Snap for 5110273 from cab37daeb658b434c515029a3a9c328c1e377688 to qt-release

Change-Id: I6ad5054a8141c02290f4302883273418d83ed996
diff --git a/private/access_vectors b/private/access_vectors
index 59e6d32..b77dcc1 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -547,6 +547,16 @@
 class netlink_crypto_socket
 inherits socket
 
+class infiniband_pkey
+{
+	access
+}
+
+class infiniband_endport
+{
+	manage_subnet
+}
+
 #
 # Define the access vector interpretation for controlling capabilities
 # in user namespaces
@@ -573,6 +583,8 @@
 inherits socket
 {
 	node_bind
+	name_connect
+	association
 }
 
 class icmp_socket
@@ -729,3 +741,6 @@
 	finalizeDecryptUnit
 	pread
 }
+
+class xdp_socket
+inherits socket
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 340ec94..cfee1a3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -112,8 +112,35 @@
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;
 
-# Do not allow untrusted apps to directly open tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
+# Do not allow untrusted apps to directly open or
+# issue ioctls to the tun_device
+neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
+# Additionally, assert that the following ioctls are never reachable.
+# This should already be blocked by the neverallow rule above, but this
+# is added for robustness, and to prove equivalence to the kernel patch at
+# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
+  SIOCGIFHWADDR
+  SIOCSIFHWADDR
+  TUNATTACHFILTER
+  TUNDETACHFILTER
+  TUNGETFEATURES
+  TUNGETFILTER
+  TUNGETSNDBUF
+  TUNGETVNETHDRSZ
+  TUNSETDEBUG
+  TUNSETGROUP
+  TUNSETIFF
+  TUNSETLINK
+  TUNSETNOCSUM
+  TUNSETOFFLOAD
+  TUNSETOWNER
+  TUNSETPERSIST
+  TUNSETQUEUE
+  TUNSETSNDBUF
+  TUNSETTXFILTER
+  TUNSETVNETHDRSZ
+};
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow all_untrusted_apps anr_data_file:file ~{ open append };
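Review bot: The robustness list on lines 59–78 omits TUNGETIFF even though the same change grants TUNGETIFF to system_server next to TUNSETIFF, and the comment above the list presents it as mirroring a kernel patch. The `{ open ioctl }` neverallow on line 53 already closes every ioctl for untrusted apps, so nothing is exposed; the point is only that the list should match what its comment claims. If the referenced kernel patch does not cover TUNGETIFF, a short remark saying so would spare the next reader the same question; otherwise add `TUNGETIFF` to the enumeration.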
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 17af59b..1a8c536 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -15,6 +15,7 @@
     apex_service
     apexd
     apexd_exec
+    apexd_prop
     apexd_tmpfs
     atrace
     binder_calls_stats_service
@@ -36,6 +37,7 @@
     ctl_interface_start_prop
     ctl_interface_stop_prop
     ctl_sigstop_prop
+    device_config_boot_count_prop
     e2fs
     e2fs_exec
     exfat
@@ -65,6 +67,8 @@
     exported3_system_prop
     fastbootd
     fingerprint_vendor_data_file
+    flags_health_check
+    flags_health_check_exec
     fs_bpf
     fwk_stats_hwservice
     hal_atrace_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 00ee630..4e42041 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,7 @@
     apex_service
     apexd
     apexd_exec
+    apexd_prop
     apexd_tmpfs
     atrace
     binder_calls_stats_service
@@ -34,6 +35,7 @@
     ctl_interface_start_prop
     ctl_interface_stop_prop
     ctl_sigstop_prop
+    device_config_boot_count_prop
     exfat
     exported2_config_prop
     exported2_default_prop
@@ -60,6 +62,8 @@
     exported_vold_prop
     exported_wifi_prop
     fastbootd
+    flags_health_check
+    flags_health_check_exec
     fingerprint_vendor_data_file
     fs_bpf
     fwk_stats_hwservice
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c0ea25e..a42a636 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -14,11 +14,15 @@
     apex_service
     apexd
     apexd_exec
+    apexd_prop
     apexd_tmpfs
     biometric_service
     ;; TODO(b/116344577): remove after the issue is resolved
     buffer_hub_service
+    device_config_boot_count_prop
     fastbootd
+    flags_health_check
+    flags_health_check_exec
     fwk_bufferhub_hwservice
     fwk_stats_hwservice
     color_display_service
diff --git a/private/file_contexts b/private/file_contexts
index 6638b45..ae20f5d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -281,6 +281,7 @@
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
new file mode 100644
index 0000000..fb41aff
--- /dev/null
+++ b/private/flags_health_check.te
@@ -0,0 +1,3 @@
+typeattribute flags_health_check coredomain;
+
+init_daemon_domain(flags_health_check)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index a17f22a..1b56c5c 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -57,9 +57,6 @@
 ##### Neverallow
 #####
 
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app { app_data_file privapp_data_file }:file open;
 
diff --git a/private/property_contexts b/private/property_contexts
index 58cc983..dff3cf8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -161,3 +161,6 @@
 
 # Properties that relate to time / time zone detection behavior.
 persist.time.           u:object_r:time_prop:s0
+
+# Properties that relate to server configurable flags
+persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
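Review bot: Line 206 carries no `exact` qualifier, unlike the entries this change adds to public/property_contexts; if this file follows the same prefix-match semantics as the `persist.time.` line above it (I cannot confirm that from the hunk), any property whose name merely starts with `persist.device_config.attempted_boot_count` would also be labelled device_config_boot_count_prop. If a single exact property is intended, pinning it as `persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0 exact int` keeps the neverallow in flags_health_check.te from being widened by a lookalike name.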
diff --git a/private/security_classes b/private/security_classes
index e0007d1..25b4cba 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,7 +35,6 @@
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket
-class bpf
 
 # sysv-ipc-related classes
 class sem
@@ -93,6 +92,10 @@
 class netlink_rdma_socket
 class netlink_crypto_socket
 
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
 # Capability checks when on a non-init user namespace
 class cap_userns
 class cap2_userns
@@ -132,6 +135,10 @@
 
 class process2
 
+class bpf
+
+class xdp_socket
+
 # Property service
 class property_service          # userspace
 
diff --git a/private/system_server.te b/private/system_server.te
index 7222fcc..1ca27cf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -336,6 +336,7 @@
 
 # tun device used for 3rd party vpn apps
 allow system_server tun_device:chr_file rw_file_perms;
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
diff --git a/public/apexd.te b/public/apexd.te
index 73daf38..0f0f5ac 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -4,8 +4,12 @@
 
 binder_use(apexd)
 add_service(apexd, apex_service)
+set_prop(apexd, apexd_prop)
 
 neverallow { domain -init -apexd } apex_service:service_manager find;
 neverallow { domain -init -apexd } apexd:binder call;
 
 neverallow domain apexd:process ptrace;
+
+# only apexd can set apexd sysprop
+neverallow { domain -apexd -init } apexd_prop:property_service set;
diff --git a/public/app.te b/public/app.te
index 7f0d554..5499302 100644
--- a/public/app.te
+++ b/public/app.te
@@ -334,7 +334,7 @@
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
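Review bot: The comment on lines 276–277 still only mentions open, while the rule on line 279 now also drops ioctl; the next reader will wonder whether the missing ioctl is an oversight. Suggest `# device traffic. Do not allow untrusted apps to directly open tun_device or issue ioctls on it` for line 277 so the comment and the permission set agree.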
diff --git a/public/domain.te b/public/domain.te
index 89f1635..0244b7a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -300,6 +300,10 @@
 # named pipes, and named sockets). We start off with a safe set.
 allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
 
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
 # Allow a process to make a determination whether a file descriptor
 # for a plain file or pipe (fifo_file) is a tty. Note that granting
 # this whitelist to domain does not grant the ioctl permission to
@@ -474,7 +478,18 @@
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow {
+    domain
+    -apexd
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -init
+    -kernel
+    -otapreopt_chroot
+    -recovery
+    -update_engine
+    -vold
+    -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
@@ -509,6 +524,7 @@
 neverallow {
     domain
     with_asan(`-asan_extract')
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
 } {
     system_file_type
     vendor_file_type
@@ -532,7 +548,8 @@
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
 neverallow * contextmount_type:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
+    { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
 
 # Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as
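Review bot: The split on line 332 changes the source of the write/unlink assertion from `*` (which line 329 keeps for the remaining permissions) to `domain`, so types without the domain attribute are no longer forbidden write/unlink on contextmount_type. Only domains run as processes, so this is probably harmless, but the asymmetry between the two neverallows is easy to misread as an accident. A comment above line 332 along the lines of `# write/unlink are split out so userdebug/eng fastbootd can maintain /mnt/scratch; narrowed to domain since only domains are subjects` would record the intent.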
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fe1005e..4b79b64 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -62,6 +62,27 @@
   allow fastbootd proc_cmdline:file r_file_perms;
   allow fastbootd rootfs:dir r_dir_perms;
   allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+
+  userdebug_or_eng(`
+    # Refined manipulation of /mnt/scratch, without these perms resorts
+    # to deleting scratch partition when partition(s) are flashed.
+    allow fastbootd self:process setfscreate;
+    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+    allow fastbootd {
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:dir { remove_name rmdir search write };
+    allow fastbootd {
+      overlayfs_file
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:{ file lnk_file } unlink;
+    allow fastbootd tmpfs:dir rw_dir_perms;
+    allow fastbootd labeledfs:filesystem { mount unmount };
+    get_prop(fastbootd, persistent_properties_ready_prop)
+  ')
 ')
 
 ###
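Review bot: The new userdebug_or_eng block grants fastbootd `write`/`remove_name`/`rmdir` on every `system_file_type` and `vendor_file_type` directory and `unlink` on their files (lines 350–360), which is much wider than the /mnt/scratch purpose the comment on lines 346–347 gives; the comment should state why `overlayfs_file` alone is insufficient and which paths are actually touched, so a later reviewer can judge whether the set can shrink. The `')` on line 365 closes a macro whose opening line is outside the hunk, so the exact build variants these rules reach cannot be confirmed here.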
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
new file mode 100644
index 0000000..1f6c8ee
--- /dev/null
+++ b/public/flags_heatlh_check.te
@@ -0,0 +1,11 @@
+# The flags_health_check command run by init.
+type flags_health_check, domain, coredomain;
+type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
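Review bot: The new public file is named `flags_heatlh_check.te` (line 372) while the types it declares, the private counterpart `private/flags_health_check.te` and the file_contexts entry all spell it `health`; rename it to `public/flags_health_check.te` so it sits next to them and is found by a search for the type name. Separately, the rationale on lines 380–383 is hard to parse; a tighter version would be `# Only init and flags_health_check may set device_config_boot_count_prop: it decides when server-configurable-flag disaster recovery runs, and a stray write from another component could trigger recovery at the wrong time and reset every flag to its default.`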
diff --git a/public/global_macros b/public/global_macros
index b2fe6ae..00f9fb3 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -12,8 +12,8 @@
 
 define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
 
 define(`ipc_class_set', `{ sem msgq shm ipc }')
 
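Review bot: Adding sctp_socket to `unpriv_socket_class_set` on line 396 widens every allow rule built on that set, including whatever unprivileged or app domains consume it, none of which this hunk shows; the expansion of `stream_socket_class_set` on line 395 does the same for stream consumers. A comment above the two defines recording why SCTP now belongs in the unprivileged set would help, and the app-facing rules that use the set deserve a check that sctp_socket creation is intended for them.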
diff --git a/public/property.te b/public/property.te
index 0457300..d903e00 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type apexd_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_a2dp_offload_prop, property_type;
@@ -25,6 +26,7 @@
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
 type default_prop, property_type, core_property_type;
+type device_config_boot_count_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -329,6 +331,7 @@
     -system_writes_vendor_properties_violators
   } {
     property_type
+    -apexd_prop
     -audio_prop
     -bluetooth_a2dp_offload_prop
     -bluetooth_prop
@@ -387,6 +390,7 @@
     -ffs_prop
     -fingerprint_prop
     -firstboot_prop
+    -device_config_boot_count_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
     -system_lmk_prop
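Review bot: `-device_config_boot_count_prop` on line 429 is inserted after `-firstboot_prop`, breaking the alphabetical order the surrounding entries keep (ffs, fingerprint, firstboot, hwservicemanager, last_boot_reason, system_lmk); the earlier hunk placed `-apexd_prop` in its sorted slot, so this one should move up to the `-d…` entries, which lie outside this hunk.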
diff --git a/public/property_contexts b/public/property_contexts
index 7b7b66a..14ccb75 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -151,6 +151,7 @@
 wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
 
 # vendor-init-readable
+apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
@@ -173,6 +174,7 @@
 drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
 dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
 hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
 init.svc.console u:object_r:exported2_default_prop:s0 exact string
 init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
 init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 7a7ba82..9d71249 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -5,6 +5,18 @@
 # Allowed to read/write low-level partition tables
 allow sgdisk block_device:dir search;
 allow sgdisk vold_device:blk_file rw_file_perms;
+# HDIO_GETGEO needed to get the number of disk heads
+# on vold_device. How quaint.
+allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
+# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
+# is granted to all block device users in domain.te, so
+# no need to mention it here. sgdisk should not be
+# using the BLKGETSIZE ioctl as it is useless for devices over
+# 2T in size, but we allow it for now and hope that sgdisk
+# will fix their bug.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
+# Force a re-read of the partition table.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
 
 # Inherit and use pty created by android_fork_execvp()
 allow sgdisk devpts:chr_file { read write ioctl getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c5cad47..bbfd418 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -173,6 +173,7 @@
 not_compatible_property(`
     set_prop(vendor_init, {
       property_type
+      -device_config_boot_count_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
@@ -180,6 +181,7 @@
       -system_boot_reason_prop
       -bootloader_boot_reason_prop
       -last_boot_reason_prop
+      -apexd_prop
     })
 ')
 
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index e7c73c9..bc6d685 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -89,16 +89,18 @@
 $(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
 $(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE :=
 ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-ifdef PRODUCT_SHIPPING_API_LEVEL
+# TODO(b/113124961): account for PRODUCT_SHIPPING_API_LEVEL when determining
+# fake treble status once emulator is no longer fake treble.
+#ifdef PRODUCT_SHIPPING_API_LEVEL
 # These requirements were originally added in Android Oreo. Devices
 # launching after this should not distinguish between
 # PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE since this could
 # lead to release problems where they think they pass this test but
 # fail it when it actually gets runned for compliance.
-ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+#ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
 $(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE := --fake-treble
-endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)
-endif # PRODUCT_SHIPPING_API_LEVEL defined
+#endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)
+#endif # PRODUCT_SHIPPING_API_LEVEL defined
 endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
 $(treble_sepolicy_tests_$(version)): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
   $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
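Review bot: Commenting out the `ifdef PRODUCT_SHIPPING_API_LEVEL` and `math_gt_or_eq` guards (lines 507, 514, 518–519) makes `PRIVATE_FAKE_TREBLE := --fake-treble` apply to every build with PRODUCT_FULL_TREBLE_OVERRIDE=true, not only the emulator the TODO names, so devices shipping at API 26 or later lose the stricter check. The TODO on lines 505–506 should state that consequence explicitly, e.g. `# NOTE: until then every PRODUCT_FULL_TREBLE_OVERRIDE build is tested as fake treble.` Commented-out make code is also better removed in favour of the TODO than left as `#ifdef` lines that read like preprocessor directives.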