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.earc-service u:object_r:hal_tv_earc_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi-service u:object_r:hal_tv_hdmi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.earc-service u:object_r:hal_tv_hdmi_earc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 01d60db..efa75a7 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,8 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
+allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
+
type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_tv_earc_default.te b/vendor/hal_tv_earc_default.te
deleted file mode 100644
index 0f5814a..0000000
--- a/vendor/hal_tv_earc_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tv_earc_default, domain;
-hal_server_domain(hal_tv_earc_default, hal_tv_earc)
-
-type hal_tv_earc_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_earc_default)
diff --git a/vendor/hal_tv_hdmi_connection_default.te b/vendor/hal_tv_hdmi_connection_default.te
new file mode 100644
index 0000000..bad8961
--- /dev/null
+++ b/vendor/hal_tv_hdmi_connection_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_connection_default, domain;
+hal_server_domain(hal_tv_hdmi_connection_default, hal_tv_hdmi_connection)
+
+type hal_tv_hdmi_connection_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_connection_default)
diff --git a/vendor/hal_tv_hdmi_default.te b/vendor/hal_tv_hdmi_default.te
deleted file mode 100644
index e974fd8..0000000
--- a/vendor/hal_tv_hdmi_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tv_hdmi_default, domain;
-hal_server_domain(hal_tv_hdmi_default, hal_tv_hdmi)
-
-type hal_tv_hdmi_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_hdmi_default)
diff --git a/vendor/hal_tv_hdmi_earc_default.te b/vendor/hal_tv_hdmi_earc_default.te
new file mode 100644
index 0000000..d2a729d
--- /dev/null
+++ b/vendor/hal_tv_hdmi_earc_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_earc_default, domain;
+hal_server_domain(hal_tv_hdmi_earc_default, hal_tv_hdmi_earc)
+
+type hal_tv_hdmi_earc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_earc_default)
