Merge "Changes in SELinux Policy for CSS API" into main
diff --git a/Android.bp b/Android.bp
index 6c8fa2a..88107cc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -103,6 +103,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_policy,
installable: false,
}
@@ -138,6 +139,7 @@
//
se_policy_conf {
name: "pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -157,6 +159,7 @@
se_policy_conf {
name: "system_ext_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
@@ -175,6 +178,7 @@
se_policy_conf {
name: "plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
installable: false,
@@ -195,6 +199,7 @@
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
installable: false,
@@ -210,6 +215,7 @@
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "userdebug",
@@ -260,6 +266,7 @@
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -280,6 +287,7 @@
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -348,6 +356,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -389,6 +398,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -598,6 +608,7 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -634,6 +645,7 @@
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -650,6 +662,7 @@
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -675,6 +688,7 @@
se_policy_conf {
name: "base_product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -704,6 +718,7 @@
se_policy_conf {
name: "base_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
build_variant: "user",
@@ -723,6 +738,7 @@
se_policy_conf {
name: "base_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -770,6 +786,7 @@
se_neverallow_test {
name: "sepolicy_neverallows",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -816,3 +833,45 @@
"-p $(location :precompiled_sepolicy) && " +
"touch $(out)",
}
+
+//////////////////////////////////
+// TestDevTypeViolations can't run on old devices (V or before)
+//////////////////////////////////
+
+soong_config_module_type {
+ name: "dev_type_test_genrule",
+ module_type: "genrule",
+ config_namespace: "ANDROID",
+ bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
+ properties: ["cmd"],
+}
+
+dev_type_test_genrule {
+ name: "sepolicy_dev_type_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_dev_type_test"],
+ soong_config_variables: {
+ CHECK_DEV_TYPE_VIOLATIONS: {
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) " +
+ "-t TestDevTypeViolations && " +
+ "touch $(out)",
+ conditions_default: {
+ cmd: "touch $(out)",
+ },
+ },
+ },
+}
diff --git a/Android.mk b/Android.mk
index 384c416..2e327c2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -240,6 +240,7 @@
# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
@@ -444,15 +445,13 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
-# modules with m4 with a tmp file called file_contexts.modules.tmp.
-# 3. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
-# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
+# into file_contexts.concat.tmp.
+# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
@@ -488,10 +487,6 @@
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
-# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
-file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-
device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -515,8 +510,7 @@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(call merge-fc-files,\
- $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
- $(file_contexts.concat.tmp))
+ $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -530,7 +524,6 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
-file_contexts.modules.tmp :=
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
diff --git a/apex/Android.bp b/apex/Android.bp
index 21054fc..04fd5f6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -205,11 +205,10 @@
],
}
-filegroup {
+file_contexts {
name: "com.android.virt-file_contexts",
- srcs: [
- "com.android.virt-file_contexts",
- ],
+ defaults: ["contexts_flags_defaults"],
+ srcs: ["com.android.virt-file_contexts"],
}
filegroup {
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index ada6c3b..83d081a 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -9,4 +9,5 @@
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/oatdump u:object_r:oatdump_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index afe9f51..78720aa 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,4 +3,6 @@
/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
-/bin/vfio_handler u:object_r:vfio_handler_exec:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ /bin/vfio_handler u:object_r:vfio_handler_exec:s0
+')
diff --git a/apex/com.android.webview.bootstrap-file_contexts b/apex/com.android.webview.bootstrap-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.webview.bootstrap-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 83b31b4..0abfdf6 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,6 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
+ "flags.go",
"mac_permissions.go",
"policy.go",
"selinux.go",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 1f7901b..baad413 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -129,6 +129,7 @@
// current policy.
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
+ f.AddProperties(&f.properties)
android.InitAndroidModule(f)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
@@ -138,6 +139,10 @@
type compatTestModule struct {
android.SingletonModuleBase
+ properties struct {
+ // Default modules for conf
+ Defaults []string
+ }
compatTestTimestamp android.ModuleOutPath
}
@@ -157,6 +162,10 @@
":se_build_files{.reqd_mask}",
},
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: f.properties.Defaults,
})
ctx.CreateModule(policyCilFactory, &nameProperties{
diff --git a/build/soong/flags.go b/build/soong/flags.go
new file mode 100644
index 0000000..b1aebac
--- /dev/null
+++ b/build/soong/flags.go
@@ -0,0 +1,54 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "android/soong/android"
+)
+
+type flagsProperties struct {
+ // List of flags to be passed to M4 macro.
+ Flags []string
+}
+
+type flaggableModule interface {
+ android.Module
+ flagModuleBase() *flaggableModuleBase
+ getBuildFlags(ctx android.ModuleContext) map[string]string
+}
+
+type flaggableModuleBase struct {
+ properties flagsProperties
+}
+
+func initFlaggableModule(m flaggableModule) {
+ base := m.flagModuleBase()
+ m.AddProperties(&base.properties)
+}
+
+func (f *flaggableModuleBase) flagModuleBase() *flaggableModuleBase {
+ return f
+}
+
+// getBuildFlags returns a map from flag names to flag values.
+func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
+ ret := make(map[string]string)
+ for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
+ if val, ok := ctx.Config().GetBuildFlag(flag); ok {
+ ret[flag] = val
+ }
+ }
+ return ret
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 0793e2a..9d87275 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -58,6 +58,7 @@
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
+ android.RegisterModuleType("se_policy_conf_defaults", policyConfDefaultFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
@@ -93,6 +94,8 @@
type policyConf struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties policyConfProperties
@@ -100,12 +103,35 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*policyConf)(nil)
+
// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
// checkpolicy.
func policyConfFactory() android.Module {
c := &policyConf{}
c.AddProperties(&c.properties)
+ initFlaggableModule(c)
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(c)
+ return c
+}
+
+type policyConfDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// se_policy_conf_defaults provides a set of properties that can be inherited by other
+// se_policy_conf_defaults modules. A module can use the properties from a se_policy_conf_defaults
+// using `defaults: ["<:default_module_name>"]`. Properties of both modules are merged (when
+// possible) by prepending the default module's values to the depending module's values.
+func policyConfDefaultFactory() android.Module {
+ c := &policyConfDefaults{}
+ c.AddProperties(
+ &policyConfProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(c)
return c
}
@@ -216,6 +242,7 @@
return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
})
+ flags := c.getBuildFlags(ctx)
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
@@ -234,6 +261,7 @@
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
+ Flags(flagsToM4Macros(flags)).
Flag("-s").
Inputs(srcs).
Text("> ").Output(conf)
@@ -242,10 +270,6 @@
return conf
}
-func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !c.installable() {
c.SkipInstall()
diff --git a/build/soong/selinux.go b/build/soong/selinux.go
index 5fbe01eb..f811231 100644
--- a/build/soong/selinux.go
+++ b/build/soong/selinux.go
@@ -40,3 +40,13 @@
return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
}
+
+// flagsToM4Macros converts given map to a list of M4's -D parameters to guard te files and contexts
+// files.
+func flagsToM4Macros(flags map[string]string) []string {
+ flagMacros := []string{}
+ for _, flag := range android.SortedKeys(flags) {
+ flagMacros = append(flagMacros, "-D target_flag_"+flag+"="+flags[flag])
+ }
+ return flagMacros
+}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index de7355c..5cc9c70 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,7 +17,6 @@
import (
"fmt"
"io"
- "os"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -59,6 +58,8 @@
type selinuxContextsModule struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties selinuxContextsProperties
seappProperties seappProperties
@@ -68,6 +69,8 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*selinuxContextsModule)(nil)
+
var (
reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
@@ -76,6 +79,7 @@
func init() {
pctx.HostBinToolVariable("fc_sort", "fc_sort")
+ android.RegisterModuleType("contexts_defaults", contextsDefaultsFactory)
android.RegisterModuleType("file_contexts", fileFactory)
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
@@ -155,13 +159,35 @@
&m.properties,
&m.seappProperties,
)
+ initFlaggableModule(m)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(m)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
m.selinuxContextsHook(ctx)
})
return m
}
+type contextsDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// contexts_defaults provides a set of properties that can be inherited by other contexts modules.
+// (file_contexts, property_contexts, seapp_contexts, etc.) A module can use the properties from a
+// contexts_defaults using `defaults: ["<:default_module_name>"]`. Properties of both modules are
+// erged (when possible) by prepending the default module's values to the depending module's values.
+func contextsDefaultsFactory() android.Module {
+ m := &contextsDefaults{}
+ m.AddProperties(
+ &selinuxContextsProperties{},
+ &seappProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(m)
+ return m
+}
+
func (m *selinuxContextsModule) selinuxContextsHook(ctx android.LoadHookContext) {
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
@@ -245,10 +271,12 @@
inputsWithNewline = append(inputsWithNewline, input, newlineFile)
}
+ flags := m.getBuildFlags(ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
@@ -309,7 +337,7 @@
return m.buildGeneralContexts(ctx, inputs)
}
-func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, input android.Path) android.Path {
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
@@ -350,37 +378,33 @@
}
}
- var ret android.Paths
- for _, input := range inputs {
- cmd := rule.Command().
- BuiltTool("check_prop_prefix").
- FlagWithInput("--property-contexts ", input).
- FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
- FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
- if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
- cmd.Flag("--strict")
- }
-
- out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
- rule.Command().Text("cp -f").Input(input).Output(out)
- ret = append(ret, out)
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
}
+
+ out := pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")
+ rule.Command().Text("cp -f").Input(input).Output(out)
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
- return ret
+ return out
}
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
// vendor/odm, make sure that only vendor/odm properties exist.
+ builtCtxFile := m.buildGeneralContexts(ctx, inputs)
+
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
- inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ builtCtxFile = m.checkVendorPropertyNamespace(ctx, builtCtxFile)
}
- builtCtxFile := m.buildGeneralContexts(ctx, inputs)
-
var apiFiles android.Paths
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
@@ -429,23 +453,39 @@
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
- ret := pathForModuleOut(ctx, m.stem())
+ ret := pathForModuleOut(ctx, "checkseapp", m.stem())
+ // Step 1. Generate a M4 processed neverallow file
+ flags := m.getBuildFlags(ctx)
+ m4NeverallowFile := pathForModuleOut(ctx, "neverallow.m4out")
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("(grep").
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Flag("--fatal-warnings").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ FlagWithOutput("> ", m4NeverallowFile)
+
+ rule.Temporary(m4NeverallowFile)
+ rule.Command().
+ Text("( grep").
Flag("-ihe").
Text("'^neverallow'").
- Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
- Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Input(m4NeverallowFile).
Text(">").
Output(neverallowFile).
- Text("|| true)") // to make ninja happy even when result is empty
+ Text("|| true )") // to make ninja happy even when result is empty
+ // Step 2. Generate a M4 processed contexts file
+ builtCtx := m.buildGeneralContexts(ctx, inputs)
+
+ // Step 3. checkseapp
rule.Temporary(neverallowFile)
checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
- Inputs(inputs).
+ Input(builtCtx).
Input(neverallowFile)
if m.shouldCheckCoredomain(ctx) {
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 385d6af..e1e8956 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -45,18 +45,16 @@
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) shouldSkip(ctx android.EarlyModuleContext) bool {
- platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
- totVersion := ctx.DeviceConfig().TotSepolicyVersion()
-
- return platformVersion == totVersion
+func (f *freezeTestModule) shouldRunTest(ctx android.EarlyModuleContext) bool {
+ val, _ := ctx.Config().GetBuildFlag("RELEASE_BOARD_API_LEVEL_FROZEN")
+ return val == "true"
}
func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- if f.shouldSkip(ctx) {
+ if !f.shouldRunTest(ctx) {
if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
return
@@ -76,7 +74,7 @@
}
func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- if f.shouldSkip(ctx) {
+ if !f.shouldRunTest(ctx) {
return
}
@@ -118,7 +116,7 @@
func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if f.shouldSkip(ctx) {
+ if !f.shouldRunTest(ctx) {
// we still build a rule to prevent possible regression
android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
return
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index fc47ab3..6e159e9 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -29,6 +29,9 @@
}
type neverallowTestProperties struct {
+ // Default modules for conf
+ Defaults []string
+
// Policy files to be tested.
Srcs []string `android:"path"`
}
@@ -79,6 +82,10 @@
Srcs: n.properties.Srcs,
Build_variant: proptools.StringPtr("user"),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
@@ -89,6 +96,10 @@
Build_variant: proptools.StringPtr("user"),
Exclude_build_test: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
}
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index ff2b9c7..31c6bf1 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -51,6 +51,9 @@
"android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
@@ -70,6 +73,7 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
"android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
"android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
@@ -114,10 +118,12 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
- "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": []string{"android.hardware.authgraph-service.nonsecure_fuzzer"},
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
@@ -143,6 +149,7 @@
"android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.vibrator.IVibratorControlService/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
"android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
"android.system.net.netd.INetd/default": []string{"netd_hw_service_fuzzer"},
@@ -151,6 +158,7 @@
"account": EXCEPTION_NO_FUZZER,
"activity": EXCEPTION_NO_FUZZER,
"activity_task": EXCEPTION_NO_FUZZER,
+ "adaptive_auth": EXCEPTION_NO_FUZZER,
"adb": EXCEPTION_NO_FUZZER,
"adservices_manager": EXCEPTION_NO_FUZZER,
"aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
@@ -175,6 +183,7 @@
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
// TODO(b/294158658): add fuzzer
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
@@ -256,6 +265,7 @@
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
"euicc_card_controller": EXCEPTION_NO_FUZZER,
"external_vibrator_service": EXCEPTION_NO_FUZZER,
@@ -309,10 +319,10 @@
"logd": EXCEPTION_NO_FUZZER,
"looper_stats": EXCEPTION_NO_FUZZER,
"lpdump_service": EXCEPTION_NO_FUZZER,
- "mdns": []string{"mdns_service_fuzzer"},
+ "mdns": EXCEPTION_NO_FUZZER,
"media.aaudio": EXCEPTION_NO_FUZZER,
- "media.audio_flinger": EXCEPTION_NO_FUZZER,
- "media.audio_policy": EXCEPTION_NO_FUZZER,
+ "media.audio_flinger": []string{"audioflinger_aidl_fuzzer"},
+ "media.audio_policy": []string{"audiopolicy_aidl_fuzzer"},
"media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
@@ -411,7 +421,7 @@
"slice": EXCEPTION_NO_FUZZER,
"smartspace": EXCEPTION_NO_FUZZER,
"speech_recognition": EXCEPTION_NO_FUZZER,
- "stats": EXCEPTION_NO_FUZZER,
+ "stats": []string{"statsd_service_fuzzer"},
"statsbootstrap": EXCEPTION_NO_FUZZER,
"statscompanion": EXCEPTION_NO_FUZZER,
"statsmanager": EXCEPTION_NO_FUZZER,
@@ -447,6 +457,7 @@
"translation": EXCEPTION_NO_FUZZER,
"transparency": EXCEPTION_NO_FUZZER,
"trust": EXCEPTION_NO_FUZZER,
+ "tv_ad": EXCEPTION_NO_FUZZER,
"tv_interactive_app": EXCEPTION_NO_FUZZER,
"tv_input": EXCEPTION_NO_FUZZER,
"tv_tuner_resource_mgr": EXCEPTION_NO_FUZZER,
@@ -460,11 +471,10 @@
"uwb": EXCEPTION_NO_FUZZER,
"vcn_management": EXCEPTION_NO_FUZZER,
"vibrator": EXCEPTION_NO_FUZZER,
- "vibrator_control": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
- "virtual_camera_service": EXCEPTION_NO_FUZZER,
+ "virtual_camera": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
diff --git a/compat/Android.bp b/compat/Android.bp
index 9768eb1..2c6239f 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -429,6 +429,7 @@
se_compat_test {
name: "sepolicy_compat_test",
+ defaults: ["se_policy_conf_flags_defaults"],
}
se_build_files {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 914232a..464c772 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -70,6 +70,7 @@
file_contexts {
name: "plat_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
product_variables: {
address_sanitize: {
@@ -83,6 +84,7 @@
file_contexts {
name: "plat_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
stem: "plat_file_contexts",
product_variables: {
@@ -98,6 +100,7 @@
file_contexts {
name: "vendor_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
@@ -108,6 +111,7 @@
file_contexts {
name: "vendor_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
@@ -119,12 +123,14 @@
file_contexts {
name: "system_ext_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
file_contexts {
name: "system_ext_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
@@ -132,12 +138,14 @@
file_contexts {
name: "product_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
}
file_contexts {
name: "product_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
@@ -145,6 +153,7 @@
file_contexts {
name: "odm_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
fc_sort: true,
@@ -152,6 +161,7 @@
file_contexts {
name: "odm_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
@@ -160,23 +170,27 @@
hwservice_contexts {
name: "plat_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.plat_private}"],
}
hwservice_contexts {
name: "system_ext_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
hwservice_contexts {
name: "product_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.product_private}"],
product_specific: true,
}
hwservice_contexts {
name: "vendor_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
@@ -187,17 +201,20 @@
hwservice_contexts {
name: "odm_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.odm}"],
device_specific: true,
}
property_contexts {
name: "plat_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
}
property_contexts {
name: "plat_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
stem: "plat_property_contexts",
recovery: true,
@@ -205,6 +222,7 @@
property_contexts {
name: "system_ext_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -212,6 +230,7 @@
property_contexts {
name: "product_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -219,6 +238,7 @@
property_contexts {
name: "vendor_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
@@ -230,6 +250,7 @@
property_contexts {
name: "odm_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
recovery_available: true,
@@ -237,11 +258,13 @@
service_contexts {
name: "plat_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
}
service_contexts {
name: "plat_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
stem: "plat_service_contexts",
recovery: true,
@@ -249,6 +272,7 @@
service_contexts {
name: "system_ext_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -256,6 +280,7 @@
service_contexts {
name: "product_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -263,6 +288,7 @@
service_contexts {
name: "vendor_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
@@ -274,6 +300,7 @@
service_contexts {
name: "odm_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.odm}",
],
@@ -283,23 +310,27 @@
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.plat_private}"],
}
keystore2_key_contexts {
name: "system_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
keystore2_key_contexts {
name: "product_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.product_private}"],
product_specific: true,
}
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
@@ -310,12 +341,14 @@
seapp_contexts {
name: "plat_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.plat_private}"],
sepolicy: ":precompiled_sepolicy",
}
seapp_contexts {
name: "system_ext_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.system_ext_private}"],
neverallow_files: [":seapp_contexts_files{.plat_private}"],
system_ext_specific: true,
@@ -324,6 +357,7 @@
seapp_contexts {
name: "product_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.product_private}"],
neverallow_files: [
":seapp_contexts_files{.plat_private}",
@@ -335,6 +369,7 @@
seapp_contexts {
name: "vendor_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
@@ -351,6 +386,7 @@
seapp_contexts {
name: "odm_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.odm}",
],
@@ -365,6 +401,7 @@
vndservice_contexts {
name: "vndservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 50d9de4..f75312a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -150,6 +150,8 @@
/dev/gnss10 gnss_device
/dev/graphics graphics_device
/dev/graphics/test graphics_device
+/dev/hidraw0 hidraw_device
+/dev/hidraw1 hidraw_device
/dev/hw_random hw_random_device
/dev/hwbinder hwbinder_device
/dev/input input_device
@@ -198,6 +200,9 @@
/dev/socket/mdns mdns_socket
/dev/socket/mdnsd mdnsd_socket
/dev/socket/mtpd mtpd_socket
+/dev/socket/ot-daemon/ ot_daemon_socket
+/dev/socket/ot-daemon/thread-wpan ot_daemon_socket
+/dev/socket/ot-daemon/100 ot_daemon_socket
/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
/dev/socket/pdx/system/performance pdx_performance_dir
@@ -538,6 +543,8 @@
/vendor/framework/test vendor_framework_file
/system/vendor/framework vendor_framework_file
/system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
/vendor/apex vendor_apex_file
/vendor/apex/test vendor_apex_file
@@ -911,8 +918,10 @@
/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
-/data/misc/apexdata/com.android.tethering apex_system_server_data_file
-/data/misc/apexdata/com.android.tethering/test apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/test apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/threadnetwork apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/threadnetwork/test apex_tethering_data_file
/data/misc/apexdata/com.android.uwb apex_system_server_data_file
/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
/data/misc/apexdata/com.android.wifi apex_system_server_data_file
@@ -973,6 +982,8 @@
/data/misc/net/test net_data_file
/data/misc/network_watchlist network_watchlist_data_file
/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/telephonyconfig radio_data_file
+/data/misc/telephonyconfig/test radio_data_file
/data/misc/nfc/logs nfc_logs_data_file
/data/misc/nfc/logs/test nfc_logs_data_file
/data/misc/odrefresh odrefresh_data_file
@@ -1013,8 +1024,6 @@
/data/misc/systemkeys/test systemkeys_data_file
/data/misc/textclassifier textclassifier_data_file
/data/misc/textclassifier/test textclassifier_data_file
-/data/misc/threadnetwork threadnetwork_data_file
-/data/misc/threadnetwork/test threadnetwork_data_file
/data/misc/train-info stats_data_file
/data/misc/train-info/test stats_data_file
/data/misc/user misc_user_data_file
@@ -1265,3 +1274,7 @@
/product/bin/otapreopt_script postinstall_exec
/system/bin/otapreopt postinstall_dexopt_exec
/product/bin/otapreopt postinstall_dexopt_exec
+/data/misc/uprobestats-configs uprobestats_configs_data_file
+/data/misc/uprobestats-configs/test uprobestats_configs_data_file
+
+/tmp shell_data_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
new file mode 100644
index 0000000..55e116b
--- /dev/null
+++ b/flagging/Android.bp
@@ -0,0 +1,38 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains a list of flags for sepolicy.
+se_policy_conf_defaults {
+ name: "se_policy_conf_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ flags: [
+ "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+ "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+ ],
+}
+
+contexts_defaults {
+ name: "contexts_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
+ flags: [
+ "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+ "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+ ],
+}
+
+filegroup {
+ name: "sepolicy_flagging_macros",
+ srcs: ["te_macros"],
+}
diff --git a/flagging/te_macros b/flagging/te_macros
new file mode 100644
index 0000000..3464502
--- /dev/null
+++ b/flagging/te_macros
@@ -0,0 +1,9 @@
+####################################
+# is_flag_enabled(flag, rules)
+# SELinux rules which apply only if given feature is turned on
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
+
+####################################
+# is_flag_disabled(flag, rules)
+# SELinux rules which apply only if given feature is turned off
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index f55711e..13ce685 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -7,6 +7,9 @@
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,new-instance u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,strict-boot u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 896590d..c83bcdb 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,8 @@
# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };
+
+# Allow init to load vendor modules
+r_dir_file(init, vendor_kernel_modules)
+allow init self:capability sys_module;
+allow init vendor_kernel_modules:system module_load;
diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index 33b8917..384f5d5 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te
@@ -27,6 +27,5 @@
set_prop(init_debug_policy, init_debug_policy_prop)
# Allow init_debug_policy to read AVF debug policy
-allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file { open read };
-
+r_dir_file(init_debug_policy, proc_dt_avf)
+r_dir_file(init_debug_policy, sysfs_dt_avf)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 2aed367..d1a5c6f 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -18,7 +18,8 @@
allow microdroid_manager dm_device:blk_file r_file_perms;
# microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+r_dir_file(microdroid_manager, proc_dt_avf)
+r_dir_file(microdroid_manager, sysfs_dt_avf)
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
@@ -123,10 +124,6 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
-allow microdroid_manager sysfs_dt_avf:file { open read };
-
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 5d4a73c..e4315a2 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -57,6 +57,9 @@
allow microdroid_payload encryptedstore_file:dir create_dir_perms;
allow microdroid_payload encryptedstore_file:file create_file_perms;
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 1a64b62..dfae6f9 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -12,6 +12,7 @@
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d53de79..201a07e 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -37,6 +37,7 @@
type vendor_configs_file, file_type, vendor_file_type;
type vendor_data_file, file_type, data_file_type;
type vendor_file, file_type, vendor_file_type;
+type vendor_kernel_modules, vendor_file_type, file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
type vm_payload_service_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket;
@@ -83,6 +84,7 @@
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
+type proc_dt_avf, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 8795798..d615d9b 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/vold.te b/prebuilts/api/33.0/public/vold.te
index 53b2c49..b49f25f 100644
--- a/prebuilts/api/33.0/public/vold.te
+++ b/prebuilts/api/33.0/public/vold.te
@@ -328,6 +328,7 @@
neverallow vold {
domain
-hal_health_storage_server
+ -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes
index 77143a3..fe50b0d 100644
--- a/prebuilts/api/34.0/private/attributes
+++ b/prebuilts/api/34.0/private/attributes
@@ -13,4 +13,5 @@
# All SDK sandbox domains
attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 069d06a..201c565 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -82,4 +82,5 @@
hal_can_controller_service
zoned_block_device
future_pm_prop
+ vfio_device
))
diff --git a/prebuilts/api/34.0/private/dex2oat.te b/prebuilts/api/34.0/private/dex2oat.te
index ea9ab9c..6ada2e2 100644
--- a/prebuilts/api/34.0/private/dex2oat.te
+++ b/prebuilts/api/34.0/private/dex2oat.te
@@ -82,7 +82,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/prebuilts/api/34.0/private/fastbootd.te b/prebuilts/api/34.0/private/fastbootd.te
index 7dc1741..a189d23 100644
--- a/prebuilts/api/34.0/private/fastbootd.te
+++ b/prebuilts/api/34.0/private/fastbootd.te
@@ -42,6 +42,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+ set_prop(fastbootd, boottime_prop)
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
diff --git a/prebuilts/api/34.0/private/gmscore_app.te b/prebuilts/api/34.0/private/gmscore_app.te
index 46b90c6..b662f4f 100644
--- a/prebuilts/api/34.0/private/gmscore_app.te
+++ b/prebuilts/api/34.0/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/34.0/private/gsid.te b/prebuilts/api/34.0/private/gsid.te
index e795cea..9391016 100644
--- a/prebuilts/api/34.0/private/gsid.te
+++ b/prebuilts/api/34.0/private/gsid.te
@@ -150,7 +150,7 @@
allow gsid {
gsi_data_file
ota_image_data_file
-}:dir rw_dir_perms;
+}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
diff --git a/prebuilts/api/34.0/private/otapreopt_chroot.te b/prebuilts/api/34.0/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/prebuilts/api/34.0/private/otapreopt_chroot.te
+++ b/prebuilts/api/34.0/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index 2c7557f..da0ea5b 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1426,9 +1426,6 @@
# Hostname for the remote provisioning server a device should communicate with
remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
-# Indicates the system should use rkpd instead of RemoteProvisioner
-remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
-
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te
index d45da88..bb15057 100644
--- a/prebuilts/api/34.0/private/sdk_sandbox_34.te
+++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te
@@ -3,89 +3,7 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_audit.te b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
new file mode 100644
index 0000000..bb531ca
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+ cameraserver_service
+ ephemeral_app_api_service
+ mediadrmserver_service
+ radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:dir rw_dir_perms;
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_current.te b/prebuilts/api/34.0/private/sdk_sandbox_current.te
new file mode 100644
index 0000000..55e5bc1
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_current.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index 4454bd7..8f3cae9 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -13,6 +13,7 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
+# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -48,9 +49,19 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -171,6 +182,7 @@
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/prebuilts/api/34.0/private/service.te b/prebuilts/api/34.0/private/service.te
index 3717150..98be17d 100644
--- a/prebuilts/api/34.0/private/service.te
+++ b/prebuilts/api/34.0/private/service.te
@@ -4,6 +4,7 @@
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type feature_flags_service, app_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts
index 3bb9c85..553a71d 100644
--- a/prebuilts/api/34.0/private/service_contexts
+++ b/prebuilts/api/34.0/private/service_contexts
@@ -226,6 +226,7 @@
external_vibrator_service u:object_r:external_vibrator_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
+feature_flags u:object_r:feature_flags_service:s0
file_integrity u:object_r:file_integrity_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
diff --git a/private/app.te b/private/app.te
index 19cb2e0..b5bb474 100644
--- a/private/app.te
+++ b/private/app.te
@@ -137,18 +137,21 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
+allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox_all)
+# Allow apps to communicate via binder with virtual camera service.
+binder_call(appdomain, virtual_camera)
+
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
@@ -173,7 +176,7 @@
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
@@ -312,16 +315,16 @@
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
-allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
+allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
-allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
+allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
-allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
+allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
-allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
+allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ea10df5..5ea924a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -295,3 +295,6 @@
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
+
+# Do not allow untrusted app access to hidraw devices.
+neverallow all_untrusted_apps hidraw_device:chr_file *;
diff --git a/private/bootanim.te b/private/bootanim.te
index 2b3c807..f63a230 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -18,3 +18,6 @@
# Allow accessing /data/misc/bootanim
r_dir_file(bootanim, bootanim_data_file)
+
+# Allow accessing vendor apex for EGL/GLES
+allow bootanim vendor_apex_metadata_file:dir r_dir_perms;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0ad2c6b..be6f77c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,7 +41,7 @@
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
-neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
+neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
@@ -68,7 +68,7 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/private/bug_map b/private/bug_map
index 3a78a40..172d9a7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -19,10 +19,7 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
-mediaprovider_app device_config_media_native_prop file b/308043377
mediaswcodec ashmem_device chr_file b/142679232
-nfc device_config_media_native_prop file b/308043377
-platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ea4ed5d..352aecf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -88,4 +88,5 @@
hal_can_controller_service
zoned_block_device
future_pm_prop
+ vfio_device
))
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index aa8a56c..595d53e 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1,3 +1,10 @@
+;; types removed from current policy
+(type racoon)
+(type racoon_exec)
+(type mtp_exec)
+(type ppp_device)
+(type ppp_exec)
+
;; mapping information from ToT policy's types to 34.0 policy's types.
(expandtypeattribute (DockObserver_service_34_0) true)
(expandtypeattribute (IProxyService_service_34_0) true)
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 16164e5..e19da6c 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -10,21 +10,33 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ fwk_vibrator_control_service
+ ecm_enhanced_confirmation_service
hal_authgraph_service
- vibrator_control_service
+ hal_graphics_mapper_service
+ hal_secretkeeper_service
hal_codec2_service
+ hal_macsec_service
+ hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
+ hidl_memory_prop
+ hidraw_device
virtual_camera_service
ot_daemon_service
+ ot_daemon_socket
+ pm_archiving_enabled_prop
remote_auth_service
security_state_service
+ setupwizard_mode_prop
sysfs_sync_on_suspend
+ tv_ad_service
threadnetwork_service
device_config_aconfig_flags_prop
- proc_memhealth
virtual_device_native_service
next_boot_prop
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
+ threadnetwork_config_prop
))
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..5442ea3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
@@ -150,7 +151,7 @@
-apexd
-init
-ueventd
- -vfio_handler
+ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
-vold
} sysfs:file no_rw_file_perms;
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 6cc1828..27baaff 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -32,6 +32,10 @@
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
+# Allow crash dump to read bootstrap libraries
+allow crash_dump system_bootstrap_lib_file:dir { getattr search };
+allow crash_dump system_bootstrap_lib_file:file r_file_perms;
+
# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..6ad3727 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
@@ -39,13 +39,20 @@
apex_compos_data_file
apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
-# Allow crosvm to mlock guest memory.
-allow crosvm self:capability ipc_lock;
+# When running a VM as root we get spurious capability denials.
+# Suppress them.
+userdebug_or_eng(`
+ dontaudit crosvm self:capability ipc_lock;
+')
+
+# Allow crosvm to tune for performance.
+allow crosvm self:global_capability_class_set sys_nice;
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
@@ -126,6 +133,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/domain.te b/private/domain.te
index 0861fa5..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 18924ca..6798667 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -59,6 +59,12 @@
# Allow dumpstate to talk to automotive_display_service over binder
binder_call(dumpstate, automotive_display_service)
+# Allow dumpstate to talk to virtual_camera service over binder
+binder_call(dumpstate, virtual_camera)
+
+# Allow dumpstate to talk to ot_daemon service over binder
+binder_call(dumpstate, ot_daemon)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
@@ -67,6 +73,8 @@
mediatranscoding
statsd
netd
+ virtual_camera
+ ot_daemon
}:process signal;
# Only allow dumpstate to dump Keystore on debuggable builds.
@@ -87,6 +95,7 @@
# Read files in /proc
allow dumpstate {
+ config_gz
proc_net_tcp_udp
proc_pid_max
}:file r_file_perms;
diff --git a/private/file.te b/private/file.te
index f4c3e2d..450fe2c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -8,7 +8,7 @@
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
-type fs_bpf_uprobe_private, fs_type, bpffs_type;
+type fs_bpf_uprobestats, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -28,6 +28,12 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/uprobestats-configs for uprobestats configs
+type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
+
+# /apex/com.android.art/bin/oatdump
+type oatdump_exec, system_file_type, exec_type, file_type;
+
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
@@ -71,12 +77,14 @@
# /data/misc/apexdata/com.android.virt
type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# /data/misc/apexdata/com.android.tethering
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
-type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
@@ -128,11 +136,9 @@
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
-# /data/misc/threadnetwork
-type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
-
-# /sys/firmware/devicetree/base/avf
+# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
+type proc_dt_avf, fs_type, proc_type;
# Type for /system/fonts/font_fallback.xm
type system_font_fallback_file, system_file_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 2481c07..cba5660 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -1,4 +1,25 @@
###########################################
+# Entries in this file describe the security context associated with a file
+# path. They are used when building the device image, to include the security
+# context within the extended file attributes of the file system. They are also
+# used at runtime when calling restorecon.
+#
+# Entries are merged with other file_contexts from other partitions (e.g.,
+# vendor or odm, see the full list at libselinux/src/android/android.c).
+#
+# The entries are evaluated by the following rules:
+# - Static entries (that is, not using regular expressions) are always
+# evaluated first.
+# - The first matching entry is used.
+# - Entries are evaluated from the bottom to the top.
+#
+# Based on these rules, it is recommended that the less specific entries appear
+# first. For instance:
+# /dev(/.*)? u:object_r:device:s0
+# /dev/block(/.*)? u:object_r:block_device:s0
+# /dev/block/my_dev u:object_r:my_dev:s0
+#
+
# Root
/ u:object_r:rootfs:s0
@@ -33,6 +54,7 @@
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
/bootstrap-apex u:object_r:apex_mnt_dir:s0
+/tmp u:object_r:shell_data_file:s0
# Postinstall directories
/postinstall u:object_r:postinstall_mnt_dir:s0
@@ -106,6 +128,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
@@ -118,7 +141,6 @@
/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
@@ -143,7 +165,7 @@
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/ot-daemon(/.*)? u:object_r:ot_daemon_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
@@ -156,7 +178,6 @@
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/property_service_for_system u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
@@ -296,9 +317,6 @@
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/dmesgd u:object_r:dmesgd_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
@@ -391,6 +409,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -601,7 +620,7 @@
/data/misc/apexdata/com\.android\.virt(/.*)? u:object_r:apex_virt_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
-/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_tethering_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -633,6 +652,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/telephonyconfig(/.*)? u:object_r:radio_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
@@ -640,6 +660,7 @@
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
+/data/misc/uprobestats-configs(/.*)? u:object_r:uprobestats_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
@@ -653,7 +674,6 @@
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
-/data/misc/threadnetwork(/.*)? u:object_r:threadnetwork_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
@@ -741,16 +761,7 @@
# Expanded data files
#
/mnt/expand u:object_r:mnt_expand_file:s0
-# CAREFUL: the two system_data_file patterns below can't be replaced with one
-# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
-# "/mnt/expand/[^/]+/user". This is because when a path is matched by two
-# patterns that contain regex meta-characters, SELinux just chooses the longer
-# pattern (or the later pattern if the patterns are the same length), rather
-# than the pattern containing fewer regex meta-characters. Splitting the
-# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
-# problem, except for 1-character filenames which we aren't using.
-/mnt/expand/[^/]+ u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/.* u:object_r:system_data_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 41c60df..e4baeee 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -8,6 +8,7 @@
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
@@ -19,7 +20,6 @@
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /memhealth u:object_r:proc_memhealth:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
@@ -419,4 +419,4 @@
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
-genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
+genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..6ab7eb8 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
+
+# to force stop the service when it's not supported
+set_prop(hal_allocator_default, hidl_memory_prop)
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 189d064..1ffcabe 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,6 +32,9 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app_all shell_data_file:dir search;
+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
#####
##### Neverallow
#####
diff --git a/private/keys.conf b/private/keys.conf
index 18c1a8c..fc50ef3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -23,6 +23,9 @@
[@NETWORK_STACK]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+[@NFC]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/keystore.te b/private/keystore.te
index 73961ac..b81ccfa 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,6 +11,11 @@
# talk to keymint
hal_client_domain(keystore, hal_keymint)
+# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
+# access it.
+# TODO(b/312427637): Investigate the reason and fix the denial.
+dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index c9a9aca..fa8ffcf 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -69,4 +69,9 @@
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
+
+ <!-- NFC key in AOSP -->
+ <signer signature="@NFC" >
+ <seinfo value="nfc" />
+ </signer>
</policy>
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 92ec40d..5fc13a8 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -29,3 +29,7 @@
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
binder_call(mediaserver, statsd)
+
+# Allow mediaserver to communicate with Surface provided
+# by virtual camera.
+binder_call(mediaserver, virtual_camera)
diff --git a/private/mtp.te b/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index 8be8212..6d1c10c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,9 +6,9 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,9 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/private/network_stack.te b/private/network_stack.te
index 84c8d4d..7587c1f 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -13,6 +13,8 @@
net_raw
};
+allow network_stack self:global_capability2_class_set wake_alarm;
+
# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
@@ -43,7 +45,6 @@
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 066d3d5..341fa9c 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -12,10 +12,13 @@
# Allow the ot_daemon to use the net domain.
net_domain(ot_daemon)
-# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
-allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
-allow ot_daemon threadnetwork_data_file:file create_file_perms;
-allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
+allow ot_daemon apex_module_data_file:dir search;
+
+# Allow the ot_daemon to access files and subdirectories under
+# /data/misc/apexdata/com\.android\.tethering
+allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
+allow ot_daemon apex_tethering_data_file:file create_file_perms;
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
@@ -32,3 +35,7 @@
# Allow OT daemon to write to statsd
unix_socket_send(ot_daemon, statsdw, statsd)
+
+# For collecting bugreports.
+allow ot_daemon dumpstate:fd use;
+allow ot_daemon dumpstate:fifo_file write;
diff --git a/private/ppp.te b/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/priv_app.te b/private/priv_app.te
index cadefe1..536c9d4 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -293,3 +293,6 @@
# Allow priv apps to report off body events to keystore2.
allow priv_app keystore:keystore2 report_off_body;
+
+# Allow priv_apps to check if archiving is enabled
+get_prop(priv_app, pm_archiving_enabled_prop)
diff --git a/private/property.te b/private/property.te
index e1b42a0..38e69bb 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(crashrecovery_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
@@ -27,6 +28,7 @@
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
+system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
@@ -44,6 +46,7 @@
system_internal_prop(system_adbd_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(uprobestats_start_with_config_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
@@ -58,6 +61,8 @@
system_internal_prop(hypervisor_pvmfw_prop)
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
+system_internal_prop(hidl_memory_prop)
+system_internal_prop(suspend_debug_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -339,8 +344,26 @@
} {
suspend_prop
}:property_service set;
+
+ neverallow {
+ domain
+ -init
+ } {
+ suspend_debug_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-system_suspend')
+ } {
+ suspend_debug_prop
+ }:file no_rw_file_perms;
')
+dontaudit system_suspend suspend_debug_prop:file r_file_perms;
+
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
@@ -605,6 +628,12 @@
neverallow {
domain
-init
+ -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
@@ -704,3 +733,10 @@
-system_app
-device_as_webcam
} usb_uvc_enabled_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} pm_archiving_enabled_prop:property_service set;
+
diff --git a/private/property_contexts b/private/property_contexts
index 69e4ec2..a798d11 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -62,6 +62,7 @@
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
+persist.logd.audit.rate u:object_r:logd_auditrate_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
@@ -86,6 +87,7 @@
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
+uprobestats.start_with_config u:object_r:uprobestats_start_with_config_prop:s0
persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
@@ -117,6 +119,9 @@
suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
+# Suspend service debug properties
+suspend.debug.wakestats_log.enabled u:object_r:suspend_debug_prop:s0 exact bool
+
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -231,6 +236,9 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
+# hidl_memory properties to intentionally force a shutdown
+hidl_memory. u:object_r:hidl_memory_prop:s0
+
# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
@@ -338,6 +346,10 @@
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -529,6 +541,7 @@
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.leaudio_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
@@ -618,6 +631,8 @@
bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.sco.managed_by_audio u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.le.dsa_transport_preference u:object_r:bluetooth_config_prop:s0 exact string
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.nfc.vendor_debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -728,6 +743,7 @@
ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.pressure_after_kill_min_score u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
@@ -862,9 +878,8 @@
persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
-persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -1133,9 +1148,11 @@
ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
-# GRF property for the first api level of the vendor partition
+# Vendor API level properties for the vFRC and GRF
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_frozen u:object_r:build_vendor_prop:s0 exact bool
+ro.llndk.api_level u:object_r:build_prop:s0 exact int
ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1285,6 +1302,7 @@
wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface. u:object_r:wifi_hal_prop:s0 prefix string
wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
@@ -1430,6 +1448,8 @@
ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+ro.vulkan.apex u:object_r:graphics_config_prop:s0 exact string
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1480,6 +1500,8 @@
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.mode u:object_r:setupwizard_mode_prop:s0 exact string
+
setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
@@ -1533,8 +1555,13 @@
persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_hal_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_hal_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
@@ -1542,8 +1569,9 @@
vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
# properties for the virtual Fingerprint HAL
@@ -1595,5 +1623,22 @@
# Properties for sensor service
sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
-# Propertues for game manager service
+# Properties for game manager service
persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
+
+# Properties for app archiving
+pm.archiving.enabled u:object_r:pm_archiving_enabled_prop:s0 exact bool
+
+# Properties for ThreadNetworkService
+threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
+
+# Properties for crashrecovery
+crashrecovery.attempting_factory_reset u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.attempting_reboot u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.boot_mitigation_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.boot_mitigation_start u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.max_rescue_level_attempted u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
+persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
+persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
diff --git a/private/racoon.te b/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/private/remount.te b/private/remount.te
index 4dd94a5..5ef7fac 100644
--- a/private/remount.te
+++ b/private/remount.te
@@ -12,4 +12,14 @@
# Allow searching for /metadata/gsi/remount/lp_metadata.
allow remount { metadata_file gsi_metadata_file_type }:dir search;
+
+ # Allow remount to flip the overlayfs bit in the super partition.
+ # This requires being able to read fstab, find /dev/block/by-name/super,
+ # and read-write super.
+ r_dir_file(remount, sysfs_dt_firmware_android)
+ allow remount proc_bootconfig:file r_file_perms;
+ allow remount proc_cmdline:file r_file_perms;
+ allow remount block_device:dir r_dir_perms;
+ allow remount super_block_device_type:blk_file rw_file_perms;
+ allowxperm remount super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
')
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 509a96e..e7809e9 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -9,6 +9,7 @@
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
+hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 74701df..2219631 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -56,6 +56,12 @@
# as the current dessert release, with additional auditing rules for the accesses
# we are considering forbidding in the upcoming release.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
# An unspecified isSdkSandboxNext defaults to false.
@@ -64,6 +70,10 @@
# sdk_sandbox_audit sepolicy applied to them.
# An unspecified isSdkSandboxAudit defaults to false.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -172,10 +182,11 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
-user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=nfc seinfo=nfc domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro levelFrom=all
diff --git a/private/service.te b/private/service.te
index 861afb3..36d6ccf 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,7 @@
+type adaptive_auth_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
-type bg_install_control_service, system_server_service, service_manager_type;
+type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
@@ -21,6 +22,10 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
-type vfio_handler_service, service_manager_type;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ type vfio_handler_service, service_manager_type;
+')
+
type uce_service, service_manager_type;
-type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
+type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 2473733..5099097 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
android.frameworks.location.altitude.IAltitudeService/default u:object_r:fwk_altitude_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
+android.frameworks.vibrator.IVibratorControlService/default u:object_r:fwk_vibrator_control_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
@@ -28,6 +29,11 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
+android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
+is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
+ android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default u:object_r:hal_bluetooth_service:s0
+')
+android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
@@ -51,6 +57,7 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.macsec.IMacsecPskPlugin/default u:object_r:hal_macsec_service:s0
android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
@@ -92,6 +99,7 @@
android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
@@ -121,6 +129,8 @@
android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/default u:object_r:hal_secretkeeper_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
@@ -129,6 +139,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
+adaptive_auth u:object_r:adaptive_auth_service:s0
adb u:object_r:adb_service:s0
adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
@@ -151,7 +162,9 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
-android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
@@ -231,6 +244,7 @@
dumpstate u:object_r:dumpstate_service:s0
dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
+ecm_enhanced_confirmation u:object_r:ecm_enhanced_confirmation_service:s0
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
@@ -423,6 +437,7 @@
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
+tv_ad u:object_r:tv_ad_service:s0
tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -436,8 +451,8 @@
uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
-vibrator_control u:object_r:vibrator_control_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtual_camera u:object_r:virtual_camera_service:s0
virtualdevice u:object_r:virtual_device_service:s0
virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
diff --git a/private/shell.te b/private/shell.te
index aa6bef8..bfcd5ac 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
@@ -156,6 +159,8 @@
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
+# adjust SELinux audit rates
+set_prop(shell, logd_auditrate_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
@@ -253,3 +258,5 @@
# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)
+# Allow shell to execute oatdump.
+allow shell oatdump_exec:file rx_file_perms;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 8cd9e63..3752e01 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -33,6 +33,9 @@
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
+# Required for setting GID to system while calling SetTaskProfile() API
+allow snapuserd self:global_capability_class_set { setgid };
+
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
diff --git a/private/statsd.te b/private/statsd.te
index 59948ff..051b99e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -28,3 +28,10 @@
# Allow statsd to read its system properties
get_prop(statsd, device_config_statsd_native_prop)
get_prop(statsd, device_config_statsd_native_boot_prop)
+
+# Allow statsd to write uprobestats configs.
+allow statsd uprobestats_configs_data_file:dir rw_dir_perms;
+allow statsd uprobestats_configs_data_file:file create_file_perms;
+
+# Allow statsd to trigger uprobestats via property.
+set_prop(statsd, uprobestats_start_with_config_prop);
diff --git a/private/su.te b/private/su.te
index cc00e10..2e0d10a 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,8 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
- # Put the virtmgr command into its domain.
- domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+ # Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
+ # own domain.
+ virtualizationservice_use(su)
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_app.te b/private/system_app.te
index 06b0feb..338d852 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,6 +83,12 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps (Settings) to call into update_engine
+# in order to apply update to switch from 4k kernel to 16K and vice-versa
+binder_use(system_app)
+allow system_app update_engine_stable_service:service_manager find;
+binder_call(system_app, update_engine)
+
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
@@ -118,7 +124,8 @@
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;
-# Ignore access to zram when Debug.getMemInfo is called.
+# Ignore access to memory properties for Settings.
+dontaudit system_app proc_pagetypeinfo:file r_file_perms;
dontaudit system_app sysfs_zram:dir search;
allow system_app keystore:keystore2_key {
@@ -158,12 +165,18 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow system apps to read game manager related sysrops
+get_prop(system_app, game_manager_config_prop)
+
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
# Settings app reads ro.usb.uvc.enabled
get_prop(system_app, usb_uvc_enabled_prop)
+# Settings and Launcher apps read pm.archiving.enabled
+get_prop(system_app, pm_archiving_enabled_prop)
+
###
### Neverallow rules
###
@@ -180,3 +193,5 @@
# system_app should be the only domain writing the adaptive haptics prop
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
+# system_app should be the only domain writing the force l3 prop
+neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index 3d49a65..9ea2e9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -260,9 +260,7 @@
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
# Allow system_server to write to statsd.
@@ -298,9 +296,11 @@
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
+binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
+binder_call(system_server, uprobestats)
binder_service(system_server)
# Use HALs
@@ -308,6 +308,7 @@
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_bluetooth)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
@@ -329,6 +330,7 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
@@ -371,6 +373,7 @@
# This is derived from the list that system server defines as interesting native processes
# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ artd
audioserver
cameraserver
drmserver
@@ -386,6 +389,7 @@
mediatuner
netd
sdcardd
+ servicemanager
statsd
surfaceflinger
vold
@@ -478,6 +482,8 @@
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;
+allow system_server hidraw_device:dir r_dir_perms;
+allow system_server hidraw_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
@@ -730,6 +736,7 @@
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
+set_prop(system_server, crashrecovery_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
@@ -1132,7 +1139,6 @@
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_memhealth)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
@@ -1185,6 +1191,9 @@
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit system_server self:key_socket getopt;
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
@@ -1408,19 +1417,19 @@
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
+allow system_server apex_tethering_data_file:dir create_dir_perms;
+allow system_server apex_tethering_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
- apex_tethering_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
- apex_tethering_data_file
apex_wifi_data_file
}:file create_file_perms;
@@ -1555,3 +1564,22 @@
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
+# ThreadNetworkService reads Thread Network properties
+get_prop(system_server, threadnetwork_config_prop)
+
+# Do not allow any domain other than init and system server to set the property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} threadnetwork_config_prop:file no_rw_file_perms;
+
+# Allow system server to read pm.archiving.enabled prop
+# TODO(azilio): Remove system property after archiving testing is completed.
+get_prop(system_server, pm_archiving_enabled_prop)
+
+# Do not allow any domain other than init or system server to get or set the property
+neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
+neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 683d913..a525866 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -22,6 +22,11 @@
# Access to suspend_hal system properties
get_prop(system_suspend, suspend_prop)
+# Access to system_suspend debug system properties
+userdebug_or_eng(`
+ get_prop(system_suspend, suspend_debug_prop)
+')
+
# To call BTAA registered callbacks
allow system_suspend bluetooth:binder call;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 0d68fa3..003e992 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -84,6 +84,9 @@
proc_vmstat
proc_stat
proc_buddyinfo
+ proc_pressure_cpu
+ proc_pressure_io
+ proc_pressure_mem
}:file r_file_perms;
# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
diff --git a/private/update_engine.te b/private/update_engine.te
index c9511f7..862a62a 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -22,6 +22,10 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+# Allow update_engine to call the callback function by settings app
+# for the kernel update triggered using 16k developer option
+binder_call(update_engine, system_app)
+
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index f2a4ae3..f6dd906 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -4,13 +4,34 @@
type uprobestats_exec, system_file_type, exec_type, file_type;
-# Allow uprobestats to be invoked by statsd.
-domain_auto_trans(statsd, uprobestats_exec, uprobestats)
+# Allow init to start uprobestats.
+init_daemon_domain(uprobestats)
-allow uprobestats fs_bpf_uprobe_private:file { read write };
-allow uprobestats fs_bpf_uprobe_private:dir search;
+allow uprobestats fs_bpf_uprobestats:file { read write };
+allow uprobestats fs_bpf_uprobestats:dir search;
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
allow uprobestats self:capability2 perfmon;
allow uprobestats self:perf_event { cpu open write };
allow uprobestats sysfs_uprobe:file { open read };
allow uprobestats sysfs_uprobe:dir { search };
+
+# Allow uprobestats to popen oatdump.
+allow uprobestats oatdump_exec:file rx_file_perms;
+
+# Allow uprobestats to write atoms to statsd
+unix_socket_send(uprobestats, statsdw, statsd)
+
+# For registration with system server as a process observer.
+binder_use(uprobestats)
+allow uprobestats activity_service:service_manager find;
+binder_call(uprobestats, system_server);
+
+# Allow uprobestats to talk to native package manager
+allow uprobestats package_native_service:service_manager find;
+
+# Allow uprobestats to scan /proc/<pid>/cmdline.
+r_dir_file(uprobestats, { domain -appdomain })
+
+# Allow uprobestats to manage its own config files.
+allow uprobestats uprobestats_configs_data_file:dir rw_dir_perms;
+allow uprobestats uprobestats_configs_data_file:file { r_file_perms unlink };
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 1b553e9..963809e 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -1,35 +1,37 @@
-# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
-# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
-type vfio_handler, domain, coredomain;
-type vfio_handler_exec, system_file_type, exec_type, file_type;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+ # vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+ type vfio_handler, domain, coredomain;
+ type vfio_handler_exec, system_file_type, exec_type, file_type;
-# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
-init_daemon_domain(vfio_handler)
+ # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+ init_daemon_domain(vfio_handler)
-# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
-add_service(vfio_handler, vfio_handler_service)
+ # Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+ add_service(vfio_handler, vfio_handler_service)
-# Let the vfio_handler domain use Binder.
-binder_use(vfio_handler)
+ # Let the vfio_handler domain use Binder.
+ binder_use(vfio_handler)
-# Allow vfio_handler to check if VFIO is supported
-allow vfio_handler vfio_device:chr_file getattr;
-allow vfio_handler vfio_device:dir r_dir_perms;
+ # Allow vfio_handler to check if VFIO is supported
+ allow vfio_handler vfio_device:chr_file getattr;
+ allow vfio_handler vfio_device:dir r_dir_perms;
-# Allow vfio_handler to bind/unbind platform devices
-allow vfio_handler sysfs:dir r_dir_perms;
-allow vfio_handler sysfs:file rw_file_perms;
+ # Allow vfio_handler to bind/unbind platform devices
+ allow vfio_handler sysfs:dir r_dir_perms;
+ allow vfio_handler sysfs:file rw_file_perms;
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
-allow vfio_handler virtualizationservice:fd use;
-allow vfio_handler virtualizationservice_data_file:file write;
+ # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+ allow vfio_handler virtualizationservice:fd use;
+ allow vfio_handler virtualizationservice_data_file:file write;
-# vfio_handler can only use fd from virtualizationservice, and can't open files itself
-neverallow vfio_handler virtualizationservice_data_file:file { open create };
+ # vfio_handler can only use fd from virtualizationservice, and cannot open files itself
+ neverallow vfio_handler virtualizationservice_data_file:file { open create };
-# Allow vfio_handler to search /dev/block for accessing dtbo.img
-allow vfio_handler block_device:dir search;
-allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+ # Allow vfio_handler to search /dev/block for accessing dtbo.img
+ allow vfio_handler block_device:dir search;
+ allow vfio_handler dtbo_block_device:blk_file r_file_perms;
-# Only vfio_handler can add vfio_handler_service
-neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+ # Only vfio_handler can add vfio_handler_service
+ neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 765a59f..dde98c0 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -9,6 +9,21 @@
# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
# we actually need from halserverdomain and hal_camera_server:
binder_use(virtual_camera)
+binder_call(virtual_camera, cameraserver)
+binder_call(virtual_camera, system_server)
+
+# Allow virtual_camera to communicate with
+# mediaserver (required for using Surface originating
+# from virtual camera in mediaserver).
+binder_call(virtual_camera, mediaserver)
+
+# Required for the codecs to be able to decode
+# video into surface provided by virtual camera.
+hal_client_domain(virtual_camera, hal_codec2)
+hal_client_domain(virtual_camera, hal_omx)
+
+# Allow virtualCamera to call apps via binder.
+binder_call(virtual_camera, appdomain)
# Allow virtual_camera to use fd from apps
allow virtual_camera { appdomain -isolated_app }:fd use;
@@ -18,3 +33,14 @@
# Allow virtual_camera to map graphic buffers
hal_client_domain(virtual_camera, hal_graphics_allocator)
+
+# Allow virtual_camera to use GPU
+allow virtual_camera gpu_device:chr_file rw_file_perms;
+allow virtual_camera gpu_device:dir r_dir_perms;
+
+# For collecting bugreports.
+allow virtual_camera dumpstate:fd use;
+allow virtual_camera dumpstate:fifo_file write;
+
+# Needed for permission checks.
+allow virtual_camera permission_service:service_manager find;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..3aaff5b 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -83,9 +83,13 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file { open read };
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
+
+# virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
+# from pVM to HAL.
+hal_client_domain(virtualizationmanager, hal_secretkeeper);
# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
# (e.g. custom debug policy)
@@ -94,9 +98,21 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
+# Do not allow writing vendor_microdroid_file from any process.
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # virtualizationmanager holds references to bound devices, returned from vfio_handler
+ binder_call(virtualizationmanager, vfio_handler)
+')
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 93cd04c..972f376 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,14 +15,24 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Let virtualizationservice find and communicate with vfio_handler.
+ allow virtualizationservice vfio_handler_service:service_manager find;
+ binder_call(virtualizationservice, vfio_handler)
+')
+
+# Allow the virtualizationservice domain to serve a remotely provisioned component for
+# pVM remote attestation.
+hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
+binder_call(virtualizationservice, remote_provisioning_service)
+allow virtualizationservice remote_provisioning_service:service_manager find;
+
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
@@ -97,5 +107,7 @@
-virtualizationservice
}:process setrlimit;
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
+ neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
+')
diff --git a/public/app.te b/public/app.te
index a45149f..b539913 100644
--- a/public/app.te
+++ b/public/app.te
@@ -110,9 +110,6 @@
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
apk_private_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
@@ -139,11 +136,15 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
diff --git a/public/attributes b/public/attributes
index a5d666e..759b773 100644
--- a/public/attributes
+++ b/public/attributes
@@ -365,6 +365,7 @@
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
+hal_attribute(macsec);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
@@ -375,6 +376,8 @@
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(remoteaccess);
+hal_attribute(secretkeeper);
+hal_attribute(remotelyprovisionedcomponent_avf);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/device.te b/public/device.te
index 4a824c9..f842d33 100644
--- a/public/device.te
+++ b/public/device.te
@@ -64,6 +64,7 @@
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
+type hidraw_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
diff --git a/public/domain.te b/public/domain.te
index ec8b247..d630a24 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -337,6 +337,10 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
###
### neverallow rules
###
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 496d95974..549e6c6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -178,6 +178,7 @@
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
diff --git a/public/file.te b/public/file.te
index 091c557..32c0cd8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -48,7 +48,6 @@
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
-type proc_memhealth, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
@@ -255,6 +254,9 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+# Files having this type should be read-only.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -536,6 +538,7 @@
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
+type ot_daemon_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index f05e00a..0bdcc23 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -26,3 +26,7 @@
allow hal_codec2_client ion_device:chr_file r_file_perms;
+# codec2 aidl graphic buffer allocation waitable object
+allow hal_codec2_server su:fifo_file read;
+allow hal_codec2_server mediaserver:fifo_file read;
+allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 35a19de..39ba46e 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -3,6 +3,7 @@
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_service:service_manager find;
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
diff --git a/public/hal_macsec.te b/public/hal_macsec.te
new file mode 100644
index 0000000..27225db
--- /dev/null
+++ b/public/hal_macsec.te
@@ -0,0 +1,7 @@
+# Binder IPC from client to server, and callbacks
+binder_call(hal_macsec_client, hal_macsec_server)
+binder_call(hal_macsec_server, hal_macsec_client)
+
+hal_attribute_service(hal_macsec, hal_macsec_service)
+
+binder_use(hal_macsec_server)
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index e77ea9d..621a0b8 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -33,6 +33,7 @@
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
+ -hal_bluetooth_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -45,6 +46,7 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_nlinterceptor_server
+ -hal_bluetooth_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/hal_remotelyprovisionedcomponent_avf.te b/public/hal_remotelyprovisionedcomponent_avf.te
new file mode 100644
index 0000000..8cc7ce5
--- /dev/null
+++ b/public/hal_remotelyprovisionedcomponent_avf.te
@@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_remotelyprovisionedcomponent_avf_client, hal_remotelyprovisionedcomponent_avf_server)
+
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_remotelyprovisionedcomponent_avf, hal_remotelyprovisionedcomponent_avf_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_remotelyprovisionedcomponent_avf_server)
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
new file mode 100644
index 0000000..359159f
--- /dev/null
+++ b/public/hal_secretkeeper.te
@@ -0,0 +1,12 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)
+
+# The Secretkeeper HAL service needs to communicate with a trusted application running
+# in the TEE, which is represented by the tee_device permission.
+allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 85b8e8c..6909ff2 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -14,4 +14,4 @@
allow hal_vibrator sysfs_vibrator:dir search;
# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
-allow hal_vibrator vibrator_control_service:service_manager find;
+allow hal_vibrator fwk_vibrator_control_service:service_manager find;
diff --git a/public/init.te b/public/init.te
index 29dd42d..47b8603 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,6 +105,7 @@
vendor_file
postinstall_mnt_dir
mirror_data_file
+ shell_data_file
}:dir mounton;
# Mount bpf fs on sys/fs/bpf
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index b3b26c1..dc45500 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -11,6 +11,9 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
+# get aac_drc_* properties
+get_prop(mediaswcodec, aac_drc_prop)
+
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
diff --git a/public/mtp.te b/public/mtp.te
index add63c0..4f3ce9a 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,11 +1,2 @@
# vpn tunneling protocol manager
type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/public/ppp.te b/public/ppp.te
index b736def..29900ea 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,23 +1,2 @@
# Point to Point Protocol daemon
type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/public/property.te b/public/property.te
index 1a5b105..c513434 100644
--- a/public/property.te
+++ b/public/property.te
@@ -181,6 +181,7 @@
system_vendor_config_prop(suspend_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(threadnetwork_config_prop)
system_vendor_config_prop(tombstone_config_prop)
system_vendor_config_prop(usb_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
@@ -197,6 +198,8 @@
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
+system_vendor_config_prop(pm_archiving_enabled_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/racoon.te b/public/racoon.te
deleted file mode 100644
index b0383f0..0000000
--- a/public/racoon.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
diff --git a/public/service.te b/public/service.te
index 4b6ef4c..a221956 100644
--- a/public/service.te
+++ b/public/service.te
@@ -118,7 +118,8 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
+type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -137,6 +138,7 @@
type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
+type fwk_vibrator_control_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
@@ -213,7 +215,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type security_state_service, system_server_service, service_manager_type;
+type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -244,6 +246,7 @@
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -255,7 +258,6 @@
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_control_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
@@ -302,6 +304,7 @@
type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_allocator_service, hal_service_type, service_manager_type;
type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_mapper_service, hal_service_type, service_manager_type;
type hal_health_service, protected_service, hal_service_type, service_manager_type;
type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
type hal_identity_service, protected_service, hal_service_type, service_manager_type;
@@ -310,6 +313,7 @@
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
@@ -319,8 +323,10 @@
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 2887740..a893cdb 100644
--- a/public/su.te
+++ b/public/su.te
@@ -90,6 +90,7 @@
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secretkeeper_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
diff --git a/public/te_macros b/public/te_macros
index d2f4406..6d7533a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -186,13 +186,13 @@
# Transition to virtualizationmanager when the client executes it.
domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
# Allow virtualizationmanager to communicate over UDS with the client.
-allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { ioctl getattr read write };
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
allow { virtualizationmanager crosvm } $1:fd use;
# Let the client use file descriptors created by virtualizationmanager.
allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
-allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { ioctl getattr read write };
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
# that it created. Notice that we do not grant permission to create a vsock;
# the client can only connect to VMs that it owns.
diff --git a/public/update_engine.te b/public/update_engine.te
index f879013..6f79902 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -73,3 +73,7 @@
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')
+
+# Allow determining filesystems available on system.
+# Needed for checking if overlayfs is enabled
+allow update_engine proc_filesystems:file r_file_perms;
diff --git a/public/vold.te b/public/vold.te
index c0fdf50..ad6ef83 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -338,6 +338,7 @@
neverallow vold {
domain
-hal_health_storage_server
+ -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 3c51b67..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,10 +59,11 @@
Matcher = Is | Glob | Regex
@dataclass
-class AllowRead:
- """Rule checking if scontext can read the entity"""
+class AllowPerm:
+ """Rule checking if scontext has 'perm' to the entity"""
tclass: str
scontext: set[str]
+ perm: str
@dataclass
@@ -71,7 +72,12 @@
pass
-Rule = AllowRead | ResolveType
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+ return AllowPerm(tclass, scontext, 'read')
def match_path(path: str, matcher: Matcher) -> bool:
@@ -89,17 +95,17 @@
"""Returns error message if scontext can't read the target"""
errors = []
match rule:
- case AllowRead(tclass, scontext):
+ case AllowPerm(tclass, scontext, perm):
# Test every source in scontext(set)
for s in scontext:
te_rules = list(pol.QueryTERule(scontext={s},
tcontext={tcontext},
tclass={tclass},
- perms={'read'}))
+ perms={perm}))
if len(te_rules) > 0:
continue # no errors
- errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
case ResolveType():
if tcontext not in pol.GetAllTypes(False):
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
@@ -122,7 +128,7 @@
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
- (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
# linker.config.pb
(Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 6e719ed..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -96,7 +96,7 @@
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
r'Error: .*linkerconfig.* can\'t read')
self.assert_error('./ u:object_r:apex_data_file:s0',
- r'Error: .*linkerconfig.* can\'t read')
+ r'Error: .*linkerconfig.* can\'t search')
def test_unknown_label(self):
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
index 68511ce..13a7b99 100644
--- a/tests/check_prop_prefix.py
+++ b/tests/check_prop_prefix.py
@@ -76,7 +76,7 @@
print('%d violations found:' % len(violations))
print('\n'.join(violations))
print('******************************')
- print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print("vendor's and odm's property_contexts MUST use ONLY vendor-prefixed properties.")
print('This is enforced by VTS, so please fix such offending properties.')
if args.allowed_property_prefix:
print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
diff --git a/tests/policy.py b/tests/policy.py
index 8fc2ef7..98133b7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -146,9 +146,9 @@
# DoNotMatchPrefix have the attribute Attr.
# For example assert that all types in /sys, and not in /sys/kernel/debugfs
# have the sysfs_type attribute.
- def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesPol = self.QueryTypeAttribute(Attr, True) | set(ExcludedTypes)
# Search file_contexts to find paths/types that should be associated with
# Attr.
PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 4ef161b..1df8231 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -190,6 +190,7 @@
"hal_graphics_allocator_hwservice":["hwservice_manager"],
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_graphics_mapper_service":["service_manager"],
"hal_neuralnetworks": ["binder", "fd"],
"hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
@@ -265,6 +266,22 @@
"\"-isolated_app_all\". Violations are shown as the following: \n") + ret
return ret
+def TestDevTypeViolations(pol):
+ exceptions = [
+ "/dev/socket",
+ ]
+ exceptionTypes = [
+ "boringssl_self_test_marker", # /dev/boringssl/selftest
+ "cgroup_rc_file", # /dev/cgroup.rc
+ "dev_cpu_variant", # /dev/cpu_variant:{arch}
+ "fscklogs", # /dev/fscklogs
+ "properties_serial", # /dev/__properties__/properties_serial
+ "property_info", # /dev/__properties__/property_info
+ "runtime_event_log_tags_file", # /dev/event-log-tags
+ ]
+ return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
+ "dev_type", exceptionTypes)
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -298,6 +315,7 @@
"TestCoredomainViolations",
"TestViolatorAttributes",
"TestIsolatedAttributeConsistency",
+ "TestDevTypeViolations",
]
def do_main(libpath):
@@ -366,6 +384,10 @@
if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
results += TestIsolatedAttributeConsistency(test_policy)
+ # dev type test won't be run as default
+ if options.test and "TestDevTypeViolations" in options.test:
+ results += TestDevTypeViolations(pol)
+
if len(results) > 0:
sys.exit(results)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5bae6c5..60e0339 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -19,6 +19,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -28,12 +31,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio-service.default u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
@@ -76,6 +79,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service u:object_r:hal_macsec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
@@ -99,6 +103,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure u:object_r:hal_secretkeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
@@ -126,6 +131,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant_macsec u:object_r:wpa_supplicant_macsec_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
@@ -169,7 +175,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 66ce40c..3d608cd 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -7,4 +7,9 @@
# android.frameworks.sensorservice through libsensorndkbridge
allow hal_face_default fwk_sensor_service:service_manager find;
-set_prop(hal_face_default, virtual_face_hal_prop)
+# virtual_face_hal_prop is only for debuggable builds
+userdebug_or_eng(`set_prop(hal_face_default, virtual_face_hal_prop)');
+neverallow { domain -init -dumpstate userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:property_service set;
+
+
diff --git a/vendor/hal_macsec_default.te b/vendor/hal_macsec_default.te
new file mode 100644
index 0000000..19b3d16
--- /dev/null
+++ b/vendor/hal_macsec_default.te
@@ -0,0 +1,8 @@
+type hal_macsec_default, domain;
+hal_server_domain(hal_macsec_default, hal_macsec)
+
+type hal_macsec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_macsec_default)
+
+# Allow registering with service manager.
+binder_call(hal_macsec_default, servicemanager)
diff --git a/vendor/hal_secretkeeper_default.te b/vendor/hal_secretkeeper_default.te
new file mode 100644
index 0000000..50f4ac1
--- /dev/null
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)
diff --git a/vendor/wpa_supplicant_macsec.te b/vendor/wpa_supplicant_macsec.te
new file mode 100644
index 0000000..1b90ac7
--- /dev/null
+++ b/vendor/wpa_supplicant_macsec.te
@@ -0,0 +1,28 @@
+# wpa supplicant macsec or equivalent
+type wpa_supplicant_macsec, domain;
+type wpa_supplicant_macsec_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(wpa_supplicant_macsec)
+
+net_domain(wpa_supplicant_macsec)
+
+# Allow wpa_supplicant to configure nl80211
+allow wpa_supplicant_macsec proc_net_type:file write;
+
+# in addition to ioctls allowlisted for all domains, grant wpa_supplicant_macsec priv_sock_ioctls.
+allowxperm wpa_supplicant_macsec self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(wpa_supplicant_macsec, sysfs_type)
+r_dir_file(wpa_supplicant_macsec, proc_net_type)
+
+allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow wpa_supplicant_macsec cgroup:dir create_dir_perms;
+allow wpa_supplicant_macsec cgroup_v2:dir create_dir_perms;
+allow wpa_supplicant_macsec self:netlink_route_socket nlmsg_write;
+allow wpa_supplicant_macsec self:netlink_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:packet_socket create_socket_perms;
+allowxperm wpa_supplicant_macsec self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+binder_use(wpa_supplicant_macsec)
+hal_client_domain(wpa_supplicant_macsec, hal_macsec)
+