Snap for 9549188 from 72eb49e1fa0c9e158c817287bd7f9a18b101826d to mainline-uwb-release
Change-Id: I4ca8284922c032653371f56beab3ddeb123a42b6
diff --git a/prebuilts/api/30.0/public/attributes b/prebuilts/api/30.0/public/attributes
index 19623af..0c91692 100644
--- a/prebuilts/api/30.0/public/attributes
+++ b/prebuilts/api/30.0/public/attributes
@@ -91,15 +91,19 @@
# All properties defined by /system.
attribute system_property_type;
+expandattribute system_property_type false;
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
+expandattribute system_public_property_type false;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
@@ -111,15 +115,19 @@
# All properties defined by /vendor.
attribute vendor_property_type;
+expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
diff --git a/prebuilts/api/31.0/private/mediatranscoding.te b/prebuilts/api/31.0/private/mediatranscoding.te
index 2a43cf9..073e81d 100644
--- a/prebuilts/api/31.0/private/mediatranscoding.te
+++ b/prebuilts/api/31.0/private/mediatranscoding.te
@@ -19,6 +19,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 29f4f1a..e72693a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -395,10 +395,12 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
+ -system_app
} {
arm64_memtag_prop
}:property_service set;
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 239686e..41fac62 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
diff --git a/prebuilts/api/32.0/private/mediatranscoding.te b/prebuilts/api/32.0/private/mediatranscoding.te
index 2a43cf9..073e81d 100644
--- a/prebuilts/api/32.0/private/mediatranscoding.te
+++ b/prebuilts/api/32.0/private/mediatranscoding.te
@@ -19,6 +19,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/prebuilts/api/32.0/private/property.te b/prebuilts/api/32.0/private/property.te
index 587cf5e..77e1a7d 100644
--- a/prebuilts/api/32.0/private/property.te
+++ b/prebuilts/api/32.0/private/property.te
@@ -396,10 +396,12 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
+ -system_app
} {
arm64_memtag_prop
}:property_service set;
diff --git a/prebuilts/api/32.0/private/system_app.te b/prebuilts/api/32.0/private/system_app.te
index 239686e..41fac62 100644
--- a/prebuilts/api/32.0/private/system_app.te
+++ b/prebuilts/api/32.0/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
diff --git a/prebuilts/api/33.0/private/app_zygote.te b/prebuilts/api/33.0/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/prebuilts/api/33.0/private/app_zygote.te
+++ b/prebuilts/api/33.0/private/app_zygote.te
@@ -159,6 +159,7 @@
neverallow app_zygote {
domain
-app_zygote
+ -prng_seeder
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
userdebug_or_eng(`-traced_perf')
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
index a99b628..d916a13 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
@@ -1378,6 +1378,7 @@
(typeattributeset build_config_prop_32_0 (build_config_prop))
(typeattributeset build_odm_prop_32_0 (build_odm_prop))
(typeattributeset build_prop_32_0 (build_prop))
+(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
(typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
(typeattributeset cache_backup_file_32_0 (cache_backup_file))
(typeattributeset cache_block_device_32_0 (cache_block_device))
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index a07f5ae..a23374b 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -58,6 +58,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
remotelyprovisionedkeypool_service
diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
index 2ef688c..bcb9d52 100644
--- a/prebuilts/api/33.0/private/domain.te
+++ b/prebuilts/api/33.0/private/domain.te
@@ -112,6 +112,9 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -496,6 +499,7 @@
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
+ -prng_seeder # Any process using libcrypto needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index c4ee2aa..cf9ea02 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -115,3 +115,8 @@
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
# property labeled.
type sepolicy_test_file, file_type;
+
+# Filesystem entry for for PRNG seeder socket. Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index e21c18c..65baa5d 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -149,6 +149,7 @@
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
diff --git a/prebuilts/api/33.0/private/init.te b/prebuilts/api/33.0/private/init.te
index 997a184..17e25f8 100644
--- a/prebuilts/api/33.0/private/init.te
+++ b/prebuilts/api/33.0/private/init.te
@@ -108,6 +108,9 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
diff --git a/prebuilts/api/33.0/private/prng_seeder.te b/prebuilts/api/33.0/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/prebuilts/api/33.0/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 1b2360d..b8ed3a9 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -807,7 +807,7 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.treble.enabled u:object_r:build_prop:s0 exact bool
@@ -834,7 +834,7 @@
ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure u:object_r:build_prop:s0 exact int
+ro.secure u:object_r:userdebug_or_eng_prop:s0 exact int
ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
ro.product.system_ext.device u:object_r:build_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/untrusted_app_25.te b/prebuilts/api/33.0/private/untrusted_app_25.te
index 4235d7e..b40fad0 100644
--- a/prebuilts/api/33.0/private/untrusted_app_25.te
+++ b/prebuilts/api/33.0/private/untrusted_app_25.te
@@ -52,3 +52,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_27.te b/prebuilts/api/33.0/private/untrusted_app_27.te
index c747af1..dd9b4a8 100644
--- a/prebuilts/api/33.0/private/untrusted_app_27.te
+++ b/prebuilts/api/33.0/private/untrusted_app_27.te
@@ -40,3 +40,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_29.te b/prebuilts/api/33.0/private/untrusted_app_29.te
index 6bb2606..0cc2bea 100644
--- a/prebuilts/api/33.0/private/untrusted_app_29.te
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@@ -18,3 +18,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_30.te b/prebuilts/api/33.0/private/untrusted_app_30.te
index e0a71ef..7b23be7 100644
--- a/prebuilts/api/33.0/private/untrusted_app_30.te
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@@ -20,3 +20,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 8e1fcf7..46e9456 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -129,6 +129,7 @@
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
+get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
@@ -421,6 +422,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
@@ -563,6 +565,7 @@
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
diff --git a/prebuilts/api/33.0/public/hal_configstore.te b/prebuilts/api/33.0/public/hal_configstore.te
index 069da47..23b04c9 100644
--- a/prebuilts/api/33.0/public/hal_configstore.te
+++ b/prebuilts/api/33.0/public/hal_configstore.te
@@ -31,6 +31,7 @@
domain
-hal_configstore_server
-logd
+ -prng_seeder
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
diff --git a/prebuilts/api/33.0/public/prng_seeder.te b/prebuilts/api/33.0/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/prebuilts/api/33.0/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index a235634..c3bfde6 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -71,6 +71,7 @@
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index b7302d4..74e2340 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -280,7 +280,8 @@
###
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+ domain -init -logd -prng_seeder -su -vendor_init });
# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -159,6 +159,7 @@
neverallow app_zygote {
domain
-app_zygote
+ -prng_seeder
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
userdebug_or_eng(`-traced_perf')
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index a99b628..d916a13 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -1378,6 +1378,7 @@
(typeattributeset build_config_prop_32_0 (build_config_prop))
(typeattributeset build_odm_prop_32_0 (build_odm_prop))
(typeattributeset build_prop_32_0 (build_prop))
+(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
(typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
(typeattributeset cache_backup_file_32_0 (cache_backup_file))
(typeattributeset cache_block_device_32_0 (cache_block_device))
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index a07f5ae..a23374b 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -58,6 +58,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
remotelyprovisionedkeypool_service
diff --git a/private/domain.te b/private/domain.te
index 2ef688c..bcb9d52 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,9 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -496,6 +499,7 @@
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
+ -prng_seeder # Any process using libcrypto needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
diff --git a/private/file.te b/private/file.te
index c4ee2aa..cf9ea02 100644
--- a/private/file.te
+++ b/private/file.te
@@ -115,3 +115,8 @@
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
# property labeled.
type sepolicy_test_file, file_type;
+
+# Filesystem entry for for PRNG seeder socket. Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
diff --git a/private/file_contexts b/private/file_contexts
index e21c18c..65baa5d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
diff --git a/private/init.te b/private/init.te
index 997a184..17e25f8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -108,6 +108,9 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
diff --git a/private/prng_seeder.te b/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
diff --git a/private/property_contexts b/private/property_contexts
index 1b2360d..b8ed3a9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -807,7 +807,7 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.treble.enabled u:object_r:build_prop:s0 exact bool
@@ -834,7 +834,7 @@
ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure u:object_r:build_prop:s0 exact int
+ro.secure u:object_r:userdebug_or_eng_prop:s0 exact int
ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
ro.product.system_ext.device u:object_r:build_prop:s0 exact string
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7e..b40fad0 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,3 +52,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1..dd9b4a8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 6bb2606..0cc2bea 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,3 +18,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index e0a71ef..7b23be7 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,3 +20,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
diff --git a/public/domain.te b/public/domain.te
index 8e1fcf7..46e9456 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -129,6 +129,7 @@
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
+get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
@@ -421,6 +422,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
@@ -563,6 +565,7 @@
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 069da47..23b04c9 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -31,6 +31,7 @@
domain
-hal_configstore_server
-logd
+ -prng_seeder
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
diff --git a/public/prng_seeder.te b/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
diff --git a/public/property.te b/public/property.te
index a235634..c3bfde6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -71,6 +71,7 @@
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7302d4..74e2340 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -280,7 +280,8 @@
###
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+ domain -init -logd -prng_seeder -su -vendor_init });
# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().