Snap for 8953554 from 67c34c43ef2f39696a811b19a33256269d7c98e3 to mainline-tzdata4-release

Change-Id: I86513b1e725f1ac8ade0423bd995f87440ea823b
diff --git a/apex/Android.bp b/apex/Android.bp
index 8f11771..dda949f 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -21,6 +21,8 @@
     default_applicable_licenses: ["system_sepolicy_license"],
 }
 
+// TODO(b/236681553): Remove com.android.bluetooth-file_contexts
+
 filegroup {
   name: "apex_file_contexts_files",
   srcs: ["*-file_contexts"],
diff --git a/apex/com.android.btservices-file_contexts b/apex/com.android.btservices-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.btservices-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/mac_permissions.mk b/mac_permissions.mk
index dbdf144..ad17b8f 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,7 +22,7 @@
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 # Should be synced with keys.conf.
-all_plat_keys := platform sdk_sandbox media networkstack shared testkey
+all_plat_keys := platform sdk_sandbox media networkstack shared testkey bluetooth
 all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
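Review bot: `bluetooth` is appended to all_plat_keys on the changed line, but the comment directly above says this list must be kept in sync with keys.conf, and no keys.conf change appears in this chunk. If the matching bluetooth key entry lands separately, the build will look for a bluetooth.x509.pem that the rest of the mac_permissions pipeline does not know about; confirm the companion entry is part of this snap. The comment could also name what has to change together, e.g. `# Should be synced with keys.conf (one entry per key listed below).`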
diff --git a/prebuilts/api/33.0/private/app.te b/prebuilts/api/33.0/private/app.te
index b7da601..86180b0 100644
--- a/prebuilts/api/33.0/private/app.te
+++ b/prebuilts/api/33.0/private/app.te
@@ -75,6 +75,11 @@
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
 allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
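Review bot: The comment on the added allow says apps may not modify system_server's UDP sockets other than to connect, but the rule grants `setopt`, which does change socket state, and `setopt` is also absent from the neverallow below, so nothing pins the stated intent. Either drop `setopt` from the allow if it is not needed, or make the comment describe what is actually granted, e.g. `# allow apps to use UDP sockets provided by the system server (including socket options) but not bind, listen, shutdown or otherwise re-plumb them`. The identical hunk appears in private/app.te.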
diff --git a/prebuilts/api/33.0/private/bluetooth.te b/prebuilts/api/33.0/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/prebuilts/api/33.0/private/bluetooth.te
+++ b/prebuilts/api/33.0/private/bluetooth.te
@@ -46,6 +46,9 @@
 allow bluetooth proc_filesystems:file r_file_perms;
 get_prop(bluetooth, incremental_prop)
 
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, binder_cache_bluetooth_server_prop);
 neverallow { domain -bluetooth -init }
diff --git a/prebuilts/api/33.0/private/bpfloader.te b/prebuilts/api/33.0/private/bpfloader.te
index d7b27b5..54cc916 100644
--- a/prebuilts/api/33.0/private/bpfloader.te
+++ b/prebuilts/api/33.0/private/bpfloader.te
@@ -6,9 +6,9 @@
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
-allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+allow bpfloader bpffs_type:dir { add_name create remove_name search write };
+allow bpfloader bpffs_type:file { create read rename setattr };
+allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -26,17 +26,21 @@
 ###
 
 # TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
+neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
+neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
+neverallow { domain -bpfloader             -init                          -netd                   -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
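Review bot: The rewritten write rule on the `{ bpffs_type -fs_bpf_vendor }:file write` line exempts netd and netutils_wrapper for every non-vendor bpffs subtype, so the read-only guarantee for netd on fs_bpf_netd_readonly and for netutils_wrapper on fs_bpf_netd_shared now rests solely on the per-type neverallows added in private/network_stack.te in this same change. A cross-reference here would stop the next editor from widening one side without the other, e.g. `# netd/netutils_wrapper write access is narrowed per-type in private/network_stack.te`. The column-aligned padding in the per-type read rules also means any future one-domain change touches whitespace across the whole block; acceptable if that is the intended style. The identical hunk appears in private/bpfloader.te.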
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index 94a8fea..a07f5ae 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -27,6 +27,7 @@
     evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    framework_status_prop
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 4161dc9..c4ee2aa 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -1,6 +1,13 @@
 # /proc/config.gz
 type config_gz, fs_type, proc_type;
 
+# /sys/fs/bpf/<dir> for mainline tethering use
+# TODO: move S+ fs_bpf_tethering here from public/file.te
+type fs_bpf_net_private, fs_type, bpffs_type;
+type fs_bpf_net_shared, fs_type, bpffs_type;
+type fs_bpf_netd_readonly, fs_type, bpffs_type;
+type fs_bpf_netd_shared, fs_type, bpffs_type;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
 
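Review bot: The comment introducing the four new types says they are for mainline tethering use, but fs_bpf_netd_readonly and fs_bpf_netd_shared are, per the neverallows in network_stack.te and the allows in netd.te and system_server.te in this change, shared with netd, netutils_wrapper and system_server, so the comment undersells who is expected to touch them. Suggest `# /sys/fs/bpf/<dir> for mainline networking (network_stack, netd, system_server) use`. The identical hunk appears in private/file.te.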
diff --git a/prebuilts/api/33.0/private/genfs_contexts b/prebuilts/api/33.0/private/genfs_contexts
index 1c604fc..6578470 100644
--- a/prebuilts/api/33.0/private/genfs_contexts
+++ b/prebuilts/api/33.0/private/genfs_contexts
@@ -395,5 +395,9 @@
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
+genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
+genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
+genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -5,11 +5,6 @@
 
 app_domain(gmscore_app)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
 allow gmscore_app sysfs_type:dir search;
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(gmscore_app, sysfs_zram)
diff --git a/prebuilts/api/33.0/private/netd.te b/prebuilts/api/33.0/private/netd.te
index 30dcd08..4aa288b 100644
--- a/prebuilts/api/33.0/private/netd.te
+++ b/prebuilts/api/33.0/private/netd.te
@@ -6,6 +6,10 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
+
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/prebuilts/api/33.0/private/netutils_wrapper.te b/prebuilts/api/33.0/private/netutils_wrapper.te
index af0360f..900b35c 100644
--- a/prebuilts/api/33.0/private/netutils_wrapper.te
+++ b/prebuilts/api/33.0/private/netutils_wrapper.te
@@ -25,7 +25,9 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
 # For /data/misc/net access to ndc and ip
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index b105938..3cdf884 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -22,6 +22,14 @@
 # Monitor neighbors via netlink.
 allow network_stack self:netlink_route_socket nlmsg_write;
 
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack mdns_service:service_manager find;
@@ -52,12 +60,57 @@
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
+############### NEVER ALLOW RULES
+# This place is as good as any for these rules,
+# and it is probably the most appropriate because
+# network_stack itself is entirely mainline code.
+#
 # Unfortunately init/vendor_init have all sorts of extra privs
+
+# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
+
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
+# netd's access should be readonly
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow netd fs_bpf_netd_readonly:file write;
+
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
+# netutils_wrapper requires access to be able to run iptables and only needs readonly access
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow netutils_wrapper fs_bpf_netd_shared:file write;
+
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
+
+# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
 
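Review bot: The context comment above the two rewritten allow lines still says the access is for Tethering to offload tethering traffic, while the rules now cover fs_bpf_net_private, fs_bpf_net_shared, fs_bpf_netd_readonly and fs_bpf_netd_shared as well; update it to the real scope, e.g. `# allow network_stack (incl. Tethering) to search, read and update the eBPF maps/programs it shares with netd and system_server`. The new allowxperm line relies on TUNSETLINK already being present in ioctl_defines, since only TUNSETCARRIER is added by this change; confirm it is defined, otherwise the m4 expansion will leave an undefined symbol.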
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index b723633..6112ae0 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -113,10 +113,6 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index f19a60a..1b2360d 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -1205,6 +1205,9 @@
 framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
 framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
 
+# Framework configuration properties.
+framework.pause_bg_animations.enabled         u:object_r:framework_status_prop:s0 exact bool
+
 gsm.operator.iso-country       u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.iso-country   u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
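Review bot: The new comment calls `framework.pause_bg_animations.enabled` a configuration property, but it is labelled framework_status_prop, which property.te in this change declares as a system_public_prop and domain.te makes readable by every domain; pick one vocabulary so a reader does not assume a vendor-settable config property. No set_prop for framework_status_prop appears in this chunk, so which domain writes it cannot be checked from here. Suggest `# Framework status properties (readable by all domains).`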
diff --git a/prebuilts/api/33.0/private/remote_prov_app.te b/prebuilts/api/33.0/private/remote_prov_app.te
index 43b69d2..f49eb63 100644
--- a/prebuilts/api/33.0/private/remote_prov_app.te
+++ b/prebuilts/api/33.0/private/remote_prov_app.te
@@ -10,5 +10,6 @@
 
 allow remote_prov_app {
     app_api_service
+    mediametrics_service
     remoteprovisioning_service
 }:service_manager find;
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index 193ab51..20d3adf 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -164,10 +164,19 @@
     domain
     -init
     -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+    domain
+    -init
+    -installd
     -sdk_sandbox
     -system_server
     -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
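Review bot: Adding `-zygote` to the second neverallow exempts zygote from the whole `{ create_dir_perms relabelto }` set, although zygote.te in this change grants it only `{ search relabelto }`; the exemption is presumably needed because `search` is itself part of create_dir_perms, but nothing records that, and a later widening of zygote's allow on sdk_sandbox_system_data_file would no longer be caught here. A comment such as `# zygote is exempt because it needs search (part of create_dir_perms) and relabelto; see zygote.te` would make the dependency explicit. The first neverallow in this hunk begins before the hunk.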
diff --git a/prebuilts/api/33.0/private/surfaceflinger.te b/prebuilts/api/33.0/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/prebuilts/api/33.0/private/surfaceflinger.te
+++ b/prebuilts/api/33.0/private/surfaceflinger.te
@@ -74,13 +74,9 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
 perfetto_producer(surfaceflinger)
 
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 01956f4..77cca3d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -176,10 +176,6 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index ba097f2..0f72c7f 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -15,11 +15,6 @@
 
 userfaultfd_use(system_server)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
@@ -159,11 +154,14 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
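Review bot: `nlmsg_write` is added to the tcpdiag allow, but the comment above it still describes the socket as used for looking up connection UIDs, which is a read-only use; write access on netlink_tcpdiag_socket is presumably for socket destruction, so say what it is for, e.g. `# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps and (nlmsg_write) for destroying sockets.` The new `netlink_nflog_socket` allow a few lines further down has no comment at all, unlike every neighbouring rule; a one-liner on why system_server now needs nflog would match the file's style.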
@@ -180,6 +178,9 @@
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };
 # signull allowed for kill(pid, 0) existence test.
@@ -472,9 +473,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;
@@ -1148,7 +1149,8 @@
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
-allow system_server fs_bpf:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index c5ba180..41245c2 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -62,9 +62,10 @@
 # Bind mount on /data/data and mounted volumes
 allow zygote { system_data_file mnt_expand_file }:dir mounton;
 
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
 
 # Zygote opens /mnt/expand to mount CE DE storage on each vol
 allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
   app_data_file_type
   system_data_file
   mnt_expand_file
+  sdk_sandbox_system_data_file
 }:dir getattr;
 
 # Allow zygote to create JIT memory.
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
index da24012..de3d0ca 100644
--- a/prebuilts/api/33.0/public/app.te
+++ b/prebuilts/api/33.0/public/app.te
@@ -53,7 +53,8 @@
 # These messages are broadcast messages from the kernel to userspace.
 # Do not allow the writing of netlink messages, which has been a source
 # of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+    domain:netlink_kobject_uevent_socket { write append };
 
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
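Review bot: The neverallow now carves network_stack out of the rule the surrounding comment describes as a past rooting vector, because private/network_stack.te in this change grants it `create_socket_perms_no_ioctl` on netlink_kobject_uevent_socket, which includes write and append. The comment above the rule is unchanged, so a reader sees "Do not allow the writing of netlink messages" directly above an unexplained exemption; record the reason, e.g. `# network_stack is exempt: it is platform mainline code that needs to send uevent netlink messages (see private/network_stack.te).` If network_stack only needs to receive uevents, the narrower fix is to drop write/append from its allow rather than exempting it here.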
diff --git a/prebuilts/api/33.0/public/attributes b/prebuilts/api/33.0/public/attributes
index 906dbcd..742264a 100644
--- a/prebuilts/api/33.0/public/attributes
+++ b/prebuilts/api/33.0/public/attributes
@@ -10,6 +10,9 @@
 # TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute bdev_type;
 
+# Attribute for all bpf filesystem subtypes.
+attribute bpffs_type;
+
 # All types used for processes.
 attribute domain;
 
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 6258c7a..8e1fcf7 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -116,6 +116,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
 get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 2c75f30..47b63e6 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -112,6 +112,9 @@
   sysfs_zram
 }:file r_file_perms;
 
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
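Review bot: `dontaudit dumpstate sysfs:file r_file_perms` silences every read denial on the generic sysfs label, including the ones that would reveal a mislabelled node dumpstate actually needs for a bugreport; that is a reasonable trade-off for a collector that probes /sys speculatively, but the comment should say so rather than just "Ignore other file access". Suggest `# dumpstate probes /sys speculatively; suppress denials for nodes it is not meant to read instead of granting access.`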
diff --git a/prebuilts/api/33.0/public/file.te b/prebuilts/api/33.0/public/file.te
index 9d333f5..2bfa282 100644
--- a/prebuilts/api/33.0/public/file.te
+++ b/prebuilts/api/33.0/public/file.te
@@ -129,9 +129,10 @@
 userdebug_or_eng(`
     typeattribute sysfs_vendor_sched mlstrustedobject;
 ')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type fs_bpf_vendor, fs_type;
+type fs_bpf, fs_type, bpffs_type;
+# TODO: S+ fs_bpf_tethering (used by mainline) should be private
+type fs_bpf_tethering, fs_type, bpffs_type;
+type fs_bpf_vendor, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index 51cce4e..d46e485 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -2438,6 +2438,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')
diff --git a/prebuilts/api/33.0/public/netd.te b/prebuilts/api/33.0/public/netd.te
index 64b4c7d..7c7655e 100644
--- a/prebuilts/api/33.0/public/netd.te
+++ b/prebuilts/api/33.0/public/netd.te
@@ -64,8 +64,6 @@
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:file { read write };
-
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index b18f142..a235634 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -199,6 +199,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
diff --git a/private/app.te b/private/app.te
index b7da601..86180b0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -75,6 +75,11 @@
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
 allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -46,6 +46,9 @@
 allow bluetooth proc_filesystems:file r_file_perms;
 get_prop(bluetooth, incremental_prop)
 
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, binder_cache_bluetooth_server_prop);
 neverallow { domain -bluetooth -init }
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d7b27b5..54cc916 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,9 +6,9 @@
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
-allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+allow bpfloader bpffs_type:dir { add_name create remove_name search write };
+allow bpfloader bpffs_type:file { create read rename setattr };
+allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -26,17 +26,21 @@
 ###
 
 # TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
+neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
+neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
+neverallow { domain -bpfloader             -init                          -netd                   -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 94a8fea..a07f5ae 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -27,6 +27,7 @@
     evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    framework_status_prop
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
diff --git a/private/file.te b/private/file.te
index 4161dc9..c4ee2aa 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,6 +1,13 @@
 # /proc/config.gz
 type config_gz, fs_type, proc_type;
 
+# /sys/fs/bpf/<dir> for mainline tethering use
+# TODO: move S+ fs_bpf_tethering here from public/file.te
+type fs_bpf_net_private, fs_type, bpffs_type;
+type fs_bpf_net_shared, fs_type, bpffs_type;
+type fs_bpf_netd_readonly, fs_type, bpffs_type;
+type fs_bpf_netd_shared, fs_type, bpffs_type;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
 
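Review bot: The header comment `# /sys/fs/bpf/<dir> for mainline tethering use` at the top of this hunk undersells the four new types: elsewhere in this change fs_bpf_net_shared and the fs_bpf_netd_* types are also read or written by netd, netutils_wrapper and system_server, not only by the tethering code. Suggest `# /sys/fs/bpf/<dir> for mainline networking code (network_stack/tethering; netd and system_server share the *_shared and netd_readonly subtypes)`. A one-line access summary per type, matching the neverallow comments in private/network_stack.te, would make the intended reader set visible where the types are declared rather than only where they are fenced off.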
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1c604fc..6578470 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,5 +395,9 @@
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
+genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
+genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
+genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,11 +5,6 @@
 
 app_domain(gmscore_app)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
 allow gmscore_app sysfs_type:dir search;
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(gmscore_app, sysfs_zram)
diff --git a/private/netd.te b/private/netd.te
index 30dcd08..4aa288b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,6 +6,10 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
+
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
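Review bot: The three new allow rules at the top of this hunk carry no comment, while the neighbouring rule explains why netd needs the bpf object permissions; from this file alone a reader cannot tell why netd gets `write` on fs_bpf and fs_bpf_netd_shared but only `read` on fs_bpf_netd_readonly (the matching `neverallow netd fs_bpf_netd_readonly:file write` lives in private/network_stack.te in this change). Suggest a comment above them such as `# Pinned bpf maps: netd updates fs_bpf and netd_shared objects; netd_readonly objects are written by network_stack/system_server and netd may only read them`, adjusted to whatever the real ownership split is. The column-aligned set `{ fs_bpf                      fs_bpf_netd_shared }` will churn whenever a type is added; one element per line, as sdk_sandbox.te and remote_prov_app.te do in this change, avoids that.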
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index af0360f..900b35c 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,9 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
 # For /data/misc/net access to ndc and ip
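Review bot: The comment kept above the new rules still describes only the xt_bpf program access, so the new read access to fs_bpf_netd_shared is unexplained here and the deliberate read-only split (write only on fs_bpf, enforced by `neverallow netutils_wrapper fs_bpf_netd_shared:file write` in private/network_stack.te) is invisible in this file. Suggest appending `# netd_shared maps are read-only for netutils_wrapper; reloading iptables rules only needs to reference them` to the comment. The single-element set `{ fs_bpf                    }` padded for alignment reads oddly; `allow netutils_wrapper fs_bpf:file write;` says the same thing.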
diff --git a/private/network_stack.te b/private/network_stack.te
index b105938..3cdf884 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,14 @@
 # Monitor neighbors via netlink.
 allow network_stack self:netlink_route_socket nlmsg_write;
 
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack mdns_service:service_manager find;
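Review bot: The grant `allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;` is only loadable because this change also exempts network_stack from the appdomain neverallow on uevent socket write/append in public/app.te, and nothing here records that dependency. Suggest extending the comment to `# Use netlink uevent sockets (network_stack is exempted from the appdomain write/append neverallow in public/app.te).` Likewise `# give network_stack the same netlink permissions as netd` states the outcome but not the reason; naming the functionality moving into network_stack that needs nflog and generic netlink would let a later reviewer prune these rules when that code moves again.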
@@ -52,12 +60,57 @@
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
+############### NEVER ALLOW RULES
+# This place is as good as any for these rules,
+# and it is probably the most appropriate because
+# network_stack itself is entirely mainline code.
+#
 # Unfortunately init/vendor_init have all sorts of extra privs
+
+# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
+
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
+# netd's access should be readonly
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow netd fs_bpf_netd_readonly:file write;
+
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
+# netutils_wrapper requires access to be able to run iptables and only needs readonly access
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow netutils_wrapper fs_bpf_netd_shared:file write;
+
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
+
+# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
 
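Review bot: The kept line `# Unfortunately init/vendor_init have all sorts of extra privs` now sits between the new `NEVER ALLOW RULES` header and a blank line, detached from the fs_bpf_tethering rule it used to introduce, and reads as a fragment of the header; fold it into the header block (`# network_stack itself is entirely mainline code.` / `# Unfortunately init/vendor_init have all sorts of extra privs,` / `# hence their exemptions in the rules below.`) and drop the blank line after it. The four T+ blocks are the same six-line pattern with different exemption sets; an m4 macro taking the type and the exemption list would keep the `:dir ~getattr` / `:file *` / `~{ map open read setattr }` shape from drifting between them as types are added. The tun device rules and their VPN comment duplicate the system_server rules in this change; a short comment naming which part of network_stack drives the tun device would justify the `TUNSETIFF`/`TUNSETLINK`/`TUNSETCARRIER` allowlist here.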
diff --git a/private/platform_app.te b/private/platform_app.te
index b723633..6112ae0 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -113,10 +113,6 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/private/property_contexts b/private/property_contexts
index f19a60a..1b2360d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1205,6 +1205,9 @@
 framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
 framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
 
+# Framework configuration properties.
+framework.pause_bg_animations.enabled         u:object_r:framework_status_prop:s0 exact bool
+
 gsm.operator.iso-country       u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.iso-country   u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
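Review bot: The new comment says `# Framework configuration properties.` while the type it introduces is named framework_status_prop, is declared with `system_public_prop` and becomes readable by every domain through `get_prop(domain, framework_status_prop)` elsewhere in this change; the comment and the type name should agree, e.g. `# Framework status properties (readable by all domains).` No `set_prop` for framework_status_prop appears in the diff, so the writer presumably lives outside this change; confirm who sets it and that world-readability is intended.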
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 43b69d2..f49eb63 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -10,5 +10,6 @@
 
 allow remote_prov_app {
     app_api_service
+    mediametrics_service
     remoteprovisioning_service
 }:service_manager find;
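Review bot: `mediametrics_service` is added to the find set without a comment, and it is not obvious why the remote provisioning app needs the media metrics service. Suggest a trailing comment on the new line, `mediametrics_service  # <reason remote_prov_app talks to mediametrics — fill in>`, or a comment above the rule, so the grant can be pruned if that dependency goes away.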
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 193ab51..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -164,10 +164,19 @@
     domain
     -init
     -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+    domain
+    -init
+    -installd
     -sdk_sandbox
     -system_server
     -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
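Review bot: Exempting `-zygote` from the second neverallow drops the guarantee for all of `create_dir_perms` as well as `relabelto`, although the zygote.te hunk in this change only grants zygote `{ search relabelto }` on sdk_sandbox_system_data_file. Splitting that rule keeps the create/delete guarantee for zygote while permitting the relabel; the rewritten rules are below. The `neverallow {` opener of the first rule in this hunk lies above the hunk.
```sepolicy
neverallow {
    domain
    -init
    -installd
    -sdk_sandbox
    -system_server
    -vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir create_dir_perms;

neverallow {
    domain
    -init
    -installd
    -sdk_sandbox
    -system_server
    -vold_prepare_subdirs
    -zygote
} sdk_sandbox_system_data_file:dir relabelto;
```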
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -74,13 +74,9 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
 perfetto_producer(surfaceflinger)
 
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..77cca3d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,10 +176,6 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_server.te b/private/system_server.te
index ba097f2..0f72c7f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -15,11 +15,6 @@
 
 userfaultfd_use(system_server)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
@@ -159,11 +154,14 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
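Review bot: `nlmsg_write` is added to the tcpdiag socket rule but the comment above it still says the socket is used `for looking up connection UIDs`, which needs only nlmsg_read; the write side should be named (presumably socket-destroy requests — confirm) so the next reader knows why it is there, e.g. `# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps` / `# and for sending <purpose> requests (nlmsg_write).` The new `allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;` is the only socket rule in this section without a comment.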
@@ -180,6 +178,9 @@
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };
 # signull allowed for kill(pid, 0) existence test.
@@ -472,9 +473,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;
@@ -1148,7 +1149,8 @@
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
-allow system_server fs_bpf:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
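Review bot: system_server is granted `write` on fs_bpf_netd_readonly, whose name reads as read-only; the neverallow comment in private/network_stack.te in this change clarifies that only netd's access is read-only, but a reader of this file cannot see that. Suggest extending the comment above the rule with `# fs_bpf_netd_readonly is read-only for netd only; system_server and network_stack write it`. The comment block above the rule begins outside the hunk.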
diff --git a/private/zygote.te b/private/zygote.te
index c5ba180..41245c2 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,9 +62,10 @@
 # Bind mount on /data/data and mounted volumes
 allow zygote { system_data_file mnt_expand_file }:dir mounton;
 
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
 
 # Zygote opens /mnt/expand to mount CE DE storage on each vol
 allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
   app_data_file_type
   system_data_file
   mnt_expand_file
+  sdk_sandbox_system_data_file
 }:dir getattr;
 
 # Allow zygote to create JIT memory.
diff --git a/public/app.te b/public/app.te
index da24012..de3d0ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -53,7 +53,8 @@
 # These messages are broadcast messages from the kernel to userspace.
 # Do not allow the writing of netlink messages, which has been a source
 # of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+    domain:netlink_kobject_uevent_socket { write append };
 
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
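Review bot: The exemption `{ appdomain -network_stack }` drops the rule for network_stack entirely, although the grant that motivates it (private/network_stack.te in this change) is only on `self:netlink_kobject_uevent_socket`; the guarantee for sockets owned by other domains can be kept with `neverallow network_stack { domain -network_stack }:netlink_kobject_uevent_socket { write append };`. The comment above the rule, which records that uevent writes have been a rooting vector, should also say why network_stack is now trusted with them, e.g. `# network_stack is exempted because it needs its own uevent socket; see private/network_stack.te.`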
diff --git a/public/attributes b/public/attributes
index 906dbcd..742264a 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,6 +10,9 @@
 # TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute bdev_type;
 
+# Attribute for all bpf filesystem subtypes.
+attribute bpffs_type;
+
 # All types used for processes.
 attribute domain;
 
diff --git a/public/domain.te b/public/domain.te
index 6258c7a..8e1fcf7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -116,6 +116,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
 get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f30..47b63e6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -112,6 +112,9 @@
   sysfs_zram
 }:file r_file_perms;
 
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
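Review bot: `dontaudit dumpstate sysfs:file r_file_perms;` silences every denied read of a generic-labelled sysfs node by dumpstate, including the denials that would otherwise reveal a sysfs file that should carry a specific sysfs_* label; a dontaudit this broad is usually reserved for a known-noisy set of paths. If the noise comes from known nodes, a narrower label or at least a comment naming them (`# Ignore other file access under /sys: dumpstate walks <paths> and those denials are expected`) would keep the audit trail useful for the rest of sysfs.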
diff --git a/public/file.te b/public/file.te
index 9d333f5..2bfa282 100644
--- a/public/file.te
+++ b/public/file.te
@@ -129,9 +129,10 @@
 userdebug_or_eng(`
     typeattribute sysfs_vendor_sched mlstrustedobject;
 ')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type fs_bpf_vendor, fs_type;
+type fs_bpf, fs_type, bpffs_type;
+# TODO: S+ fs_bpf_tethering (used by mainline) should be private
+type fs_bpf_tethering, fs_type, bpffs_type;
+type fs_bpf_vendor, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 51cce4e..d46e485 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -2438,6 +2438,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')
diff --git a/public/netd.te b/public/netd.te
index 64b4c7d..7c7655e 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,6 @@
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:file { read write };
-
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
diff --git a/public/property.te b/public/property.te
index b18f142..a235634 100644
--- a/public/property.te
+++ b/public/property.te
@@ -199,6 +199,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 0a87a13..e940681 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,7 +18,8 @@
 import policy
 import re
 import sys
-import distutils.ccompiler
+
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 
 #############################################################
 # Tests
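Review bot: `SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'` is defined identically here and in tests/treble_sepolicy_tests.py in this change; both files already import `policy`, which is the natural home for one shared constant. The replacement also narrows the old distutils behaviour to darwin-versus-everything-else, which is fine for the Linux/macOS hosts the build supports but deserves a comment, e.g. `# Host builds run on Linux or macOS only; replaces distutils.ccompiler.shared_lib_extension.`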
@@ -44,6 +45,9 @@
 
     return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
 
+def TestBpffsTypeViolations(pol):
+    return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")
+
 def TestProcTypeViolations(pol):
     return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
 
@@ -128,6 +132,7 @@
             Option.take_action(self, action, dest, opt, value, values, parser)
 
 Tests = [
+    "TestBpffsTypeViolations",
     "TestDataTypeViolators",
     "TestProcTypeViolations",
     "TestSysfsTypeViolations",
@@ -154,7 +159,7 @@
     (options, args) = parser.parse_args()
 
     libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
-        "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+                           "libsepolwrap" + SHARED_LIB_EXTENSION)
     if not os.path.exists(libpath):
         sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
 
@@ -175,6 +180,8 @@
 
     results = ""
     # If an individual test is not specified, run all tests.
+    if options.test is None or "TestBpffsTypeViolations" in options.test:
+        results += TestBpffsTypeViolations(pol)
     if options.test is None or "TestDataTypeViolations" in options.test:
         results += TestDataTypeViolations(pol)
     if options.test is None or "TestProcTypeViolations" in options.test:
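Review bot: The new `if options.test is None or "TestBpffsTypeViolations" in options.test:` line extends a chain that has to be kept in sync by hand with the `Tests` list in the hunk at line 1153; the existing list entry `TestDataTypeViolators` already differs from the function `TestDataTypeViolations` dispatched here, which looks pre-existing but shows the risk. A loop over the list, `for name in (Tests if options.test is None else options.test): results += globals()[name](pol)`, would remove the duplication once that entry is fixed. The enclosing function starts above the hunk.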
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index a3bf661..64a9e95 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,9 +20,9 @@
 from policy import MatchPathPrefix
 import re
 import sys
-import distutils.ccompiler
 
 DEBUG=False
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 
 '''
 Use file_contexts and policy to verify Treble requirements
@@ -375,7 +375,7 @@
                     parser.usage)
 
     libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
-        "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+                           "libsepolwrap" + SHARED_LIB_EXTENSION)
     if not os.path.exists(libpath):
         sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")