Merge "Support legacy apexdata labels"
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4becbc1..390c439 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -200,7 +200,7 @@
}
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
- conf := android.PathForModuleOut(ctx, "conf").OutputPath
+ conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
diff --git a/private/apexd.te b/private/apexd.te
index 791a4ff..69645a1 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,6 +13,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
+allow apexd sepolicy_metadata_file:dir create_dir_perms;
+allow apexd sepolicy_metadata_file:file create_file_perms;
+
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 0000000..f0888a7
--- /dev/null
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+ bpfdomain
+ -bpfloader
+ -netd
+ -netutils_wrapper
+ -network_stack
+ -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 02337a0..7644cac 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,15 +1,14 @@
-# bpf program loader
-type bpfloader, domain;
type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
+
+typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -27,24 +26,26 @@
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
-
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index f834ca3..f1307ad 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -21,8 +21,10 @@
fwk_automotive_display_service
extra_free_kbytes
extra_free_kbytes_exec
+ fs_bpf_vendor
gesture_prop
hal_contexthub_service
+ hal_camera_service
hal_dice_service
hal_drm_service
hal_dumpstate_service
diff --git a/private/genfs_contexts b/private/genfs_contexts
index cb28221..f20251d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -393,3 +393,4 @@
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
+genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index f20d932..35167d5 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,7 @@
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
diff --git a/private/lmkd.te b/private/lmkd.te
index aee1b7f..13828a4 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,4 +1,5 @@
typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
init_daemon_domain(lmkd)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 82dcdb2..bcbbfcc 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -1,7 +1,7 @@
###
### A domain for further sandboxing the MediaProvider mainline module.
###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
app_domain(mediaprovider_app)
diff --git a/private/netd.te b/private/netd.te
index a0c8f8f..10ba20e 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
typeattribute netd coredomain;
+typeattribute netd bpfdomain;
init_daemon_domain(netd)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index cdc342d..06aadc2 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -1,4 +1,5 @@
typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
r_dir_file(netutils_wrapper, system_file);
diff --git a/private/network_stack.te b/private/network_stack.te
index 2546888..b105938 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,7 @@
# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
app_domain(network_stack);
net_domain(network_stack);
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 63f42cb..1dc6849 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -48,6 +48,8 @@
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
+ # Allow profcollectd to call callbacks registered by system_server when ETM is ready.
+ binder_call(profcollectd, system_server)
add_service(profcollectd, profcollectd_service)
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
diff --git a/private/property_contexts b/private/property_contexts
index 05e5179..b8709e8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -269,7 +269,7 @@
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
-bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
gsid. u:object_r:gsid_prop:s0
ro.gsid. u:object_r:gsid_prop:s0
@@ -707,7 +707,7 @@
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-persist.arm64.memtag.mode u:object_r:arm64_memtag_prop:s0 exact string
+persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 1ada543..7075f4d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,6 +4,9 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 1cf7ac4..6dd483d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -8,6 +8,7 @@
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -448,6 +449,7 @@
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
+allow system_server uhid_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
diff --git a/public/attributes b/public/attributes
index b97bffc..73861bd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -219,6 +219,10 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
diff --git a/public/bpfloader.te b/public/bpfloader.te
new file mode 100644
index 0000000..81c32ee
--- /dev/null
+++ b/public/bpfloader.te
@@ -0,0 +1 @@
+type bpfloader, domain, coredomain;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 577a465..d41339a 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -35,6 +35,7 @@
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/file.te b/public/file.te
index 5850e7d..3545e24 100644
--- a/public/file.te
+++ b/public/file.te
@@ -128,6 +128,7 @@
')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
+type fs_bpf_vendor, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56..df70ab6 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,11 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
@@ -32,7 +36,7 @@
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index b508aa5..eeb72ba 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
-binder_call(hal_wifi_hostapd_server, servicemanager)
+binder_use(hal_wifi_hostapd_server)
allow hal_wifi_hostapd_server dumpstate:fifo_file write;
diff --git a/public/property.te b/public/property.te
index 9f9d489..7957f8c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -16,7 +16,6 @@
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_internal_prop(boottime_prop)
- system_internal_prop(bpf_progs_loaded_prop)
system_internal_prop(charger_prop)
system_internal_prop(cold_boot_done_prop)
system_internal_prop(ctl_adbd_prop)
@@ -182,6 +181,7 @@
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
+system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_status_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
@@ -236,7 +236,6 @@
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
system_public_prop(boottime_prop)
- system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_prop)
system_public_prop(cold_boot_done_prop)
system_public_prop(ctl_adbd_prop)
diff --git a/public/service.te b/public/service.te
index 012a781..46eaff1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -268,6 +268,7 @@
type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
type hal_drm_service, vendor_service, service_manager_type;
diff --git a/tests/policy.py b/tests/policy.py
index 06157fd..60c6962 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -396,7 +396,8 @@
self.__libsepolwrap = lib
def __GenfsDictAdd(self, Dict, buf):
- fs, path, context = buf.split(" ")
+ fs, buf = buf.split(' ', 1)
+ path, context = buf.rsplit(' ', 1)
Type = context.split(":")[2]
if not fs in Dict:
Dict[fs] = {Type}