Merge "sepolicy: allow init to share a kallsyms fd with tracing daemons" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 37400dd..66f8ef3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -253,6 +253,13 @@
 }
 
 filegroup {
+    name: "com.android.bt-file_contexts",
+    srcs: [
+        "com.android.bt-file_contexts",
+    ],
+}
+
+filegroup {
     name: "com.android.car.framework-file_contexts",
     srcs: [
         "com.android.car.framework-file_contexts",
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bt-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bt-file_contexts
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
index 23e7b89..de74547 100644
--- a/apex/com.android.configinfrastructure-file_contexts
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -1 +1,2 @@
-(/.*)?                   u:object_r:system_file:s0
\ No newline at end of file
+(/.*)?                   u:object_r:system_file:s0
+/bin/aconfigd-mainline   u:object_r:aconfigd_mainline_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 75f9c10..bb0f909 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -12,3 +12,4 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
     /bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
 ')
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7b3b85b..fc2d7b8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -190,6 +190,7 @@
 /dev/socket                                                       socket_device
 /dev/socket/does_not_exist                                        socket_device
 /dev/socket/adbd                                                  adbd_socket
+/dev/socket/aconfigd_mainline                                     aconfigd_mainline_socket
 /dev/socket/aconfigd_system                                       aconfigd_socket
 /dev/socket/dnsproxyd                                             dnsproxyd_socket
 /dev/socket/dumpstate                                             dumpstate_socket
@@ -695,7 +696,7 @@
 /odm/etc/selinux/odm_mac_permissions.xml                          mac_perms_file
 /vendor/odm/etc/selinux/odm_mac_permissions.xml                   mac_perms_file
 /odm/etc/selinux/odm_tee_service_contexts                         tee_service_contexts_file
-/vendor/odm//etc/selinux/odm_tee_service_contexts                 tee_service_contexts_file
+/vendor/odm/etc/selinux/odm_tee_service_contexts                  tee_service_contexts_file
 
 /product                                                          system_file
 /product/does_not_exist                                           system_file
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 275a455..8c331d0 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -92,6 +92,9 @@
 # apexd can set apexd sysprop
 set_prop(apexd, apexd_prop)
 
+# apexd can set apex.all.ready sysprop
+set_prop(apexd, apex_ready_prop)
+
 # Allow apexd to stop itself
 set_prop(apexd, ctl_apexd_prop)
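Review bot: Nothing in this hunk (or elsewhere in the diff) restricts who may set `apex.all.ready` once `set_prop(apexd, apex_ready_prop)` is added; the new type in microdroid/system/public/property.te is a bare `property_type` with no accompanying neverallow. If init triggers key on this property as the "all APEXes activated" signal, another domain setting it early is a boot-ordering hazard, so unless the microdroid policy already asserts this elsewhere, add `neverallow { domain -init -apexd } apex_ready_prop:property_service set;` beside this rule. The comment could also say what the property means rather than just that apexd can set it: `# apexd signals that all apexes are activated via apex.all.ready; only apexd may set it`.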
 
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2bd5a22..803e25e 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -58,6 +58,7 @@
 
 apexd.status      u:object_r:apexd_prop:s0 exact enum starting activated ready
 ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+apex.all.ready    u:object_r:apex_ready_prop:s0 exact bool
 
 ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
 
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 7db53d0..18dab10 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -2,6 +2,7 @@
 type apex_config_prop, property_type;
 type apexd_payload_metadata_prop, property_type;
 type apexd_prop, property_type;
+type apex_ready_prop, property_type;
 type arm64_memtag_prop, property_type;
 type bootloader_prop, property_type;
 type boottime_prop, property_type;
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 5ee967d..211405b 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -16,12 +16,6 @@
     aconfig_storage_flags_metadata_file
 }:file create_file_perms;
 
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
-    allow aconfigd shell_data_file:dir search;
-    allow aconfigd shell_data_file:file { getattr read open map };
-')
-
 # allow aconfigd to log to the kernel dmesg via a file descriptor
 # passed from init to aconfigd
 allow aconfigd kmsg_device:chr_file write;
@@ -33,6 +27,7 @@
 # allow aconfigd to read /apex dir
 allow aconfigd apex_mnt_dir:dir r_dir_perms;
 allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
 
 ###
 ### Neverallow assertions
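Review bot: The new `dontaudit aconfigd apex_info_file:file r_file_perms;` suppresses a denial without saying what triggers it, so a reader cannot tell whether aconfigd actually needs /apex/apex-info-list.xml or merely bumps into it while walking /apex. A dontaudit that hides a real dependency masks a bug (the read silently fails), while one for an incidental directory walk is harmless; the comment should state which. Suggest `# aconfigd walks /apex and may stat/open apex-info-list.xml along the way; it does not need its contents, so silence the denial rather than grant use_apex_info` — or, if the contents are needed, replace the dontaudit with `use_apex_info(aconfigd)` as keystore.te does.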
@@ -41,3 +36,35 @@
 # only init is allowed to enter the aconfigd domain
 neverallow { domain -init } aconfigd:process transition;
 neverallow * aconfigd:process dyntransition;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
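Review bot: The comments above the new neverallows overstate what they enforce: the first says writes are limited to "aconfigd and aconfigd_mainline" but init is exempted too, and the second promises "zero access" for other processes while the `:file` rule denies only `no_rw_file_perms`, so permissions outside that macro (e.g. `getattr`) stay grantable to anyone. Either tighten the file rule to match the dir rule — `} aconfig_storage_flags_metadata_file:file *;` — if no other domain legitimately stats those files, or make the comments exact: `# Only init, aconfigd and aconfigd_mainline may write boot/map storage files` and `# Only init, aconfigd and aconfigd_mainline may read or write persist storage files`. These assertions also drop the `-system_server` exemption the removed domain.te/system_server.te rules had, which is consistent with system_server moving to the socket protocol in this diff; worth saying so in the comment so the next person does not re-add it.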
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
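Review bot: `aconfigd_mainline` is declared `mlstrustedsubject` on the first type line with no comment saying why; that attribute exempts the domain from MLS constraints on every object it touches, which is more than a daemon that writes /metadata/aconfig and reads /apex obviously needs. Its clients reach it through `aconfigd_mainline_socket`, which file.te already marks `mlstrustedobject`, so the subject-side exemption may be redundant; if it is required (for instance to serve callers at other MLS levels such as per-user app domains), state it: `# mlstrustedsubject: serves flag requests from domains at arbitrary MLS levels`. Otherwise drop it from the declaration. Since the rules mirror aconfigd.te almost line for line, a pointer comment to that file would help keep the two in sync.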
diff --git a/private/apexd.te b/private/apexd.te
index 58a3658..3205b02 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -229,8 +229,8 @@
 # The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
 # and make binder calls to apexd.
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+neverallow { domain -init -apexd -keystore -system_server -update_engine -update_provider } apex_service:service_manager find;
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
+neverallow { domain -init -apexd -keystore -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
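Review bot: Adding `-keystore` to both neverallows gives keystore the entire IApexService surface, including the staging and installation entry points, because SELinux cannot scope a binder call to individual methods; the two-line comment above still attributes the exemptions solely to update_provider performing APEX updates. Extend it so the widening is auditable, e.g. `# keystore also needs apexd: it watches apexd.status and queries apex state (read-only use; apexd must not treat "caller is allowed by policy" as authorization for write-side calls)`, filling in the actual call keystore makes. If keystore's need is read-only, the caller check inside apexd, not this policy, is what keeps this from becoming a path to APEX installation from keystore. The enclosing neverallow list starts before this hunk.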
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 0bf3f7e..2ddfec3 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -10,6 +10,7 @@
     fstype_prop
     binderfs_logs_transactions
     binderfs_logs_transaction_history
+    proc_compaction_proactiveness
     proc_cgroups
     ranging_service
     supervision_service
@@ -22,7 +23,9 @@
     media_quality_service
     advanced_protection_service
     sysfs_firmware_acpi_tables
-    dynamic_instrumentation_service
     intrusion_detection_service
     wifi_mainline_supplicant_service
+    crosvm
+    early_virtmgr
+    virtualizationmanager
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index 71a35d9..a377e7a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -1,4 +1,7 @@
-type crosvm, domain, coredomain;
+until_board_api(202504, `
+    type crosvm, domain, coredomain;
+')
+
 type crosvm_exec, system_file_type, exec_type, file_type;
 type crosvm_tmpfs, file_type;
 
@@ -112,11 +115,6 @@
   allow crosvm virtualization_service:service_manager find;
   allow crosvm virtualizationservice:binder { call transfer };
 
-  # Allow crosvm to mount Terminal app internal storage directory
-  # to guest VM over virtiofs
-  allow crosvm privapp_data_file:dir { getattr open read search };
-  allow crosvm privapp_data_file:file { open };
-
   # Allow crosvm to play sound.
   binder_call(crosvm, audioserver)
   allow crosvm audioserver_service:service_manager find;
@@ -179,14 +177,12 @@
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
 # open them on its behalf. By preventing crosvm from opening any other files we prevent this
 # potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
 neverallow crosvm {
   virtualizationservice_data_file
   staging_data_file
   apk_data_file
   app_data_file
+  privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
   is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
   userdebug_or_eng(`-shell_data_file')
@@ -221,10 +217,12 @@
 }:file read;
 
 # Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
 neverallow {
   domain
   -crosvm
   -virtualizationmanager
+  -vmlauncher_app
 
   is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
 } crosvm_exec:file no_x_file_perms;
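Review bot: The comment `# Only virtualizationmanager can run crosvm` is now contradicted by the `-vmlauncher_app` exemption directly beneath it, and the added line omits the consequence: vmlauncher_app.te in this diff grants `rx_file_perms` (execute_no_trans) on crosvm_exec, so that crosvm instance runs in the app's domain and none of the crosvm-specific neverallows in this file — including the `privapp_data_file` restriction added above — apply to it. Replace the two comment lines with `# Only virtualizationmanager (and early_virtmgr) transition into crosvm; vmlauncher_app runs crosvm_exec in its own domain for virtiofs, so that instance has the app's privileges, not crosvm's sandbox`. If that is not intended, a `domain_auto_trans(vmlauncher_app, crosvm_exec, crosvm)` would keep the sandbox, at the cost of the privapp_data_file access the virtiofs mount presumably needs.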
diff --git a/private/domain.te b/private/domain.te
index d671a48..a8ec298 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1170,6 +1170,8 @@
         # Vendor components still can invoke shell commands via /system/bin/sh
         -shell_exec
         -toolbox_exec
+        -virtualizationmanager_exec
+        is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
     }:file { entrypoint execute execute_no_trans };
 ')
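Review bot: Exempting `virtualizationmanager_exec` (and `early_virtmgr_exec` under the flag) from this vendor-side neverallow is keyed on the file type, so it opens the door for any vendor domain that is later granted execute on those binaries, not just the one that motivated the change, and the hunk carries no comment naming that launcher. Add a why-comment above the two lines, e.g. `# Vendor VM launchers are allowed to exec virtualizationmanager/early_virtmgr; without a transition the binary runs in the caller's domain`. The same exemption is repeated in the second neverallow further down; keep the two comments identical so they stay in sync. The enclosing neverallow starts before this hunk.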
 
@@ -1254,6 +1256,8 @@
     # Vendor components still can invoke shell commands via /system/bin/sh
     -shell_exec
     -toolbox_exec
+    -virtualizationmanager_exec
+    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
   }:file *;
 ')
 
@@ -1658,7 +1662,6 @@
   -runas
   -system_server
   -zygote
-  -crosvm # required to access terminal app internal storage
 } {
   privapp_data_file
   app_data_file
@@ -1724,7 +1727,6 @@
   -artd # compile secondary dex files
   -installd
   -rs # spawned by appdomain, so carryover the exception above
-  -crosvm # required to access terminal app internal storage
 } {
   privapp_data_file
   app_data_file
@@ -2185,7 +2187,6 @@
   -artd
   -dumpstate
   -installd
-  userdebug_or_eng(`-aconfigd')
   userdebug_or_eng(`-uncrypt')
   userdebug_or_eng(`-virtualizationmanager')
   userdebug_or_eng(`-virtualizationservice')
@@ -2233,7 +2234,6 @@
   -installd
   -simpleperf_app_runner
   -system_server # why?
-  userdebug_or_eng(`-aconfigd')
   userdebug_or_eng(`-uncrypt')
   userdebug_or_eng(`-virtualizationmanager')
   userdebug_or_eng(`-crosvm')
@@ -2264,10 +2264,6 @@
 # For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
 
-# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
-
 neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
 neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
 
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index e244be2..d1579fe 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -1,8 +1,8 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
-    # Domain for a child process that manages early VMs available before /data mount, on behalf of
-    # its parent.
-    type early_virtmgr, domain, coredomain;
-    type early_virtmgr_exec, system_file_type, exec_type, file_type;
+    until_board_api(202504, `
+        type early_virtmgr, domain, coredomain;
+        type early_virtmgr_exec, system_file_type, exec_type, file_type;
+    ')
 
     use_bootstrap_libs(early_virtmgr)
 
diff --git a/private/file.te b/private/file.te
index 5512b6e..189fb47 100644
--- a/private/file.te
+++ b/private/file.te
@@ -158,6 +158,9 @@
 # Type for aconfig daemon socket
 type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
 
+# Type for aconfig mainline daemon socket
+type aconfigd_mainline_socket, file_type, coredomain_socket,  mlstrustedobject;
+
 # Type for /(system|system_ext|product)/etc/aconfig
 type system_aconfig_storage_file, system_file_type, file_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index 3ff72aa..d6f7113 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -156,6 +156,7 @@
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/aconfigd_mainline	u:object_r:aconfigd_mainline_socket:s0
 /dev/socket/aconfigd_system	u:object_r:aconfigd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index fa3420a..148cb7e 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -132,8 +132,10 @@
 allow gmscore_app shell_data_file:dir r_dir_perms;
 
 # allow gms core app write to aconfigd socket
-allow gmscore_app aconfigd_socket:sock_file {read write};
-allow gmscore_app aconfigd:unix_stream_socket connectto;
+unix_socket_connect(gmscore_app, aconfigd, aconfigd);
+
+# allow gms core app write to aconfigd_mainline socket
+unix_socket_connect(gmscore_app, aconfigd_mainline, aconfigd_mainline);
 
 # b/18504118: Allow reads from /data/anr/traces.txt
 allow gmscore_app anr_data_file:file r_file_perms;
diff --git a/private/init.te b/private/init.te
index c3899e1..23c464c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -90,6 +90,8 @@
 
 # Allow init to set 16kb app compatibility props
 set_prop(init, bionic_linker_16kb_app_compat_prop)
+set_prop(init, pm_16kb_app_compat_prop)
+
 
 # Allow init to set/get prefetch boot prop to initiate record/replay
 set_prop(init, ctl_prefetch_prop);
@@ -727,6 +729,8 @@
 # swapon() needs write access to swap device
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
 allow init swap_block_device:blk_file rw_file_perms;
+# Allow to change group owner and permissions for new swap setup in mmd
+allow init swap_block_device:blk_file setattr;
 
 # Create and access /dev files without a specific type,
 # e.g. /dev/.coldboot_done, /dev/.booting
diff --git a/private/installd.te b/private/installd.te
index 55e962a..50c378a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -226,6 +226,13 @@
   allow installd storage_area_key_file:file unlink;
 ')
 
+# Allow installd to delete the terminal app's data file.
+# `virtualizationservice_data_file` was used for a while, but it needs to be
+# deleted when terminal feature is disabled.
+# TODO(b/383026786): Remove this rule once the there is no
+# `virtualizationservice_data_file` in terminal app anymore..
+allow installd virtualizationservice_data_file:file unlink;
+
 ###
 ### Neverallow rules
 ###
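Review bot: The new `allow installd virtualizationservice_data_file:file unlink;` covers only the file class; if the terminal app's leftover is a directory tree carrying the same type (which is what a type transition on the app data dir would produce), installd will still be denied `dir { search remove_name rmdir }` and the cleanup the TODO describes will stop part-way. Either confirm that only regular files carry this label under the app's data dir and say so in the comment, or add `allow installd virtualizationservice_data_file:dir { search remove_name rmdir };` next to it. The comment's trailing `anymore..` is a typo for `anymore.`.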
diff --git a/private/keystore.te b/private/keystore.te
index 50542b0..014903e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -41,6 +41,9 @@
 
 set_prop(keystore, keystore_crash_prop)
 
+# Allow keystore to monitor the `apexd.status` property.
+get_prop(keystore, apexd_prop)
+
 # keystore is using apex_info via libvintf
 use_apex_info(keystore)
 
@@ -61,6 +64,10 @@
 allow keystore remote_provisioning_service:service_manager find;
 allow keystore rkp_cert_processor_service:service_manager find;
 
+# Allow keystore to communicate to apexd
+allow keystore apex_service:service_manager find;
+allow keystore apexd:binder call;
+
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
diff --git a/private/mmd.te b/private/mmd.te
index d299bd8..90510f1 100644
--- a/private/mmd.te
+++ b/private/mmd.te
@@ -13,9 +13,19 @@
 add_service(mmd, mmd_service)
 binder_use(mmd)
 
+# Read /proc/swaps
+allow mmd proc_swaps:file r_file_perms;
+
 # zram sysfs access
 allow mmd sysfs_zram:dir search;
 allow mmd sysfs_zram:file rw_file_perms;
 
 # procfs
 allow mmd proc_meminfo:file r_file_perms;
+
+# mkswap /dev/block/zram command
+allow mmd block_device:dir search;
+allow mmd swap_block_device:blk_file rw_file_perms;
+
+# swapon syscall
+allow mmd self:capability sys_admin;
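Review bot: `allow mmd self:capability sys_admin;` is the broadest capability in the policy and the one-line comment `# swapon syscall` does not say that it cannot be narrowed, which is the first question a reviewer will ask. Expand it to `# swapon(2) requires CAP_SYS_ADMIN and no narrower capability exists; other sys_admin-gated operations (mount, etc.) remain blocked by the lack of type rules and the mounton neverallows`. It is also worth stating that `rw_file_perms` on `swap_block_device` is needed for both mkswap (write) and swapon (read), since the block device rule above it only names mkswap; if swapon were handled by init instead, the capability grant would go away entirely.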
diff --git a/private/property.te b/private/property.te
index ccea344..92e244d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -87,6 +87,8 @@
 system_restricted_prop(persist_sysui_builder_extras_prop)
 system_restricted_prop(persist_sysui_ranking_update_prop)
 system_restricted_prop(page_size_prop)
+system_restricted_prop(pm_16kb_app_compat_prop)
+
 
 # Properties with no restrictions
 until_board_api(202504, `
@@ -110,6 +112,7 @@
 system_vendor_config_prop(avf_virtualizationservice_prop)
 system_vendor_config_prop(high_barometer_quality_prop)
 system_vendor_config_prop(prefetch_boot_prop)
+system_vendor_config_prop(widevine_sys_vendor_prop)
 
 typeattribute log_prop log_property_type;
 typeattribute log_tag_prop log_property_type;
@@ -877,3 +880,10 @@
   -shell
   userdebug_or_eng(`-su')
 } bionic_linker_16kb_app_compat_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -shell
+  userdebug_or_eng(`-su')
+} pm_16kb_app_compat_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index b650fad..643a179 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -483,6 +483,10 @@
 # See b/323989070 for the discussion why this approach was chosen.
 ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
 
+# String property used in audioparameterparser.example service to load
+# vendor implementation IHalAdapterVendorExtension
+ro.audio.ihaladaptervendorextension_libname u:object_r:system_audio_config_prop:s0 exact string
+
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
 config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
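Review bot: `ro.audio.ihaladaptervendorextension_libname` names a library that a service will load, and the comment does not say who may set it or that the consumer must validate it; a property-driven library name is a loader-injection vector if any domain other than init/vendor_init can write it. The `ro.` prefix and `system_audio_config_prop` type should keep it settable only at boot by init/vendor_init — state that in the comment, e.g. `# Set once by vendor_init (ro.); audioparameterparser must still restrict the value to a vendor library directory before loading it`. Confirm the set-side restriction on `system_audio_config_prop` rather than relying on the prefix alone.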
@@ -695,6 +699,11 @@
 
 bluetooth.core.le.min_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.max_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_relaxed    u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_relaxed    u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.aggressive_connection_threshold    u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.connection_latency                 u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.connection_supervision_timeout     u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.direct_connection_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
@@ -762,9 +771,12 @@
 
 pm.dexopt.                                              u:object_r:future_pm_prop:s0 prefix
 
+pm.16kb.app_compat.disabled                             u:object_r:pm_16kb_app_compat_prop:s0 exact bool
+
 ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 
 ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.bluetooth.leaudio_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 
@@ -1023,6 +1035,7 @@
 ro.boot.revision           u:object_r:bootloader_prop:s0 exact string
 ro.boot.serialconsole      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.public_key_digest  u:object_r:bootloader_prop:s0 exact string
 ro.boot.verifiedbootstate  u:object_r:bootloader_prop:s0 exact string
 ro.boot.veritymode         u:object_r:bootloader_prop:s0 exact string
 # Properties specific to virtualized deployments of Android
@@ -1782,6 +1795,13 @@
 trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
 trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
 
+# Properties that allows vendors to enable Trusty widevine VM features
+# Enable Widevine VM
+trusty.widevine_vm.enabled           u:object_r:widevine_sys_vendor_prop:s0 exact bool
+# Sets the path used by Widevine HALs to find correct library for the widevine
+# service provider location
+widevine.liboemcrypto.path          u:object_r:widevine_sys_vendor_prop:s0 exact string
+
 # Properties for mmd
 mmd. u:object_r:mmd_prop:s0
 mmd.enabled_aconfig u:object_r:mmd_prop:s0 exact bool
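Review bot: `widevine.liboemcrypto.path` is a library path consumed by the Widevine HALs, but unlike the audio property earlier in this file it has no `ro.` prefix, so it stays writable after boot by whatever domains may set `widevine_sys_vendor_prop` (a `system_vendor_config_prop` per property.te in this diff, i.e. init and vendor_init). The comment should spell out the trust model: `# Vendor-set at boot; Widevine HALs must validate the path (vendor lib dir only) before loading it - a writable library path is a code-injection vector`. If the value is not meant to change at runtime, an `ro.` name would let the property service enforce write-once.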
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ce49fc4..25ed1ba 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -224,4 +224,3 @@
 user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 7e89300..a90b3ba 100644
--- a/private/service.te
+++ b/private/service.te
@@ -62,6 +62,11 @@
 type uce_service,                      service_manager_type;
 type wearable_sensing_service,         app_api_service, system_server_service, service_manager_type;
 type wifi_mainline_supplicant_service, service_manager_type;
+type dynamic_instrumentation_service,  app_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_RANGING_STACK, `
+    type ranging_service, app_api_service, system_server_service, service_manager_type;
+')
 
 ###
 ### Neverallow rules
diff --git a/private/service_contexts b/private/service_contexts
index 900a1fe..2e050eb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -38,9 +38,7 @@
 ')
 android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default      u:object_r:hal_bluetooth_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
-is_flag_enabled(RELEASE_BLUETOOTH_SOCKET_SERVICE, `
-    android.hardware.bluetooth.socket.IBluetoothSocket/default       u:object_r:hal_bluetooth_service:s0
-')
+android.hardware.bluetooth.socket.IBluetoothSocket/default           u:object_r:hal_bluetooth_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/amfm                 u:object_r:hal_broadcastradio_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/dab                  u:object_r:hal_broadcastradio_service:s0
 # The instance here is internal/0 following naming convention for ICameraProvider.
@@ -190,9 +188,7 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_function                              u:object_r:app_function_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
-starting_at_board_api(202504, `
-    dynamic_instrumentation               u:object_r:dynamic_instrumentation_service:s0
-')
+dynamic_instrumentation                   u:object_r:dynamic_instrumentation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
diff --git a/private/shell.te b/private/shell.te
index 6372609..890d6f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,9 @@
 # Allow shell to enable 16 KB backcompat globally.
 set_prop(shell, bionic_linker_16kb_app_compat_prop)
 
+# Allow shell to disable compat in package manager
+set_prop(shell, pm_16kb_app_compat_prop)
+
 # Allow shell to get encryption policy of /data/local/tmp/, for CTS
 allowxperm shell shell_data_file:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/system_server.te b/private/system_server.te
index 99ef142..01097f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -823,6 +823,9 @@
 # staged flag properties
 set_prop(system_server, next_boot_prop)
 
+# Allow system server to read pm.16kb.app_compat.disabled
+get_prop(system_server, pm_16kb_app_compat_prop)
+
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
 get_prop(system_server, device_config_runtime_native_prop)
@@ -1530,12 +1533,11 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
-allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
-allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_metadata_file:dir search;
+# allow system_server write to aconfigd socket
+unix_socket_connect(system_server, aconfigd, aconfigd);
 
-allow system_server aconfigd_socket:sock_file {read write};
-allow system_server aconfigd:unix_stream_socket connectto;
+# allow system_server write to aconfigd_mainline socket
+unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
 
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1585,10 +1587,6 @@
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
-# Only system server should access /metadata/aconfig
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
-
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index dca1bc1..99035f8 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -22,6 +22,7 @@
 get_prop(tradeinmode, odsign_prop)
 get_prop(tradeinmode, build_attestation_prop)
 get_prop(tradeinmode, adbd_tradeinmode_prop)
+set_prop(tradeinmode, powerctl_prop)
 
 # Needed to start activities through "am".
 binder_call(tradeinmode, system_server)
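Review bot: `set_prop(tradeinmode, powerctl_prop)` lets tradeinmode reboot or shut down the device through `sys.powerctl`, including the reboot-to-bootloader/recovery targets that property accepts, yet unlike the get_prop lines above it carries no comment. Say why a trade-in flow needs this and which target it sets, e.g. `# tradeinmode reboots the device when leaving trade-in mode (sys.powerctl=reboot)`. If a neverallow elsewhere enumerates who may set powerctl_prop, it will need `-tradeinmode`; make sure that exemption is not widened beyond this one domain.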
diff --git a/private/uprobestats.te b/private/uprobestats.te
index c55f23d..d778126 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,9 +24,7 @@
 # For registration with system server as a process observer.
 binder_use(uprobestats)
 allow uprobestats activity_service:service_manager find;
-starting_at_board_api(202504, `
-    allow uprobestats dynamic_instrumentation_service:service_manager find;
-')
+allow uprobestats dynamic_instrumentation_service:service_manager find;
 binder_call(uprobestats, system_server);
 
 # Allow uprobestats to talk to native package manager
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c4fa6a1..31eadb2 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -55,3 +55,6 @@
 allow virtual_camera adbd:fd use;
 allow virtual_camera adbd:unix_stream_socket { getattr read write };
 allow virtual_camera shell:fifo_file { getattr read write };
+
+# Allow virtual_camera to access dmabuf_system_heap_device
+allow virtual_camera dmabuf_system_heap_device:chr_file { read open };
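Review bot: `allow virtual_camera dmabuf_system_heap_device:chr_file { read open };` omits `ioctl`, yet the DMA-BUF heap device is normally driven through its allocation ioctl, so with this rule alone a buffer allocation would be denied; the comment repeats the rule instead of saying what the access is for. If virtual_camera allocates, add `ioctl` together with an `allowxperm virtual_camera dmabuf_system_heap_device:chr_file ioctl { DMA_HEAP_IOCTL_ALLOC };` so the grant stays scoped; if it only opens the device to hand the fd to something else, say so: `# virtual_camera opens the system dmabuf heap only to pass the fd on; allocation happens elsewhere`.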
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index ca72279..259c402 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -1,7 +1,7 @@
-# Domain for a child process that manages virtual machines on behalf of its parent.
-
-type virtualizationmanager, domain, coredomain;
-type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+until_board_api(202504, `
+    type virtualizationmanager, domain, coredomain;
+    type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
 
 # Allow virtualizationmanager to communicate use, read and write over the adb connection.
 allow virtualizationmanager adbd:fd use;
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 8597fcd..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -12,6 +12,11 @@
 virtualizationservice_use(vmlauncher_app)
 
 allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
+
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
 
 is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
   # TODO(b/332677707): remove them when display service uses binder RPC.
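Review bot: The four new allows have no comments, and `allow vmlauncher_app crosvm_exec:file rx_file_perms;` is a design decision that deserves one: with `execute_no_trans` crosvm runs inside the vmlauncher_app domain, so the device model that presumably handles guest-controlled virtiofs traffic carries the app's privileges rather than crosvm's sandbox (the crosvm neverallows in crosvm.te do not apply to it). Document it: `# crosvm is run in-domain (no transition) as the virtiofs server; it inherits this app's permissions, not crosvm's neverallows`. The `privapp_data_file:sock_file { create unlink write getattr }` rule should likewise name the socket it is for, since `create unlink` on an app data type is unusual for a service binary. The hunk ends inside a flag-guarded block that continues past it.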
diff --git a/public/crosvm.te b/public/crosvm.te
new file mode 100644
index 0000000..174a8b2
--- /dev/null
+++ b/public/crosvm.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+    type crosvm, domain, coredomain;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
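Review bot: The new public file exports the `crosvm` domain with no comment describing it, unlike the neighbouring public/virtualizationmanager.te and public/early_virtmgr.te, which open with a one-line purpose; add something like `# Domain for the crosvm virtual machine monitor.` above the `starting_at_board_api` block. Those two files also export their `_exec` types alongside the domain, whereas only `crosvm` is exported here; if `crosvm_exec` is meant to stay private, a short note saying so would stop a vendor policy author from reaching for an unexported type.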
diff --git a/public/early_virtmgr.te b/public/early_virtmgr.te
new file mode 100644
index 0000000..6caac18
--- /dev/null
+++ b/public/early_virtmgr.te
@@ -0,0 +1,12 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+    # Domain for a child process that manages early VMs available before /data mount, on behalf of
+    # its parent.
+    starting_at_board_api(202504, `
+        type early_virtmgr, domain, coredomain;
+        type early_virtmgr_exec, system_file_type, exec_type, file_type;
+    ')
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/service.te b/public/service.te
index 854ceef..68f4ea0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,9 +75,6 @@
     type app_function_service, app_api_service, system_server_service, service_manager_type;
 ')
 type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
-    type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
-')
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -220,9 +217,6 @@
 type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
 type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-is_flag_enabled(RELEASE_RANGING_STACK, `
-    type ranging_service, app_api_service, system_server_service, service_manager_type;
-')
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index e446f56..2ba15b3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -201,6 +201,10 @@
 get_prop($1, hypervisor_prop)
 # Allow client to read (but not open) the crashdump provided by virtualizationmanager
 allow $1 virtualizationservice_data_file:file { getattr read };
+# Allow virtualizationmanager to read the path of the client using /proc/{PID}/exe
+allow virtualizationmanager $1:dir search;
+allow virtualizationmanager $1:file read;
+allow virtualizationmanager $1:lnk_file read;
 ')
 
 ####################################
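Review bot: `allow virtualizationmanager $1:file read;` is broader than the stated purpose of reading `/proc/{PID}/exe`: resolving that symlink needs `dir search` on the client's /proc directory and `lnk_file read` on the link, while `file read` additionally opens every /proc/{PID} regular file of every client domain (cmdline, maps, status, ...). If only the exe link is needed, drop the `file read` line; if some other /proc file is actually read, the comment should name it, e.g. `# Allow virtualizationmanager to read /proc/{PID}/exe (and /proc/{PID}/<file>) of the client`. The macro this hunk edits starts before the hunk, so the name of the client domain being granted here is only inferred from `$1`.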
diff --git a/public/virtualizationmanager.te b/public/virtualizationmanager.te
new file mode 100644
index 0000000..555bc23
--- /dev/null
+++ b/public/virtualizationmanager.te
@@ -0,0 +1,9 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+starting_at_board_api(202504, `
+    type virtualizationmanager, domain, coredomain;
+    type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index b9b935c..fa05eb1 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,10 +48,6 @@
     removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
     added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
 
-    # TODO(b/330670954): remove this once all internal references are removed.
-    if "proc_compaction_proactiveness" in added_types:
-        added_types.remove("proc_compaction_proactiveness")
-
     if removed_types:
         results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
 
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index cdf82f1..3f3def6 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -30,6 +30,22 @@
 cat > "$prebuilt_dir/Android.bp" <<EOF
 // Automatically generated file, do not edit!
 se_policy_conf {
+    name: "${ver}_reqd_policy_mask.conf",
+    defaults: ["se_policy_conf_flags_defaults"],
+    srcs: reqd_mask_policy,
+    installable: false,
+    build_variant: "user",
+    board_api_level: "${ver}",
+}
+
+se_policy_cil {
+    name: "${ver}_reqd_policy_mask.cil",
+    src: ":${ver}_reqd_policy_mask.conf",
+    secilc_check: false,
+    installable: false,
+}
+
+se_policy_conf {
     name: "${ver}_plat_pub_policy.conf",
     defaults: ["se_policy_conf_flags_defaults"],
     srcs: [
@@ -38,12 +54,13 @@
     ],
     installable: false,
     build_variant: "user",
+    board_api_level: "${ver}",
 }
 
 se_policy_cil {
     name: "${ver}_plat_pub_policy.cil",
     src: ":${ver}_plat_pub_policy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
+    filter_out: [":${ver}_reqd_policy_mask.cil"],
     secilc_check: false,
     installable: false,
 }
@@ -59,16 +76,25 @@
     ],
     installable: false,
     build_variant: "user",
+    board_api_level: "${ver}",
 }
 
 se_policy_cil {
     name: "${ver}_product_pub_policy.cil",
     src: ":${ver}_product_pub_policy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
+    filter_out: [":${ver}_reqd_policy_mask.cil"],
     secilc_check: false,
     installable: false,
 }
 
+se_versioned_policy {
+    name: "${ver}_plat_pub_versioned.cil",
+    base: ":${ver}_product_pub_policy.cil",
+    target_policy: ":${ver}_product_pub_policy.cil",
+    version: "${ver}",
+    installable: false,
+}
+
 se_policy_conf {
     name: "${ver}_plat_policy.conf",
     defaults: ["se_policy_conf_flags_defaults"],
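Review bot: The generated `${ver}_plat_pub_versioned.cil` module uses `${ver}_product_pub_policy.cil` for both `base` and `target_policy` while its name says plat_pub, which a later reader of the prebuilt Android.bp is likely to take for a copy-paste error. If this mirrors the top-level plat_pub_versioned.cil definition (which I cannot confirm from this diff), a one-line comment in the heredoc, e.g. `// base and target_policy are intentionally both the product public policy`, would keep someone from "fixing" it; if it does not, `base` presumably should be `:${ver}_plat_pub_policy.cil`. The `se_policy_conf` that starts at the end of the hunk continues outside it.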
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 66ac4ec..220fbd2 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[0-9]+-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
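Review bot: The vehicle HAL pattern is widened to `@V[0-9]+` so future AIDL versions label correctly without a policy change, but the remoteaccess entry on the next context line keeps an explicit `@V[1-2]` range, so the same labelling gap will reappear there on its next version bump. If the intent is to stop pinning version ranges for these HAL services, `android\.hardware\.automotive\.remoteaccess@V[0-9]+-(.*)-service` would be the matching change; if remoteaccess is deliberately pinned, a short comment saying so next to the vehicle line would make the asymmetry look intentional.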