Merge "selinux setup for files under /metadata/aconfig dir" into main
diff --git a/Android.bp b/Android.bp
index 88107cc..1d8e5dd 100644
--- a/Android.bp
+++ b/Android.bp
@@ -337,6 +337,36 @@
     product_specific: true,
 }
 
+// HACK to support vendor blobs using 1000000.0
+// TODO(b/314010177): remove after new ToT (202404) fully propagates
+se_versioned_policy {
+    name: "plat_mapping_file_1000000.0",
+    base: ":plat_pub_policy.cil",
+    mapping: true,
+    version: "1000000.0",
+    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+}
+
+se_versioned_policy {
+    name: "system_ext_mapping_file_1000000.0",
+    base: ":system_ext_pub_policy.cil",
+    mapping: true,
+    version: "1000000.0",
+    filter_out: [":plat_mapping_file"],
+    relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
+    system_ext_specific: true,
+}
+
+se_versioned_policy {
+    name: "product_mapping_file_1000000.0",
+    base: ":pub_policy.cil",
+    mapping: true,
+    version: "1000000.0",
+    filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
+    relative_install_path: "mapping", // install to /product/etc/selinux/mapping
+    product_specific: true,
+}
+
 //////////////////////////////////
 // vendor/odm sepolicy
 //////////////////////////////////
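Review bot: The three `1000000.0` mapping modules are defined unconditionally here, while the Android.mk side of this commit only requires them when BOARD_API_LEVEL_FROZEN is not `true`, and nothing in these comments records that coupling. I'd extend the HACK comment above `plat_mapping_file_1000000.0` (and the other two) with `// Only pulled into LOCAL_REQUIRED_MODULES by Android.mk when BOARD_API_LEVEL_FROZEN != true`. The version string `1000000.0` also appears repeatedly without explanation; if it is the ToT placeholder version, one comment saying so where the first module is defined would save the reader a lookup.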
diff --git a/Android.mk b/Android.mk
index 2e327c2..37acb75 100644
--- a/Android.mk
+++ b/Android.mk
@@ -210,6 +210,12 @@
     plat_sepolicy.cil \
     secilc \
 
+# HACK to support vendor blobs using 1000000.0
+# TODO(b/314010177): remove after new ToT (202404) fully propagates
+ifneq (true,$(BOARD_API_LEVEL_FROZEN))
+LOCAL_REQUIRED_MODULES += plat_mapping_file_1000000.0
+endif
+
 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
 endif
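Review bot: The same five-line gated block is pasted three times in this file (here and in the system_ext and product hunks below), and the condition is spelled `ifneq (true,$(BOARD_API_LEVEL_FROZEN))` while the se_freeze_test hunk writes it as `ifeq ($(BOARD_API_LEVEL_FROZEN),true)`; pick one operand order for the file. The `ifneq` form also fires when BOARD_API_LEVEL_FROZEN is unset or empty, so the fallback mapping is installed on every board that has not explicitly frozen, not only on boards that declare themselves unfrozen. If that is intended, the comment should say it, e.g. `# Installed unless the board API level is explicitly frozen (BOARD_API_LEVEL_FROZEN=true)`; the same wording applies at the two later hunks.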
@@ -248,10 +254,10 @@
 endif  # SELINUX_IGNORE_NEVERALLOWS
 endif  # with_asan
 
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ifeq ($(BOARD_API_LEVEL_FROZEN),true)
 LOCAL_REQUIRED_MODULES += \
     se_freeze_test
-endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+endif
 
 include $(BUILD_PHONY_PACKAGE)
 
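Review bot: The rewritten `endif` drops the trailing `# ...` tag that the rest of this file keeps on its conditionals (see `endif  # with_asan` a few lines up), so `endif  # BOARD_API_LEVEL_FROZEN` would preserve the style. The gate for se_freeze_test also changes meaning, from "platform sepolicy version differs from ToT" to "board API level frozen", and nothing in the hunk explains why the second condition is the right replacement for the first. A one-line comment above the `ifeq`, e.g. `# The freeze test only applies once the board API level, and with it the sepolicy version, is frozen`, would document that — I am inferring the relationship from the variable names, so confirm it before wording the comment as fact.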
@@ -278,6 +284,12 @@
 LOCAL_REQUIRED_MODULES += \
     system_ext_mapping_file
 
+# HACK to support vendor blobs using 1000000.0
+# TODO(b/314010177): remove after new ToT (202404) fully propagates
+ifneq (true,$(BOARD_API_LEVEL_FROZEN))
+LOCAL_REQUIRED_MODULES += system_ext_mapping_file_1000000.0
+endif
+
 system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
 
 LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -326,6 +338,12 @@
 LOCAL_REQUIRED_MODULES += \
     product_mapping_file
 
+# HACK to support vendor blobs using 1000000.0
+# TODO(b/314010177): remove after new ToT (202404) fully propagates
+ifneq (true,$(BOARD_API_LEVEL_FROZEN))
+LOCAL_REQUIRED_MODULES += product_mapping_file_1000000.0
+endif
+
 product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
 
 LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
diff --git a/private/app.te b/private/app.te
index b5bb474..1ef6ceb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -146,6 +146,9 @@
 r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
 allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
 
+# Allow apps to read microdroid related files in vendor partition for CTS purpose.
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_microdroid_file)
+
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
 
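Review bot: The new `r_dir_file` grants every app domain except isolated, ephemeral and sdk_sandbox apps read access to `vendor_microdroid_file`, and the comment justifies a permanent production allow rule with "for CTS purpose". Since CTS tests run in the ordinary untrusted_app domain there may be no narrower domain to target, but the comment should state that and say what the files are, e.g. `# CTS runs as untrusted_app, so app domains need read access to microdroid files in /vendor; contents are non-sensitive (confirm)`. If the contents are not all safe to expose to untrusted apps — the hunk does not show what the type labels — a dedicated type for the subset CTS needs would keep the grant minimal.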
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5ea924a..ab8b8d5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,6 +258,9 @@
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
 
+# Only privileged apps may find stats service
+neverallow all_untrusted_apps stats_service:service_manager find;
+
 # Do not allow untrusted app to read hidden system proprerties.
 # We do not include in the exclusions other normally untrusted applications such as mediaprovider
 #  due to the specific logging use cases.
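Review bot: The new `neverallow all_untrusted_apps stats_service:service_manager find;` is strictly narrower than the rule this commit removes from private/stats.te, which forbade every domain except an explicit allowlist (dumpstate, gmscore_app, gpuservice, keystore and the others listed there); after this change any non-app platform domain can be granted `find` on stats_service without tripping a neverallow. If that relaxation is intended, the comment should say so instead of echoing the incident_service wording, e.g. `# Untrusted apps may not find stats service; other domains are constrained only by their allow rules.` If it is not intended, keep a `neverallow { domain -<allowlist> } stats_service:service_manager find;` form alongside this one so the platform-side guarantee is not silently lost.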
diff --git a/private/stats.te b/private/stats.te
index 5790faa..6261303 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -33,28 +33,3 @@
 # Allow statsd to call back to stats with status updates.
 binder_call(statsd, stats)
 
-###
-### neverallow rules
-###
-
-neverallow {
-  domain
-  -dumpstate
-  -gmscore_app
-  -gpuservice
-  -incidentd
-  -keystore
-  -mediametrics
-  -mediaserver
-  -platform_app
-  -priv_app
-  -rkpdapp
-  -shell
-  -stats
-  -statsd
-  -surfaceflinger
-  -system_app
-  -system_server
-  -traceur_app
-  -traced_probes
-} stats_service:service_manager find;