Merge "Allow CompOS to start a VM with its instance image."
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index f404a07..d678ca6 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,5 +1,4 @@
(/.*)? u:object_r:system_file:s0
-/bin/compos_key_cmd u:object_r:compos_key_cmd_exec:s0
/bin/compos_key_main u:object_r:compos_exec:s0
/bin/compsvc u:object_r:compos_exec:s0
/bin/compsvc_worker u:object_r:compos_exec:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index a126a02..9e6b2bb 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,9 +2,6 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
-type compos_key_cmd, domain, coredomain;
-type compos_key_cmd_exec, exec_type, file_type, system_file_type;
-
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Talk to binder services (for keystore)
diff --git a/prebuilts/api/31.0/private/odsign.te b/prebuilts/api/31.0/private/odsign.te
index 0ff3b7b..c6c7808 100644
--- a/prebuilts/api/31.0/private/odsign.te
+++ b/prebuilts/api/31.0/private/odsign.te
@@ -54,6 +54,9 @@
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 4f67251..faa0183 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -36,6 +36,7 @@
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 5ecb87f..eedbe8a 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -168,6 +168,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 1fcfa4d..06859d9 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -10,6 +10,8 @@
hal_system_suspend_service
hal_tv_tuner_service
power_stats_service
+ snapuserd_prop
+ snapuserd_proxy_socket
tare_service
transformer_service
proc_watermark_boost_factor
diff --git a/private/compos.te b/private/compos.te
index a86fd38..f4cdc17 100644
--- a/private/compos.te
+++ b/private/compos.te
@@ -1,6 +1,3 @@
# TODO(b/193504816): move this to compos APEX
type compos, domain, coredomain;
type compos_exec, exec_type, file_type, system_file_type;
-
-type compos_key_cmd, domain, coredomain;
-type compos_key_cmd_exec, exec_type, file_type, system_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9b7c69..a5dd5a6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -162,6 +162,7 @@
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
+/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
diff --git a/private/odsign.te b/private/odsign.te
index 10adcd5..0b2f187 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -58,6 +58,9 @@
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 49d18ee..671a24a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -30,6 +30,7 @@
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
+system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
@@ -37,6 +38,7 @@
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index fa5389d..7f97281 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -169,6 +169,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
@@ -278,10 +281,12 @@
sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
-# Virtual A/B properties
+# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
diff --git a/private/shell.te b/private/shell.te
index 2f983f2..dc820bd 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -106,8 +106,16 @@
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
+userdebug_or_eng(`
+ # Allow shell to execute profcollectctl without a domain transition.
+ allow shell profcollectd_exec:file rx_file_perms;
+
+ # Allow shell to read profcollectd data files.
+ r_dir_file(shell, profcollectd_data_file)
+
+ # Allow to issue control commands to profcollectd binder service.
+ allow shell profcollectd:binder call;
+')
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
@@ -173,11 +181,6 @@
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index d96b31e..2956891 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -17,10 +17,24 @@
allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
-# Reading and writing to /dev/socket/snapuserd.
+# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+allow snapuserd snapuserd_proxy_socket:sock_file write;
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
allow snapuserd kernel:fd use;
+
+# snapuserd.* properties
+set_prop(snapuserd, snapuserd_prop)
+
+# For inotify watching for /dev/socket/snapuserd_proxy to appear.
+allow snapuserd tmpfs:dir read;
+
+# Forbid anything other than snapuserd and init setting snapuserd properties.
+neverallow {
+ domain
+ -snapuserd
+ -init
+} snapuserd_prop:property_service set;
diff --git a/public/file.te b/public/file.te
index cf65c7d..2d98bb0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -499,6 +499,7 @@
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
+type snapuserd_proxy_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
