Merge "webview: Add cgroup setattr of file permission" into main
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 9c13bd5..afe9f51 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,3 +3,4 @@
 /bin/fd_server             u:object_r:fd_server_exec:s0
 /bin/virtmgr               u:object_r:virtualizationmanager_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
+/bin/vfio_handler          u:object_r:vfio_handler_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f7e67d8..5e0aae1 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -170,7 +170,9 @@
 		"android.security.metrics":                                        EXCEPTION_NO_FUZZER,
 		"android.service.gatekeeper.IGateKeeperService":                   []string{"gatekeeperd_service_fuzzer"},
 		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
+		// TODO(b/294158658): add fuzzer
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
+		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,
 		"app_binding":                                                     EXCEPTION_NO_FUZZER,
 		"app_hibernation":                                                 EXCEPTION_NO_FUZZER,
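Review bot: The new `IVfioHandler` entry is registered as EXCEPTION_NO_FUZZER with no bug reference of its own, while the TODO on the line above reads as if it covers only `android.system.virtualizationservice`. Given that the vfio_handler.te header in this same change says its work requires root, an unfuzzed root-privileged binder interface is exactly the kind of exception that should be tracked explicitly. Either move the TODO so it clearly spans both lines, or give the new entry its own `// TODO(b/294158658): add fuzzer` (or a separate bug) so the exception does not silently outlive the work.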
@@ -178,6 +180,7 @@
 		"app_prediction":                                                  EXCEPTION_NO_FUZZER,
 		"app_search":                                                      EXCEPTION_NO_FUZZER,
 		"apexservice":                                                     EXCEPTION_NO_FUZZER,
+		"archive":                                                         EXCEPTION_NO_FUZZER,
 		"attestation_verification":                                        EXCEPTION_NO_FUZZER,
 		"blob_store":                                                      EXCEPTION_NO_FUZZER,
 		"gsiservice":                                                      EXCEPTION_NO_FUZZER,
@@ -341,6 +344,7 @@
 		"oem_lock":                     EXCEPTION_NO_FUZZER,
 		"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
 		"otadexopt":                    EXCEPTION_NO_FUZZER,
+		"ot_daemon":                    []string{"ot_daemon_service_fuzzer"},
 		"overlay":                      EXCEPTION_NO_FUZZER,
 		"pac_proxy":                    EXCEPTION_NO_FUZZER,
 		"package":                      EXCEPTION_NO_FUZZER,
@@ -368,6 +372,7 @@
 		"rcs":                          EXCEPTION_NO_FUZZER,
 		"reboot_readiness":             EXCEPTION_NO_FUZZER,
 		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_auth":                  EXCEPTION_NO_FUZZER,
 		"remote_provisioning":          EXCEPTION_NO_FUZZER,
 		"resolver":                     EXCEPTION_NO_FUZZER,
 		"resources":                    EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 80d48da..aa8a56c 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1604,7 +1604,7 @@
 (typeattributeset default_android_vndservice_34_0 (default_android_vndservice))
 (typeattributeset default_prop_34_0 (default_prop))
 (typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant))
-(typeattributeset device_34_0 (device))
+(typeattributeset device_34_0 (device vfio_device))
 (typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop))
 (typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop))
 (typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 47d6719..7558604 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -5,8 +5,11 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    archive_service
     ota_build_prop
     snapuserd_log_data_file
     hal_threadnetwork_service
     virtual_camera_service
+    ot_daemon_service
+    remote_auth_service
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..f9b47df 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -150,6 +150,7 @@
     -apexd
     -init
     -ueventd
+    -vfio_handler
     -vold
   } sysfs:file no_rw_file_perms;
 
diff --git a/private/crosvm.te b/private/crosvm.te
index 8a6bd24..2d9a688 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -84,7 +84,7 @@
 # crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
 # forward console/log to the host logcat).
 # crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file read;
+dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
 
 # Required for crosvm to start gdb-server to enable debugging of guest kernel.
 allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -92,6 +92,14 @@
 allow crosvm adbd:unix_stream_socket ioctl;
 allow crosvm node:tcp_socket node_bind;
 
+# Allow crosvm to interact to VFIO device
+allow crosvm vfio_device:chr_file rw_file_perms;
+allow crosvm vfio_device:dir r_dir_perms;
+
+# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
+allow crosvm virtualizationmanager:fd use;
+allow crosvm virtualizationservice_data_file:file read;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
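Review bot: The new `allow crosvm virtualizationservice_data_file:file read;` deliberately omits `open`, so crosvm can only use a DTBO fd handed over by virtualizationmanager, but nothing pins that down the way vfio_handler.te does for its own domain in this change; a `neverallow crosvm virtualizationservice_data_file:file { open create };` next to the rule would make the fd-only model enforceable rather than implicit, and it matches the "Don't allow crosvm to open files that it doesn't own" intent of the comment that follows. The `vfio_device:chr_file rw_file_perms` grant does include `open` and unrestricted `ioctl`; if crosvm must open `/dev/vfio/*` itself this is presumably required, but a short comment saying so (and why the fd-passing model does not apply here) would help the next reader. Minor wording: `# Allow crosvm to interact with VFIO devices`.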
diff --git a/private/file_contexts b/private/file_contexts
index 0bae96e..544d051 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -32,6 +32,7 @@
 /second_stage_resources u:object_r:tmpfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
+/bootstrap-apex     u:object_r:apex_mnt_dir:s0
 
 # Postinstall directories
 /postinstall         u:object_r:postinstall_mnt_dir:s0
@@ -190,6 +191,7 @@
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
+/dev/vfio(/.*)?		u:object_r:vfio_device:s0
 /dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index b22ff90..cdf5486 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,4 +17,12 @@
 allow ot_daemon threadnetwork_data_file:file create_file_perms;
 allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
 
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
 hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)
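Review bot: The comment `# Only ot_daemon can publish the binder service` describes a guarantee the policy does not actually assert: `add_service` grants the `add`, but only a neverallow makes "only" true, e.g. `neverallow { domain -ot_daemon } ot_daemon_service:service_manager add;` as vfio_handler.te does for its service in this same change. The `tun_device:chr_file { read write }` grant has no `open`, which suggests the tunnel fd is passed in from another domain; a comment naming that (presumably system_server, given the binder_call pairing) would document the assumption, since a later "harmless" addition of `open` would change the trust model.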
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
 # Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
 get_prop(otapreopt_chroot, apexd_prop)
 
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
 allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
 allow otapreopt_chroot update_engine:fd use;
 allow otapreopt_chroot update_engine:fifo_file write;
 
diff --git a/private/property_contexts b/private/property_contexts
index 3400597..32b5eee 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1143,6 +1143,7 @@
 ro.crypto.type  u:object_r:vold_status_prop:s0 exact enum block file managed none
 
 ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+ro.property_service.async_persist_writes u:object_r:build_config_prop:s0 exact bool
 
 ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
 
diff --git a/private/runas_app.te b/private/runas_app.te
index a5f47f4..9142a19 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -30,3 +30,6 @@
 # processes, but not the whole system.
 allow runas_app self:perf_event { open read write kernel };
 neverallow runas_app self:perf_event ~{ open read write kernel };
+
+# Suppress bionic loader denial /data/local/tests directories.
+dontaudit runas_app shell_test_data_file:dir search;
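Review bot: The comment is missing a word and does not say what is being suppressed or why it is safe to ignore: `# Suppress bionic loader denials when it searches /data/local/tests directories; the search is not needed for runas_app to work.` Since a dontaudit hides a real access attempt, the comment should make clear the denial is benign rather than something a future reader might "fix" by converting it to an allow.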
diff --git a/private/service.te b/private/service.te
index f07400b..ccb9e17 100644
--- a/private/service.te
+++ b/private/service.te
@@ -21,4 +21,5 @@
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
 type tracingproxy_service,          system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
+type vfio_handler_service,          service_manager_type;
 type uce_service,                   service_manager_type;
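Review bot: Style only: the surrounding list is alphabetical and `vfio_handler_service` is inserted before `uce_service`; it belongs after it. Moving the line keeps the block scannable and avoids a duplicate being added later by someone searching for it in the expected position.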
diff --git a/private/service_contexts b/private/service_contexts
index 94f913d..c5d8082 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -147,6 +147,7 @@
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0
+android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
@@ -154,6 +155,7 @@
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
 apexservice                               u:object_r:apex_service:s0
+archive                                   u:object_r:archive_service:s0
 attestation_verification                  u:object_r:attestation_verification_service:s0
 blob_store                                u:object_r:blob_store_service:s0
 gsiservice                                u:object_r:gsi_service:s0
@@ -317,6 +319,7 @@
 oem_lock                                  u:object_r:oem_lock_service:s0
 ondevicepersonalization_system_service    u:object_r:ondevicepersonalization_system_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
+ot_daemon                                 u:object_r:ot_daemon_service:s0
 overlay                                   u:object_r:overlay_service:s0
 pac_proxy                                 u:object_r:pac_proxy_service:s0
 package                                   u:object_r:package_service:s0
@@ -344,6 +347,7 @@
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_auth                               u:object_r:remote_auth_service:s0
 remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index c7190b5..dc6d322 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -296,6 +296,7 @@
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, ot_daemon)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
@@ -954,6 +955,7 @@
 allow system_server mediatuner_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
+allow system_server ot_daemon_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
 allow system_server storaged_service:service_manager find;
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
new file mode 100644
index 0000000..2a0bd37
--- /dev/null
+++ b/private/vfio_handler.te
@@ -0,0 +1,31 @@
+# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+type vfio_handler, domain, coredomain;
+type vfio_handler_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+init_daemon_domain(vfio_handler)
+
+# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+add_service(vfio_handler, vfio_handler_service)
+
+# Let the vfio_handler domain use Binder.
+binder_use(vfio_handler)
+
+# Allow vfio_handler to check if VFIO is supported
+allow vfio_handler vfio_device:chr_file getattr;
+allow vfio_handler vfio_device:dir r_dir_perms;
+
+# Allow vfio_handler to bind/unbind platform devices
+allow vfio_handler sysfs:dir r_dir_perms;
+allow vfio_handler sysfs:file rw_file_perms;
+
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
+allow vfio_handler virtualizationmanager:fd use;
+allow vfio_handler virtualizationservice_data_file:file write;
+
+# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+neverallow vfio_handler virtualizationservice_data_file:file { open create };
+
+# Only vfio_handler can add vfio_handler_service
+neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
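Review bot: `allow vfio_handler sysfs:file rw_file_perms;` grants read/write/open/ioctl on every file carrying the generic `sysfs` label, which for a daemon whose own header says its tasks require root is much broader than the bind/unbind operations the comment describes; the matching carve-out of `-vfio_handler` from the coredomain sysfs neverallow widens that hole policy-wide. The usual approach is a dedicated type for the specific driver bind/unbind nodes (via a `genfscon` entry for the relevant `/sys/bus/platform/drivers/...` paths) and granting `rw_file_perms` only on that type, leaving generic `sysfs` read-only. If a dedicated label is not feasible yet, a comment stating the exact sysfs paths written and a TODO with a bug to narrow it would at least record the intent.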
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 561e778..14662fa 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
+# Let virtualizationservice find and communicate with vfio_handler.
+allow virtualizationservice vfio_handler_service:service_manager find;
+binder_call(virtualizationservice, vfio_handler)
+
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
 allow virtualizationservice permission_service:service_manager find;
@@ -31,6 +35,7 @@
 # directories, it needs the permission to unlink the files created by virtualizationmanager.
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
 allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
+allow virtualizationservice virtualizationservice_data_file:file write;
 
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
@@ -54,6 +59,13 @@
 allow virtualizationservice tombstone_data_file:file { append getattr };
 allow virtualizationservice tombstoned:fd use;
 
+# Allow virtualizationservice to check if VFIO is supported
+allow virtualizationservice vfio_device:chr_file getattr;
+allow virtualizationservice vfio_device:dir r_dir_perms;
+
+# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
+allow virtualizationservice virtualizationmanager:fd use;
+
 neverallow {
   domain
   -init
@@ -72,3 +84,6 @@
   -virtualizationmanager
   -virtualizationservice
 }:process setrlimit;
+
+# Only virtualizationservice can communicate to vfio_handler
+neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
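Review bot: The neverallow restricts `binder call` to vfio_handler but not discovery of its service, so another domain could still be granted `vfio_handler_service:service_manager find` without tripping a rule; `neverallow { domain -virtualizationservice } vfio_handler_service:service_manager find;` alongside it would make the "only virtualizationservice" statement complete. Wording: `# Only virtualizationservice can communicate with vfio_handler`. The `setrlimit` neverallow block immediately above this hunk begins outside it.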
diff --git a/private/vold.te b/private/vold.te
index 957e5d0..4256ac3 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -7,6 +7,10 @@
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
 domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
 
+# Switch to e2fs domain when running mkfs.ext4 to format a partition
+domain_auto_trans(vold, e2fs_exec, e2fs);
+
+
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
 domain_trans(vold, blkid_exec, blkid);
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ddb2828..0dcbe50 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -53,6 +53,12 @@
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
 
+# vold_prepare_subdirs asks apex_service for the list of APEXes
+# to prepapre apexdata dirs.
+binder_use(vold_prepare_subdirs)
+binder_call(vold_prepare_subdirs, apexd)
+allow vold_prepare_subdirs apex_service:service_manager find;
+
 # Migrate legacy labels to apex_system_server_data_file (b/217581286)
 allow vold_prepare_subdirs {
   apex_appsearch_data_file
diff --git a/public/apexd.te b/public/apexd.te
index 53bc569..0b8073e 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -5,7 +5,7 @@
 binder_use(apexd)
 add_service(apexd, apex_service)
 
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine -vold_prepare_subdirs} apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine -vold_prepare_subdirs} apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
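Review bot: Style: both edited neverallows drop the space before the closing brace (`-vold_prepare_subdirs}`), unlike every other set expression in this file; write `-vold_prepare_subdirs }` on both lines. A short comment next to the new exclusion stating why vold_prepare_subdirs needs apexd (it queries the APEX list to prepare apexdata directories, per the vold_prepare_subdirs.te hunk) would keep the rationale next to the neverallow it relaxes.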
diff --git a/public/device.te b/public/device.te
index fa29256..36299d3 100644
--- a/public/device.te
+++ b/public/device.te
@@ -129,3 +129,6 @@
 
 # Root disk file for disk tunables
 type rootdisk_sysdev, dev_type;
+
+# vfio device
+type vfio_device, dev_type;
diff --git a/public/e2fs.te b/public/e2fs.te
index 6bce10f..973abb9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,6 +9,12 @@
 allow e2fs metadata_block_device:blk_file rw_file_perms;
 allow e2fs dm_device:blk_file rw_file_perms;
 allow e2fs zoned_block_device:blk_file rw_file_perms;
+# Vold needs to capture mkfs.ext4's output
+allow e2fs vold:fd use;
+# Need to be able to format a partition
+allow e2fs sysfs_dm:dir r_dir_perms;
+allow e2fs sysfs_dm:file r_file_perms;
+
 allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
 };
diff --git a/public/service.te b/public/service.te
index fa19abc..e2e9abc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
+type ot_daemon_service,         service_manager_type;
 type radio_service,             service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;
@@ -70,6 +71,7 @@
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type archive_service, app_api_service, system_server_service, service_manager_type;
 type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
 type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -197,6 +199,7 @@
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_auth_service, app_api_service, system_server_service, service_manager_type;
 type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;