Merge "profcollectd: allow to call callbacks registered by system_server."
diff --git a/Android.bp b/Android.bp
index df1e264..0ca82a6 100644
--- a/Android.bp
+++ b/Android.bp
@@ -865,6 +865,9 @@
"sepolicy_neverallows",
"sepolicy_neverallows_vendor",
],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
// policy for recovery
@@ -933,6 +936,9 @@
name: "base_plat_sepolicy",
srcs: [":base_plat_sepolicy.cil"],
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
@@ -1003,6 +1009,9 @@
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
diff --git a/Android.mk b/Android.mk
index 361c7c4..2e74b25 100644
--- a/Android.mk
+++ b/Android.mk
@@ -482,6 +482,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.bluetooth-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth.updatable-file_contexts
rename to apex/com.android.bluetooth-file_contexts
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
index 91c6347..00df33c 100644
--- a/build/soong/bug_map.go
+++ b/build/soong/bug_map.go
@@ -104,7 +104,7 @@
OutputFile: android.OptionalPathForPath(b.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", b.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
},
},
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 59d1172..78e870e 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -172,7 +172,7 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
if c.properties.Stem != nil {
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 3044425..6a1925d 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -109,7 +109,7 @@
OutputFile: android.OptionalPathForPath(c.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 2b190e6..4becbc1 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -255,7 +255,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -410,7 +410,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -546,7 +546,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index c55fba2..b30f35e 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -192,7 +192,7 @@
SubName: nameSuffix,
Extra: []android.AndroidMkExtraFunc{
func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
},
},
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 119e477..98dd3cf 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -152,10 +152,11 @@
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", binaryPolicy).
Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
// file from Step 1
-
+ rule = android.NewRuleBuilder(pctx, ctx)
msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
`of an expanded attribute in a neverallow assertion. Please fix\n` +
`the policy.`
@@ -170,9 +171,8 @@
Text(`"` + msg + `"`).
Text("; exit 1)")
- rule.Temporary(binaryPolicy)
rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
}
func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 9d1fe78..ca40173 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -97,7 +97,7 @@
OutputFile: android.OptionalPathForPath(v.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
},
},
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index dc07910..c316d2a 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -172,7 +172,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
- entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath)
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
},
},
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 3c82d4b..2e8766c 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -266,14 +266,6 @@
}
prebuilt_etc {
- name: "microdroid_hwservice_contexts",
- filename: "plat_hwservice_contexts",
- src: "system/private/hwservice_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
name: "microdroid_property_contexts",
filename: "plat_property_contexts",
src: "system/private/property_contexts",
@@ -288,11 +280,3 @@
relative_install_path: "selinux",
installable: false,
}
-
-prebuilt_etc {
- name: "microdroid_keystore2_key_contexts",
- filename: "plat_keystore2_key_contexts",
- src: "system/private/keystore2_key_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 22f2ffa..477f78f 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,6 +746,16 @@
use_dev_id
}
+class diced
+{
+ demote
+ demote_self
+ derive
+ get_attestation_chain
+ use_seal
+ use_sign
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index cca95c2..275a455 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -81,8 +81,7 @@
allow apexd rootfs:dir mounton;
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 84e1575..c56f05e 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -4,8 +4,7 @@
type apkdmverity_exec, exec_type, file_type, system_file_type;
# apkdmverity is using bootstrap bionic
-allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
-allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apkdmverity)
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
diff --git a/microdroid/system/private/binderservicedomain.te b/microdroid/system/private/binderservicedomain.te
deleted file mode 100644
index 99006bf..0000000
--- a/microdroid/system/private/binderservicedomain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 174eda3..d9edb67 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,22 +2,18 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
+# Expose RPC Binder service over vsock
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow using keystore and authfs_service binder services
+# Allow using various binder services
binder_use(compos);
-use_keystore(compos);
-allow compos authfs_binder_service:service_manager find;
+allow compos {
+ authfs_binder_service
+ dice_node_service
+}:service_manager find;
binder_call(compos, authfs_service);
-
-# Allow payloads to use and manage their keys
-allow compos vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+binder_call(compos, diced);
+allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
@@ -34,7 +30,5 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh and dex2oat.
-# TODO(b/209008712): Remove dex2oat once the migration is done.
+# Allow domain transition into odrefresh.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
-domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 90587fa..a636e9c 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -56,7 +56,6 @@
-crash_dump
-init
-kernel
- -keystore
-logd
-ueventd
-vendor_init
@@ -65,7 +64,6 @@
userdebug_or_eng(`
allow crash_dump {
apexd
- keystore
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
new file mode 100644
index 0000000..9530794
--- /dev/null
+++ b/microdroid/system/private/diced.te
@@ -0,0 +1,20 @@
+type diced, domain, coredomain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+# diced can be started by init
+init_daemon_domain(diced)
+
+# diced can talk to dice HAL
+hal_client_domain(diced, hal_dice)
+
+# diced hosts AIDL services
+binder_use(diced)
+binder_service(diced)
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# diced can check SELinux permissions.
+selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ad2c645..ae97f75 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -47,7 +47,7 @@
allow domain zero_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -411,15 +411,6 @@
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
@@ -428,8 +419,6 @@
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
# system services cant add vendor services
neverallow {
@@ -549,11 +538,6 @@
servicemanager
}:service_manager list;
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
@@ -596,15 +580,6 @@
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 933c63f..50558f8 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -63,6 +63,7 @@
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
+/dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
@@ -106,10 +107,9 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
@@ -135,8 +135,6 @@
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -163,7 +161,6 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
deleted file mode 100644
index f9b15f0..0000000
--- a/microdroid/system/private/halclientdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
-
-get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservice_contexts b/microdroid/system/private/hwservice_contexts
deleted file mode 100644
index 9b47b06..0000000
--- a/microdroid/system/private/hwservice_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
deleted file mode 100644
index 88b9e89..0000000
--- a/microdroid/system/private/hwservicemanager.te
+++ /dev/null
@@ -1,27 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-allow hwservicemanager vendor_configs_file:file { open getattr };
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff3f6f5..ff75f75 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -171,7 +171,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -181,7 +180,6 @@
file_type
-apex_info_file
-exec_type
- -keystore_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_file_type
@@ -193,7 +191,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -203,7 +200,6 @@
file_type
-apex_mnt_dir
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -356,11 +352,6 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
@@ -437,8 +428,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 258c8d7..2938be4 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -90,7 +90,6 @@
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
- hwservice_contexts_file
mac_perms_file
property_contexts_file
seapp_contexts_file
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
deleted file mode 100644
index ee10910..0000000
--- a/microdroid/system/private/keystore.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-# microdroid doesn't use keymaster HAL
-dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
-
-# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
-dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
-
-set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/keystore2_key_contexts b/microdroid/system/private/keystore2_key_contexts
deleted file mode 100644
index 02cdd5e..0000000
--- a/microdroid/system/private/keystore2_key_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-
-# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
-# TODO(b/191843770): sort out a longer term policy
-140 u:object_r:vm_payload_key:s0
-
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index fa1cb40..06d4fa6 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -5,16 +5,12 @@
allow logd adbd:dir search;
allow logd adbd:file { getattr open read };
allow logd device:dir search;
-allow logd hwservicemanager:dir search;
-allow logd hwservicemanager:file { open read };
allow logd init:dir search;
allow logd init:fd use;
allow logd init:file { getattr open read };
allow logd kernel:dir search;
allow logd kernel:file { getattr open read };
allow logd kernel:system { syslog_mod syslog_read };
-allow logd keystore:dir search;
-allow logd keystore:file { getattr open read };
allow logd linkerconfig_file:dir search;
allow logd microdroid_manager:dir search;
allow logd microdroid_manager:file { getattr open read };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de1c8d6..de58326 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,17 +9,9 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-# Talk to binder services (for keystore)
+# Talk to binder services (for diced)
binder_use(microdroid_app);
-# Allow payloads to use keystore
-use_keystore(microdroid_app);
-
-# Allow payloads to use and manage their keys
-allow microdroid_app vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+allow microdroid_app dice_node_service:service_manager find;
+binder_call(microdroid_app, diced);
+allow microdroid_app diced:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 736a135..6539e2c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -14,6 +14,11 @@
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;
+# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
+# requires sys_admin cap as well.
+allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
+allow microdroid_manager self:global_capability_class_set sys_admin;
+
# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
@@ -25,9 +30,6 @@
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager initialize the derived VM secrets.
-set_prop(microdroid_manager, vmsecret_keymint_prop);
-
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
@@ -38,8 +40,13 @@
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
# microdroid_manager is using bootstrap bionic
-allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
-allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(microdroid_manager)
+
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 7911753..01aa5e4 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -14,19 +14,6 @@
### Neverallow rules
###
-neverallow {
- domain
- -init
- -microdroid_manager
-} vmsecret_keymint_prop:property_service set;
-
-neverallow {
- domain
- -init
- -microdroid_manager
- -hal_keymint_server
-} vmsecret_keymint_prop:file no_rw_file_perms;
-
# microdroid_manager_roothash_prop can only be set by microdroid_manager
# and read by apkdmverity
neverallow {
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7b63cae..518ae87 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -46,28 +46,21 @@
ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
-ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
ro.boottime.logd u:object_r:boottime_prop:s0 exact int
ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
-ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
-
-hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
@@ -79,8 +72,6 @@
init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
@@ -91,8 +82,6 @@
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-
ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
@@ -100,6 +89,7 @@
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
@@ -127,10 +117,6 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 200b030..0d3cc80 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,5 +163,8 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
+# Diced permissions
+class diced # userspace
+
class drmservice # userspace
# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 3489055..9a27306 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,19 +1,8 @@
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
adb u:object_r:adb_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.identity u:object_r:credstore_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode u:object_r:dice_node_service:s0
apexservice u:object_r:apex_service:s0
authfs_service u:object_r:authfs_binder_service:s0
manager u:object_r:service_manager_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 5dad3c1..d51c827 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -15,7 +15,6 @@
domain
-init
-vendor_init
- -hwservicemanager
}:binder transfer;
allow servicemanager service_contexts_file:file r_file_perms;
@@ -25,3 +24,6 @@
add_service(servicemanager, service_manager_service)
set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 55b7308..1196262 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -6,7 +6,4 @@
# su is also permissive to permit setenforce.
permissive su;
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
')
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 8524c18..c7d9fd6 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -47,8 +47,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index da0cd0f..6652e27 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -7,8 +7,7 @@
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
-allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
-allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 6479c55..e3258ae 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -298,6 +298,7 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
+hal_attribute(dice);
hal_attribute(drm);
hal_attribute(evs);
hal_attribute(face);
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index c03fb4d..4c008ea 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -18,6 +18,7 @@
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type, mlstrustedobject;
+type open_dice_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type ppp_device, dev_type;
type properties_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5b678ba..d15d9cd 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -2,7 +2,6 @@
# file types
type adbd_socket, file_type, coredomain_socket;
-type apc_service, service_manager_type;
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
@@ -12,9 +11,6 @@
type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
-type hwservice_contexts_file, file_type, system_file_type;
-type keystore2_key_contexts_file, file_type, system_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
type linkerconfig_file, file_type;
type logd_socket, file_type, mlstrustedobject, coredomain_socket;
type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/microdroid/system/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/hal_keymint.te b/microdroid/system/public/hal_keymint.te
deleted file mode 100644
index 7570188..0000000
--- a/microdroid/system/public/hal_keymint.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/system/public/hwservicemanager.te b/microdroid/system/public/hwservicemanager.te
deleted file mode 100644
index 5421b11..0000000
--- a/microdroid/system/public/hwservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/keystore.te b/microdroid/system/public/keystore.te
deleted file mode 100644
index 295d3d9..0000000
--- a/microdroid/system/public/keystore.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type keystore, domain;
-type keystore_exec, file_type, exec_type, system_file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c62e091..d00a618 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -29,13 +29,10 @@
type fingerprint_prop, property_type;
type gsid_prop, property_type;
type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
-type keystore_crash_prop, property_type;
-type keystore_listen_prop, property_type;
type libc_debug_prop, property_type;
type log_tag_prop, property_type;
type logd_prop, property_type;
@@ -45,7 +42,6 @@
type timezone_prop, property_type;
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
-type vmsecret_keymint_prop, property_type;
type powerctl_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 5da3ec9..dea7c6b 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -15,10 +15,6 @@
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index a440c21..e331bf6 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -39,11 +39,7 @@
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su domain:bpf *;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 1a7aaa4..6db0d70 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -987,3 +987,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 0ee9f89..818ae46 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -2,24 +2,10 @@
type adb_service, system_server_service, system_api_service, service_manager_type;
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
-type authorization_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type default_android_service, service_manager_type;
-type hal_keymint_service, protected_service, vendor_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
+type dice_maintenance_service, service_manager_type;
+type dice_node_service, service_manager_type;
+type hal_dice_service, protected_service, vendor_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index b66caa9..322abe3 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -133,8 +133,7 @@
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 0aa85cf..c86f862 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -35,4 +35,4 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
+/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
new file mode 100644
index 0000000..c203550
--- /dev/null
+++ b/microdroid/vendor/hal_dice_default.te
@@ -0,0 +1,10 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)
+
+# hal_dice_default is using bootstrap bionic
+use_bootstrap_libs(hal_dice_default)
+
+allow hal_dice_default open_dice_device:chr_file { read write open map };
diff --git a/microdroid/vendor/hal_keymint_default.te b/microdroid/vendor/hal_keymint_default.te
deleted file mode 100644
index 359ca60..0000000
--- a/microdroid/vendor/hal_keymint_default.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type hal_keymint_default, domain;
-hal_server_domain(hal_keymint_default, hal_keymint)
-
-type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_default)
-
-allow hal_keymint_default keystore:binder transfer;
-allow hal_keymint_default system_lib_file:file execute;
-
-allow logd hal_keymint_default:dir search;
-allow logd hal_keymint_default:file { getattr open read };
-
-get_prop(hal_keymint_default, vmsecret_keymint_prop);
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
diff --git a/prebuilts/api/32.0/private/mediaprovider_app.te b/prebuilts/api/32.0/private/mediaprovider_app.te
index 16d0d6d..742da1f 100644
--- a/prebuilts/api/32.0/private/mediaprovider_app.te
+++ b/prebuilts/api/32.0/private/mediaprovider_app.te
@@ -21,6 +21,9 @@
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/access_vectors b/private/access_vectors
index fc17c1d..0f8dd5f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -722,7 +722,9 @@
change_user
clear_ns
clear_uid
+ delete_all_keys
early_boot_ended
+ get_attestation_key
get_auth_token
get_state
list
@@ -732,7 +734,6 @@
report_off_body
reset
unlock
- delete_all_keys
}
class keystore2_key
diff --git a/private/apexd.te b/private/apexd.te
index 9dfe45f..791a4ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -126,8 +126,7 @@
binder_call(apexd, vold)
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/atrace.te b/private/atrace.te
index cbb5b7c..2ab8c69 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-stats_service
-tracingproxy_service
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index d757a52..c909986 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -4,7 +4,7 @@
typeattribute automotive_display_service automotive_display_service_server;
-# Allow to add a display service to the manager
+# Allow to add a display service to the hwservicemanager
add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
# Allow init to launch automotive display service
@@ -36,3 +36,6 @@
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file rw_file_perms;
allow automotive_display_service gpu_device:dir search;
+
+# Allow to add a service to the servicemanager
+add_service(automotive_display_service, fwk_automotive_display_service);
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0e0cf7f..5522e32 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -62,6 +62,7 @@
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
+allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 78cd37e..3fbc8dc 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,12 +1,12 @@
-# bpf program loader
-type bpfloader, domain;
type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
+
+# allow bpfloader to write to the kernel log (starts early)
+allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
+allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -17,29 +17,33 @@
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+
neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
-
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
diff --git a/private/clatd.te b/private/clatd.te
index da6820c..57eee78 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,18 +4,10 @@
net_domain(clatd)
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Access objects inherited from netd.
allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
allow clatd netd:packet_socket { read write };
allow clatd netd:rawip_socket { read write };
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 2ae6a5f..29378d4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -21,13 +21,7 @@
hal_dumpstate_service
hal_graphics_composer_service
hal_health_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 43f8136..f1307ad 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -8,7 +8,9 @@
apexd_select_prop
artd_service
attestation_verification_service
+ bluetooth_config_prop
charger_vendor
+ cloudsearch
cloudsearch_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
@@ -16,34 +18,38 @@
dice_node_service
diced
diced_exec
+ fwk_automotive_display_service
extra_free_kbytes
extra_free_kbytes_exec
+ fs_bpf_vendor
gesture_prop
hal_contexthub_service
+ hal_camera_service
hal_dice_service
+ hal_drm_service
hal_dumpstate_service
+ hal_graphics_allocator_service
hal_graphics_composer_service
hal_health_service
+ hal_input_processor_service
hal_ir_service
+ hal_nfc_service
hal_nlinterceptor_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
+ hal_usb_service
hal_uwb_service
hal_vehicle_service
hal_wifi_hostapd_service
hal_wifi_supplicant_service
locale_service
+ mdns_service
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
+ remotelyprovisionedkeypool_service
resources_manager_service
selection_toolbar_service
snapuserd_proxy_socket
@@ -56,4 +62,5 @@
vendor_vm_data_file
vendor_vm_file
virtual_device_service
- ))
+ wallpaper_effects_generation_service
+))
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index a1a8a64..01504ee 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -1,10 +1,6 @@
# Make ART inputs and outputs available to the CompOS VM
type compos_fd_server, domain, coredomain;
-# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
-# TODO(b/209008712): Remove once migration is done.
-allow compos_fd_server odrefresh:fd use;
-
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
@@ -17,18 +13,14 @@
allow compos_fd_server apex_art_data_file:file create_file_perms;
# Use a pipe to signal readiness
-# TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
-allow compos_fd_server odrefresh:fifo_file write;
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
-allow compos_fd_server odrefresh:fifo_file read;
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Only composd and odrefresh can enter the domain via exec
-# TODO(b/209008712): Remove odrefresh once migration is done.
-neverallow { domain -composd -odrefresh } compos_fd_server:process transition;
+# Only composd can enter the domain via exec
+neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index dd61e39..5f99a92 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -5,7 +5,6 @@
init_daemon_domain(composd)
binder_use(composd)
add_service(composd, compos_service)
-add_service(composd, compos_internal_service)
# Call back into system server
binder_call(composd, system_server)
@@ -26,11 +25,6 @@
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
-# TODO(b/209008712): Remove these when we run odrefresh in the VM
-# Run odrefresh to refresh ART artifacts, and kill it if we need to
-domain_auto_trans(composd, odrefresh_exec, odrefresh)
-allow composd odrefresh:process sigkill;
-
# Run fd_server in its own domain, and send SIGTERM when finished.
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
diff --git a/private/coredomain.te b/private/coredomain.te
index f8a61d2..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -76,6 +76,7 @@
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
@@ -121,6 +122,7 @@
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
@@ -176,6 +178,7 @@
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..c410d76 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -4,3 +4,9 @@
# talk to Identity Credential
hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;
diff --git a/private/crosvm.te b/private/crosvm.te
index 5106f87..426cb28 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -7,9 +7,12 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Let crosvm mlock VM memory and page tables.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
@@ -86,3 +89,10 @@
-app_data_file
userdebug_or_eng(`-shell_data_file')
}:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+ domain
+ -crosvm
+ -virtualizationservice
+} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index ae5b0d7..988bd56 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
@@ -121,6 +141,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
@@ -456,6 +477,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel
+ userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -496,6 +518,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
+ userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
@@ -547,6 +570,7 @@
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
diff --git a/private/file_contexts b/private/file_contexts
index 4a04532..ba50376 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -296,7 +296,6 @@
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
@@ -309,6 +308,7 @@
/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/mtectrl u:object_r:mtectrl_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
@@ -365,6 +365,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -375,6 +376,7 @@
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
#############################
# Vendor files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a7cdeb8..f20251d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -262,6 +262,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -326,6 +327,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@@ -391,3 +393,4 @@
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
+genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..a05f3de 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,6 +5,11 @@
app_domain(gmscore_app)
+# TODO(b/217368496): remove this.
+perfetto_producer(gmscore_app)
+can_profile_heap(gmscore_app)
+can_profile_perf(gmscore_app)
+
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(gmscore_app, sysfs_net)
@@ -31,6 +36,12 @@
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 2e4254c..f20d932 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -51,11 +51,12 @@
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
+# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
+allow gpuservice fs_bpf:file { read write };
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
+# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
+allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)
diff --git a/private/mtectrl.te b/private/mtectrl.te
new file mode 100644
index 0000000..436dcae
--- /dev/null
+++ b/private/mtectrl.te
@@ -0,0 +1,10 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)
diff --git a/private/netd.te b/private/netd.te
index d87b9a6..a0c8f8f 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -18,6 +18,7 @@
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
set_prop(netd, ctl_mdnsd_prop)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ca3b515..cdc342d 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -17,6 +17,7 @@
# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b5..2546888 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,7 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 9febf45..d716309 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -45,24 +45,6 @@
get_prop(odrefresh, device_config_runtime_native_prop)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
-# Use inherited stdin/stdout/stderr from composd which exec()'s
-# odrefesh.
-allow odrefresh composd:fd use;
-
-# Run binaries from the CompOS APEX in the same domain
-allow odrefresh system_file:file execute_no_trans;
-
-# Make binder calls back to composd
-binder_use(odrefresh)
-allow odrefresh compos_internal_service:service_manager find;
-binder_call(odrefresh, composd)
-
-# Run fd_server in its own domain
-domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
-
-# And kill it via SIGTERM
-allow odrefresh compos_fd_server:process signal;
-
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
diff --git a/private/perfetto.te b/private/perfetto.te
index 174855f..5897aed 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,10 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
@@ -52,6 +52,7 @@
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
@@ -68,7 +69,31 @@
###
### Neverallow rules
###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
diff --git a/private/platform_app.te b/private/platform_app.te
index 9764eab..20c9820 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -109,6 +109,10 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(platform_app)
+can_profile_perf(platform_app)
+
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676..c7d6ab1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -86,6 +86,13 @@
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
@@ -262,3 +269,6 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Allow reporting off body events to keystore.
+allow priv_app keystore:keystore2 report_off_body;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index f73990e..1dc6849 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -23,7 +23,7 @@
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
- # Allow profcollectd to read system bootstrap libs.
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index f63beb9..c9c811a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -557,6 +557,7 @@
domain
-init
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/property_contexts b/private/property_contexts
index 5a9f0e8..b8709e8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -269,7 +269,7 @@
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
-bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
gsid. u:object_r:gsid_prop:s0
ro.gsid. u:object_r:gsid_prop:s0
@@ -464,6 +464,45 @@
persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+
+bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+
+bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.profile.a2dp.sink.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.a2dp.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.asha.central.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.avrcp.target.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.assist.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.broadcast.source.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bap.unicast.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.bass.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.csip.set_coordinator.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.gatt.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.ag.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hfp.hf.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.device.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.hid.host.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.map.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.mcp.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.opp.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.nap.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.tbs.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.vc.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -668,6 +707,7 @@
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -697,7 +737,9 @@
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
+ro.boot.hypervisor.protected_vm.supported u:object_r:hypervisor_prop:s0 exact bool
ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string
+ro.boot.hypervisor.vm.supported u:object_r:hypervisor_prop:s0 exact bool
# These ro.X properties are set to values of ro.boot.X by property_service.
ro.baseband u:object_r:bootloader_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index 7e33715..cd2cec6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,5 +1,5 @@
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
-type compos_internal_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
@@ -15,4 +15,5 @@
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 2e79abb..7075f4d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,39 +3,48 @@
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
+android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_config_service:s0
-android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
@@ -45,6 +54,7 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -67,6 +77,7 @@
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
@@ -78,10 +89,11 @@
android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
-android.system.composd.internal u:object_r:compos_internal_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
+ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -112,6 +124,7 @@
cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
+cloudsearch u:object_r:cloudsearch_service:s0
cloudsearch_service u:object_r:cloudsearch_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
@@ -202,6 +215,7 @@
logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
+mdns u:object_r:mdns_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
@@ -307,6 +321,7 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
@@ -327,9 +342,10 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
-tv_iapp u:object_r:tv_iapp_service:s0
+tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
uce u:object_r:uce_service:s0
@@ -350,6 +366,7 @@
vpn_management u:object_r:vpn_management_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
+wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
diff --git a/private/system_app.te b/private/system_app.te
index 460ad4b..77cca3d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -89,6 +89,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
@@ -103,6 +104,7 @@
dumpstate_service
installd_service
iorapd_service
+ mdns_service
netd_service
virtual_touchpad_service
vold_service
@@ -157,6 +159,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
+allow system_app cgroup_v2:dir w_dir_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index d2b4091..79817ef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,6 +14,11 @@
userfaultfd_use(system_server)
+# TODO(b/217368496): remove this.
+perfetto_producer(system_server)
+can_profile_heap(system_server)
+can_profile_perf(system_server)
+
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -97,7 +102,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -296,6 +301,7 @@
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -402,7 +408,7 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-allow system_server sysfs_type:dir search;
+allow system_server sysfs_type:dir r_dir_perms;
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
@@ -442,6 +448,7 @@
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
+allow system_server uhid_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
@@ -525,9 +532,9 @@
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Manage /data/backup.
@@ -781,6 +788,9 @@
# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)
+# Read hypervisor capabilities ro.boot.hypervisor.*
+get_prop(system_server, hypervisor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -868,6 +878,7 @@
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
@@ -917,6 +928,7 @@
clear_ns
clear_uid
get_state
+ list
lock
migrate_any_key
pull_metrics
@@ -1113,6 +1125,8 @@
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
diff --git a/private/traced.te b/private/traced.te
index fc9a245..a6e200e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -118,4 +118,12 @@
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..05e1664 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,21 @@
# Run derive_classpath in our domain
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
-allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
-
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
+# Allow virtualizationservice to inspect hypervisor capabilities.
+get_prop(virtualizationservice, hypervisor_prop)
+
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
neverallow {
domain
-init
diff --git a/public/attributes b/public/attributes
index 07eecfc..b97bffc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -347,6 +347,7 @@
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
+hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
diff --git a/public/bpfloader.te b/public/bpfloader.te
new file mode 100644
index 0000000..81c32ee
--- /dev/null
+++ b/public/bpfloader.te
@@ -0,0 +1 @@
+type bpfloader, domain, coredomain;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 577a465..d41339a 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -35,6 +35,7 @@
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/domain.te b/public/domain.te
index e7853ec..50503cd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,6 +101,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
@@ -610,25 +611,6 @@
-update_engine
} system_block_device:blk_file { write append };
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b1f186c..3f9a127 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -147,6 +147,7 @@
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
@@ -253,6 +254,7 @@
-apex_service
-dumpstate_service
-gatekeeper_service
+ -hal_wifi_supplicant_service
-virtual_touchpad_service
-vold_service
-default_android_service
@@ -262,6 +264,7 @@
apex_service
dumpstate_service
gatekeeper_service
+ hal_wifi_supplicant_service
virtual_touchpad_service
vold_service
}:service_manager find;
diff --git a/public/file.te b/public/file.te
index 5850e7d..3545e24 100644
--- a/public/file.te
+++ b/public/file.te
@@ -128,6 +128,7 @@
')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
+type fs_bpf_vendor, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56..df70ab6 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,11 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
@@ -32,7 +36,7 @@
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..72fa308 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 3ec6b96..b6d5d92 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
+
+# IAllocator stable-aidl
+hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
+binder_call(hal_graphics_allocator_server, servicemanager)
+binder_call(hal_graphics_allocator_client, servicemanager)
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
new file mode 100644
index 0000000..77d1d70
--- /dev/null
+++ b/public/hal_input_processor.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_processor_client, hal_input_processor_server)
+binder_call(hal_input_processor_server, servicemanager)
+
+hal_attribute_service(hal_input_processor, hal_input_processor_service)
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 7cef4a1..3d0202b 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+binder_call(hal_nfc_server, servicemanager)
hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+hal_attribute_service(hal_nfc, hal_nfc_service)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 8a1fbe5..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,13 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-hal_attribute_service(hal_telephony, hal_radio_config_service)
-hal_attribute_service(hal_telephony, hal_radio_data_service)
-hal_attribute_service(hal_telephony, hal_radio_messaging_service)
-hal_attribute_service(hal_telephony, hal_radio_modem_service)
-hal_attribute_service(hal_telephony, hal_radio_network_service)
-hal_attribute_service(hal_telephony, hal_radio_sim_service)
-hal_attribute_service(hal_telephony, hal_radio_voice_service)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 38bc49a..45cafaa 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,6 +2,9 @@
binder_call(hal_usb_client, hal_usb_server)
binder_call(hal_usb_server, hal_usb_client)
+hal_attribute_service(hal_usb, hal_usb_service)
+binder_call(hal_usb_server, servicemanager)
+
hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
allow hal_usb self:netlink_kobject_uevent_socket create;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index b508aa5..eeb72ba 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
-binder_call(hal_wifi_hostapd_server, servicemanager)
+binder_use(hal_wifi_hostapd_server)
allow hal_wifi_hostapd_server dumpstate:fifo_file write;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b4ff7aa..b531a22 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -5,8 +5,6 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
-binder_call(hal_wifi_supplicant_server, servicemanager)
-
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 5c3e4e7..54e3082 100644
--- a/public/init.te
+++ b/public/init.te
@@ -609,8 +609,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/public/keystore.te b/public/keystore.te
index 9535491..e1c58a4 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remotelyprovisionedkeypool_service)
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..899df88 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -87,6 +87,7 @@
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -150,6 +151,16 @@
-netutils_wrapper
} dnsresolver_service:service_manager find;
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} mdns_service:service_manager find;
+
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
diff --git a/public/property.te b/public/property.te
index 83dfc36..7957f8c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -16,7 +16,6 @@
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_internal_prop(boottime_prop)
- system_internal_prop(bpf_progs_loaded_prop)
system_internal_prop(charger_prop)
system_internal_prop(cold_boot_done_prop)
system_internal_prop(ctl_adbd_prop)
@@ -121,6 +120,7 @@
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(bluetooth_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
@@ -181,6 +181,7 @@
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
+system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_status_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
@@ -235,7 +236,6 @@
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
system_public_prop(boottime_prop)
- system_public_prop(bpf_progs_loaded_prop)
system_public_prop(charger_prop)
system_public_prop(cold_boot_done_prop)
system_public_prop(ctl_adbd_prop)
diff --git a/public/service.te b/public/service.te
index 0e9488c..46eaff1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -14,6 +14,7 @@
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
+type fwk_automotive_display_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
@@ -27,6 +28,7 @@
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
+type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
@@ -35,6 +37,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remotelyprovisionedkeypool_service, service_manager_type;
type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
@@ -59,7 +62,7 @@
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
+type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -157,7 +160,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type nearby_service, system_server_service, service_manager_type;
+type nearby_service, system_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -243,6 +246,7 @@
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
@@ -264,31 +268,30 @@
type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
+type hal_drm_service, vendor_service, service_manager_type;
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_allocator_service, vendor_service, service_manager_type;
type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_input_processor_service, vendor_service, protected_service, service_manager_type;
type hal_ir_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
type hal_neuralnetworks_service, vendor_service, service_manager_type;
+type hal_nfc_service, vendor_service, protected_service, service_manager_type;
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_sensors_service, vendor_service, protected_service, service_manager_type;
@@ -296,6 +299,7 @@
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
+type hal_usb_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 60e3521..4175c86 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,6 +85,7 @@
-incident_service
-installd_service
-iorapd_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
diff --git a/public/te_macros b/public/te_macros
index c112cc1..5c3438f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -196,6 +196,8 @@
# permission to create a vsock; the client can only connect to VMs
# that it owns.
allow $1 virtualizationservice:vsock_socket { getattr read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
')
#####################################
@@ -1021,3 +1023,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 03c4944..1ab150d 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -12,6 +12,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..4e3c7c2 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -60,8 +60,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c6e5e82..24d144a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -191,8 +191,7 @@
allow vendor_init misc_block_device:blk_file w_file_perms;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;
@@ -220,6 +219,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
diff --git a/tests/Android.bp b/tests/Android.bp
index 78a631f..8ca952d 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -25,34 +25,46 @@
},
}
+python_library_host {
+ name: "mini_cil_parser",
+ srcs: ["mini_parser.py"],
+}
+
+python_library_host {
+ name: "pysepolwrap",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ ],
+}
+
python_binary_host {
name: "treble_sepolicy_tests",
srcs: [
- "fc_sort.py",
- "mini_parser.py",
- "policy.py",
"treble_sepolicy_tests.py",
],
+ libs: [
+ "mini_cil_parser",
+ "pysepolwrap",
+ ],
data: [":libsepolwrap"],
}
python_binary_host {
name: "sepolicy_tests",
srcs: [
- "fc_sort.py",
- "policy.py",
"sepolicy_tests.py",
],
+ libs: ["pysepolwrap"],
data: [":libsepolwrap"],
}
python_binary_host {
name: "searchpolicy",
srcs: [
- "fc_sort.py",
- "policy.py",
"searchpolicy.py",
],
+ libs: ["pysepolwrap"],
required: ["libsepolwrap"],
}
@@ -60,8 +72,8 @@
name: "combine_maps",
srcs: [
"combine_maps.py",
- "mini_parser.py",
],
+ libs: ["mini_cil_parser"],
}
python_binary_host {
diff --git a/tests/policy.py b/tests/policy.py
index 06157fd..60c6962 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -396,7 +396,8 @@
self.__libsepolwrap = lib
def __GenfsDictAdd(self, Dict, buf):
- fs, path, context = buf.split(" ")
+ fs, buf = buf.split(' ', 1)
+ path, context = buf.rsplit(' ', 1)
Type = context.split(":")[2]
if not fs in Dict:
Dict[fs] = {Type}
diff --git a/tools/Android.bp b/tools/Android.bp
index c480dc2..fcf375d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -63,3 +63,10 @@
name: "insertkeys",
srcs: ["insertkeys.py"],
}
+
+python_binary_host {
+ name: "sepolicy_generate_compat",
+ srcs: ["sepolicy_generate_compat.py"],
+ libs: ["mini_cil_parser", "pysepolwrap"],
+ data: [":libsepolwrap"],
+}
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
new file mode 100644
index 0000000..17a4d75
--- /dev/null
+++ b/tools/sepolicy_generate_compat.py
@@ -0,0 +1,376 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import distutils.ccompiler
+import glob
+import logging
+import mini_parser
+import os
+import policy
+import shutil
+import subprocess
+import sys
+import tempfile
+import zipfile
+"""This tool generates a mapping file for {ver} core sepolicy."""
+
+temp_dir = ''
+compat_cil_template = ";; This file can't be empty.\n"
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ %s
+ ))
+"""
+
+
+def check_run(cmd, cwd=None):
+ if cwd:
+ logging.debug('Running cmd at %s: %s' % (cwd, cmd))
+ else:
+ logging.debug('Running cmd: %s' % cmd)
+ subprocess.run(cmd, cwd=cwd, check=True)
+
+
+def check_output(cmd):
+ logging.debug('Running cmd: %s' % cmd)
+ return subprocess.run(cmd, check=True, stdout=subprocess.PIPE)
+
+
+def get_android_build_top():
+ ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP')
+ if not ANDROID_BUILD_TOP:
+ sys.exit(
+ 'Error: Missing ANDROID_BUILD_TOP env variable. Please run '
+ '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.')
+ return ANDROID_BUILD_TOP
+
+
+def fetch_artifact(branch, build, pattern, destination='.'):
+ """Fetches build artifacts from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from
+ build: string, build ID or "latest"
+ pattern: string, pattern of build artifact file name
+ destination: string, destination to pull build artifact to
+ """
+ fetch_artifact_path = '/google/data/ro/projects/android/fetch_artifact'
+ cmd = [
+ fetch_artifact_path, '--branch', branch, '--target',
+ 'aosp_arm64-userdebug'
+ ]
+ if build == 'latest':
+ cmd.append('--latest')
+ else:
+ cmd.extend(['--bid', build])
+ cmd.extend([pattern, destination])
+ check_run(cmd)
+
+
+def extract_mapping_file_from_img(img_path, ver, destination='.'):
+ """ Extracts system/etc/selinux/mapping/{ver}.cil from system.img file.
+
+ Args:
+ img_path: string, path to system.img file
+ ver: string, version of designated mapping file
+ destination: string, destination to pull the mapping file to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+
+ cmd = [
+ 'debugfs', '-R',
+ 'cat system/etc/selinux/mapping/10000.0.cil', img_path
+ ]
+ path = os.path.join(destination, '%s.cil' % ver)
+ with open(path, 'wb') as f:
+ logging.debug('Extracting %s.cil to %s' % (ver, destination))
+ f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
+ return path
+
+
+def download_mapping_file(branch, build, ver, destination='.'):
+ """ Downloads system/etc/selinux/mapping/{ver}.cil from Android Build server.
+
+ Args:
+ branch: string, branch to pull build artifacts from (e.g. "sc-v2-dev")
+ build: string, build ID or "latest"
+ ver: string, version of designated mapping file (e.g. "32.0")
+ destination: string, destination to pull build artifact to
+
+ Returns:
+ string, path to extracted mapping file
+ """
+ logging.info('Downloading %s mapping file from branch %s build %s...' %
+ (ver, branch, build))
+ artifact_pattern = 'aosp_arm64-img-*.zip'
+ fetch_artifact(branch, build, artifact_pattern, temp_dir)
+
+ # glob must succeed
+ zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
+ with zipfile.ZipFile(zip_path) as zip_file:
+ logging.debug('Extracting system.img to %s' % temp_dir)
+ zip_file.extract('system.img', temp_dir)
+
+ system_img_path = os.path.join(temp_dir, 'system.img')
+ return extract_mapping_file_from_img(system_img_path, ver, destination)
+
+
+def build_base_files(target_version):
+ """ Builds needed base policy files from the source code.
+
+ Args:
+ target_version: string, target version to gerenate the mapping file
+
+ Returns:
+ (string, string, string), paths to base policy, old policy, and pub policy
+ cil
+ """
+ logging.info('building base sepolicy files')
+ build_top = get_android_build_top()
+
+ cmd = [
+ 'build/soong/soong_ui.bash',
+ '--make-mode',
+ 'dist',
+ 'base-sepolicy-files-for-mapping',
+ 'TARGET_PRODUCT=aosp_arm64',
+ 'TARGET_BUILD_VARIANT=userdebug',
+ ]
+ check_run(cmd, cwd=build_top)
+
+ dist_dir = os.path.join(build_top, 'out', 'dist')
+ base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy')
+ old_policy_path = os.path.join(dist_dir,
+ '%s_plat_sepolicy' % target_version)
+ pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil')
+
+ return base_policy_path, old_policy_path, pub_policy_cil_path
+
+
+def change_api_level(versioned_type, api_from, api_to):
+ """ Verifies the API version of versioned_type, and changes it to new API level.
+
+ For example, change_api_level("foo_32_0", "32.0", "31.0") will return
+ "foo_31_0".
+
+ Args:
+ versioned_type: string, type with version suffix
+ api_from: string, api version of versioned_type
+ api_to: string, new api version for versioned_type
+
+ Returns:
+ string, a new versioned type
+ """
+ old_suffix = api_from.replace('.', '_')
+ new_suffix = api_to.replace('.', '_')
+ if not versioned_type.endswith(old_suffix):
+ raise ValueError('Version of type %s is different from %s' %
+ (versioned_type, api_from))
+ return versioned_type.removesuffix(old_suffix) + new_suffix
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '--branch',
+ required=True,
+ help='Branch to pull build from. e.g. "sc-v2-dev"')
+ parser.add_argument('--build', required=True, help='Build ID, or "latest"')
+ parser.add_argument(
+ '--target-version',
+ required=True,
+ help='Target version of designated mapping file. e.g. "32.0"')
+ parser.add_argument(
+ '--latest-version',
+ required=True,
+ help='Latest version for mapping of newer types. e.g. "31.0"')
+ parser.add_argument(
+ '-v',
+ '--verbose',
+ action='count',
+ default=0,
+ help='Increase output verbosity, e.g. "-v", "-vv".')
+ return parser.parse_args()
+
+
+def main():
+ args = get_args()
+
+ verbosity = min(args.verbose, 2)
+ logging.basicConfig(
+ format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
+ level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity])
+
+ global temp_dir
+ temp_dir = tempfile.mkdtemp()
+
+ try:
+ libpath = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
+ distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit(
+ 'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
+ )
+
+ build_top = get_android_build_top()
+ sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
+
+ # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
+ mapping_file = download_mapping_file(
+ args.branch, args.build, args.target_version, destination=temp_dir)
+ mapping_file_cil = mini_parser.MiniCilParser(mapping_file)
+ mapping_file_cil.types = set()
+ mapping_file_cil.typeattributes = set()
+
+ # Step 2. Build base policy files and parse latest mapping files
+ base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files(
+ args.target_version)
+ base_policy = policy.Policy(base_policy_path, None, libpath)
+ old_policy = policy.Policy(old_policy_path, None, libpath)
+ pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path)
+
+ all_types = base_policy.GetAllTypes(False)
+ old_all_types = old_policy.GetAllTypes(False)
+ pub_types = pub_policy_cil.types
+
+ # Step 3. Find new types and removed types
+ new_types = pub_types & (all_types - old_all_types)
+ removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & (
+ old_all_types - all_types)
+
+ logging.info('new types: %s' % new_types)
+ logging.info('removed types: %s' % removed_types)
+
+ # Step 4. Map new types and removed types appropriately, based on the latest mapping
+ latest_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.latest_version)
+ latest_mapping_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path, args.latest_version + '.cil'))
+ latest_ignore_cil = mini_parser.MiniCilParser(
+ os.path.join(latest_compat_path,
+ args.latest_version + '.ignore.cil'))
+
+ latest_ignored_types = list(latest_ignore_cil.rTypeattributesets.keys())
+ latest_removed_types = latest_mapping_cil.types
+ logging.debug('types ignored in latest policy: %s' %
+ latest_ignored_types)
+ logging.debug('types removed in latest policy: %s' %
+ latest_removed_types)
+
+ target_ignored_types = set()
+ target_removed_types = set()
+ invalid_new_types = set()
+ invalid_mapping_types = set()
+ invalid_removed_types = set()
+
+ logging.info('starting mapping')
+ for new_type in new_types:
+ # Either each new type should be in latest_ignore_cil, or mapped to existing types
+ if new_type in latest_ignored_types:
+ logging.debug('adding %s to ignore' % new_type)
+ target_ignored_types.add(new_type)
+ elif new_type in latest_mapping_cil.rTypeattributesets:
+ latest_mapped_types = latest_mapping_cil.rTypeattributesets[
+ new_type]
+ target_mapped_types = {change_api_level(t, args.latest_version,
+ args.target_version)
+ for t in latest_mapped_types}
+ logging.debug('mapping %s to %s' %
+ (new_type, target_mapped_types))
+
+ for t in target_mapped_types:
+ if t not in mapping_file_cil.typeattributesets:
+ logging.error(
+ 'Cannot find desired type %s in mapping file' % t)
+ invalid_mapping_types.add(t)
+ continue
+ mapping_file_cil.typeattributesets[t].add(new_type)
+ else:
+ logging.error('no mapping information for new type %s' %
+ new_type)
+ invalid_new_types.add(new_type)
+
+ for removed_type in removed_types:
+ # Removed type should be in latest_mapping_cil
+ if removed_type in latest_removed_types:
+ logging.debug('adding %s to removed' % removed_type)
+ target_removed_types.add(removed_type)
+ else:
+ logging.error('no mapping information for removed type %s' %
+ removed_type)
+ invalid_removed_types.add(removed_type)
+
+ error_msg = ''
+
+ if invalid_new_types:
+ error_msg += ('The following new types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_new_types)
+ if invalid_mapping_types:
+ error_msg += (
+ 'The following existing types were not in the '
+ 'downloaded mapping file: %s\n') % sorted(invalid_mapping_types)
+ if invalid_removed_types:
+ error_msg += ('The following removed types were not in the latest '
+ 'mapping: %s\n') % sorted(invalid_removed_types)
+
+ if error_msg:
+ error_msg += '\n'
+ error_msg += ('Please make sure the source tree and the build ID is'
+ ' up to date.\n')
+ sys.exit(error_msg)
+
+ # Step 5. Write to system/sepolicy/private/compat
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+ target_mapping_file = os.path.join(target_compat_path,
+ args.target_version + '.cil')
+ target_compat_file = os.path.join(target_compat_path,
+ args.target_version + '.compat.cil')
+ target_ignore_file = os.path.join(target_compat_path,
+ args.target_version + '.ignore.cil')
+
+ with open(target_mapping_file, 'w') as f:
+ logging.info('writing %s' % target_mapping_file)
+ if removed_types:
+ f.write(';; types removed from current policy\n')
+ f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
+ f.write('\n\n')
+ f.write(mapping_file_cil.unparse())
+
+ with open(target_compat_file, 'w') as f:
+ logging.info('writing %s' % target_compat_file)
+ f.write(compat_cil_template)
+
+ with open(target_ignore_file, 'w') as f:
+ logging.info('writing %s' % target_ignore_file)
+ f.write(ignore_cil_template %
+ ('\n '.join(sorted(target_ignored_types))))
+ finally:
+ logging.info('Deleting temporary dir: {}'.format(temp_dir))
+ shutil.rmtree(temp_dir)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 011001b..6a56d58 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -85,6 +85,9 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+# TODO(b/214336258): move to Soong
+$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
+
$(version)_plat_policy.conf :=
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4fc0460..762cf20 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,7 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-default-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -25,12 +25,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
@@ -51,6 +53,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.processor-service u:object_r:hal_input_processor_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.example u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
@@ -87,6 +90,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
new file mode 100644
index 0000000..ab474d6
--- /dev/null
+++ b/vendor/hal_drm_clearkey.te
@@ -0,0 +1,6 @@
+type hal_drm_clearkey_aidl, domain;
+type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey_aidl)
+
+hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
index 7f84687..550db95 100644
--- a/vendor/hal_identity_default.te
+++ b/vendor/hal_identity_default.te
@@ -3,3 +3,8 @@
type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_identity_default)
+
+# We need to get a handle to the IRemotelyProvisionedComponent, and it's hosted by
+# the keymint HAL.
+hal_client_domain(hal_identity_default, hal_keymint)
+
diff --git a/vendor/hal_input_processor_default.te b/vendor/hal_input_processor_default.te
new file mode 100644
index 0000000..33a5c41
--- /dev/null
+++ b/vendor/hal_input_processor_default.te
@@ -0,0 +1,5 @@
+type hal_input_processor_default, domain;
+hal_server_domain(hal_input_processor_default, hal_input_processor)
+
+type hal_input_processor_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_processor_default)
