Merge "Revert^2 "Relax neverallows for vendor to use /system/bin/sh"" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f75312a..3c02a3d 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -653,6 +653,9 @@
 
 /oem                                                              oemfs
 /oem/does_not_exist                                               oemfs
+/oem/media/bootanimation.zip                                      bootanim_oem_file
+/oem/media/shutdownanimation.zip                                  bootanim_oem_file
+/oem/media/userspace-reboot.zip                                   bootanim_oem_file
 /oem/overlay                                                      vendor_overlay_file
 /oem/overlay/does_not_exist                                       vendor_overlay_file
 
@@ -1215,6 +1218,12 @@
 
 /metadata                                                         metadata_file
 /metadata/test                                                    metadata_file
+/metadata/aconfig                                                 aconfig_storage_metadata_file
+/metadata/aconfig/test                                            aconfig_storage_metadata_file
+/metadata/aconfig/flags                                           aconfig_storage_flags_metadata_file
+/metadata/aconfig/flags/test                                      aconfig_storage_flags_metadata_file
+/metadata/aconfig/boot                                            aconfig_storage_metadata_file
+/metadata/aconfig/boot/test                                       aconfig_storage_metadata_file
 /metadata/apex                                                    apex_metadata_file
 /metadata/apex/test                                               apex_metadata_file
 /metadata/vold                                                    vold_metadata_file
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5ea924a..ab8b8d5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,6 +258,9 @@
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
 
+# Only privileged apps may find stats service
+neverallow all_untrusted_apps stats_service:service_manager find;
+
 # Do not allow untrusted app to read hidden system proprerties.
 # We do not include in the exclusions other normally untrusted applications such as mediaprovider
 #  due to the specific logging use cases.
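Review bot: The new rule `neverallow all_untrusted_apps stats_service:service_manager find;` is much narrower than the block this commit deletes from private/stats.te (`neverallow { domain -dumpstate ... -traced_probes } stats_service:service_manager find;`), which denied find to every domain outside an explicit allowlist. After this change any non-app domain can be granted access to stats_service without a neverallow catching it, so the allowlist stops being enforced at policy build time. If that widening is intended, the description should say why; otherwise keep a domain-wide rule with an explicit exception list here alongside the untrusted-app rule.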
diff --git a/private/audioserver.te b/private/audioserver.te
index 7a5e8bc..74d5e88 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -105,3 +105,4 @@
 
 # Allow reading audio config props, e.g. af.fast_track_multiplier
 get_prop(audioserver, audio_config_prop)
+get_prop(audioserver, system_audio_config_prop)
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 595d53e..7d80433 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -2099,7 +2099,7 @@
 (typeattributeset null_device_34_0 (null_device))
 (typeattributeset oem_lock_service_34_0 (oem_lock_service))
 (typeattributeset oem_unlock_prop_34_0 (oem_unlock_prop))
-(typeattributeset oemfs_34_0 (oemfs))
+(typeattributeset oemfs_34_0 (oemfs bootanim_oem_file))
 (typeattributeset ondevicepersonalization_system_service_34_0 (ondevicepersonalization_system_service))
 (typeattributeset ota_data_file_34_0 (ota_data_file))
 (typeattributeset ota_metadata_file_34_0 (ota_metadata_file))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1de001e..351d647 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -43,4 +43,6 @@
     vendor_microdroid_file
     threadnetwork_config_prop
     profiling_service
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
   ))
diff --git a/private/file_contexts b/private/file_contexts
index cba5660..3a65d81 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -457,6 +457,9 @@
 
 /oem(/.*)?              u:object_r:oemfs:s0
 /oem/overlay(/.*)?      u:object_r:vendor_overlay_file:s0
+/oem/media/bootanimation.zip            u:object_r:bootanim_oem_file:s0
+/oem/media/shutdownanimation.zip        u:object_r:bootanim_oem_file:s0
+/oem/media/userspace-reboot.zip         u:object_r:bootanim_oem_file:s0
 
 # The precompiled monolithic sepolicy will be under /odm only when
 # BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
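Review bot: The three new entries leave the `.` in `bootanimation.zip`, `shutdownanimation.zip` and `userspace-reboot.zip` unescaped; file_contexts entries are regular expressions, so a path such as `/oem/media/bootanimation_zip` would also be labelled bootanim_oem_file instead of staying oemfs. The usual convention in these files is to escape literal dots, so write `/oem/media/bootanimation\.zip            u:object_r:bootanim_oem_file:s0` and likewise for the other two. The accompanying entries in contexts/plat_file_contexts_test only exercise the exact paths and would not catch this.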
@@ -855,6 +858,8 @@
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
 /metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
+/metadata/aconfig(/.*)?    u:object_r:aconfig_storage_metadata_file:s0
+/metadata/aconfig/flags(/.*)?    u:object_r:aconfig_storage_flags_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 297a876..5638543 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -25,15 +25,14 @@
 allow gpuservice graphics_device:dir search;
 allow gpuservice graphics_device:chr_file rw_file_perms;
 
-# Needed for dumpsys pipes.
-allow gpuservice shell:fifo_file write;
+# Allow shell access
+allow gpuservice adbd:fd use;
+allow gpuservice adbd:unix_stream_socket { getattr read write };
+allow gpuservice shell:fifo_file { getattr read write };
 
 # Needed for perfetto producer.
 perfetto_producer(gpuservice)
 
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow gpuservice adbd:unix_stream_socket { read write getattr };
-
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
 
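Review bot: The replacement comment `# Allow shell access` is less informative than the two it replaces (`# Needed for dumpsys pipes.` and `# Use socket supplied by adbd, for cmd gpu vkjson etc.`), and the newly granted `adbd:fd use` and `read` on `shell:fifo_file` have no stated reason at all. Keep the purpose with the rules, e.g. `# Needed for dumpsys pipes and for cmd gpu (vkjson etc.) over the socket and fd supplied by adbd.` Without it the next reader cannot tell which of the three rules can be dropped if the dumpsys or cmd path changes.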
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7ad8feb..064d0d9 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -73,3 +73,6 @@
 # bpfprog access for FUSE BPF
 allow mediaprovider_app fs_bpf:file read;
 allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
+
+# boot animations on oem are stored with specific label
+allow mediaprovider_app bootanim_oem_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 38e69bb..d21df55 100644
--- a/private/property.te
+++ b/private/property.te
@@ -44,6 +44,7 @@
 system_internal_prop(setupwizard_prop)
 system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
+system_internal_prop(system_audio_config_prop)
 system_internal_prop(timezone_metadata_prop)
 system_internal_prop(traced_perf_enabled_prop)
 system_internal_prop(uprobestats_start_with_config_prop)
diff --git a/private/property_contexts b/private/property_contexts
index c5f679e..568bdc1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -418,6 +418,11 @@
 # USB devices can be connected to audio system at a certain time
 ro.audio.multi_usb_mode u:object_r:audio_config_prop:s0 exact bool
 
+# Boolean property used in libaudiohal@aidl to check if the SoC vendor
+# provides an implementation of IHalAdapterVendorExtension interface.
+# See b/323989070 for the discussion why this approach was chosen.
+ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
+
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
 config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
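Review bot: `ro.audio.ihaladaptervendorextension_enabled` is typed `system_audio_config_prop`, which private/property.te declares via `system_internal_prop(...)`, yet the comment says the value reflects whether the SoC vendor provides an IHalAdapterVendorExtension implementation. As far as I recall a system_internal_prop cannot be set by vendor_init, so if the intent is for the vendor's build.prop to define this value it would be rejected; confirm it is meant to be set from the system image's build properties and record that, e.g. `# Set from the system image, not by vendor_init (system_internal_prop).`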
diff --git a/private/stats.te b/private/stats.te
index 5790faa..6261303 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -33,28 +33,3 @@
 # Allow statsd to call back to stats with status updates.
 binder_call(statsd, stats)
 
-###
-### neverallow rules
-###
-
-neverallow {
-  domain
-  -dumpstate
-  -gmscore_app
-  -gpuservice
-  -incidentd
-  -keystore
-  -mediametrics
-  -mediaserver
-  -platform_app
-  -priv_app
-  -rkpdapp
-  -shell
-  -stats
-  -statsd
-  -surfaceflinger
-  -system_app
-  -system_server
-  -traceur_app
-  -traced_probes
-} stats_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index e5ade71..b58315d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1456,6 +1456,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
+allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
 
@@ -1512,6 +1515,11 @@
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
 
+# Only system server should access /metadata/aconfig
+# TODO: add storage daemon to neverallow exception when it is introduced
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }
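Review bot: The comment `# Only system server should access /metadata/aconfig` overstates what the two neverallows below it enforce: they cover only aconfig_storage_flags_metadata_file (/metadata/aconfig/flags per private/file_contexts), while /metadata/aconfig itself is labelled aconfig_storage_metadata_file and is made world-readable in public/domain.te. Make the comment match the rule, e.g. `# Only system_server may access the persistent flag values under /metadata/aconfig/flags`. Note also that system_server needs `search` on the parent aconfig_storage_metadata_file directory to reach /metadata/aconfig/flags, and the `neverallow { domain -init } aconfig_storage_metadata_file:dir *;` added in public/domain.te exempts only init.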
diff --git a/public/bootanim.te b/public/bootanim.te
index a9616b7..239393c 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,7 +17,9 @@
 allow bootanim sysfs_gpu:file r_file_perms;
 
 # /oem access
-r_dir_file(bootanim, oemfs);
+allow bootanim oemfs:dir r_dir_perms;
+# boot animations on oem are stored with specific label
+allow bootanim bootanim_oem_file:file r_file_perms;
 
 allow bootanim audio_device:dir r_dir_perms;
 allow bootanim audio_device:chr_file rw_file_perms;
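Review bot: Replacing `r_dir_file(bootanim, oemfs)` with `allow bootanim oemfs:dir r_dir_perms;` drops bootanim's read access to files labelled oemfs, so bootanim can now read the animation zips only if they actually carry the new bootanim_oem_file label. On a device where /oem is mounted with a `context=u:object_r:oemfs:s0` option (oemfs is a contextmount type elsewhere in this policy, as far as I recall), file_contexts entries are not applied and the zips stay oemfs, which would turn this into a boot-animation regression. Either keep `allow bootanim oemfs:file r_file_perms;` for that case or state in the commit that all supported /oem mounts honour file_contexts labels.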
diff --git a/public/domain.te b/public/domain.te
index 030e8a9..755b4b2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -341,6 +341,12 @@
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
 
+# Allow everyone to read from flag value boot snapshot files and general pb files
+# The boot copy of the flag value files serves flag read traffic for all processes, thus
+# needs to be readable by everybody. Also, the metadata directory will contain pb file
+# that records where flag storage files are, so also needs to be readable by everbody.
+allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
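Review bot: `allow domain { aconfig_storage_metadata_file }:file r_file_perms;` in this hunk is not usable by path, because the next hunk adds `neverallow { domain -init } aconfig_storage_metadata_file:dir *;`, which forbids even `search` on /metadata/aconfig and /metadata/aconfig/boot to every domain except init, and no `:dir search` is granted to domain here. Opening the boot snapshot or pb files requires traversing those directories, so the world-read intent in the comment cannot be met as written, and system_server is likewise blocked from reaching /metadata/aconfig/flags. Grant `allow domain aconfig_storage_metadata_file:dir search;` next to the file rule and narrow the neverallow to `neverallow { domain -init } aconfig_storage_metadata_file:dir no_w_dir_perms;`. The comment also has a typo, `everbody` → `everybody`.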
@@ -623,6 +629,11 @@
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
+# Do not allow write access to the general aconfig pb file and boot flag value files except init
+# TODO: need to add storage daemon into this exception list once it is created
+neverallow { domain -init } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
+
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
diff --git a/public/file.te b/public/file.te
index 32c0cd8..209fdb1 100644
--- a/public/file.te
+++ b/public/file.te
@@ -229,6 +229,8 @@
 type linkerconfig_file, file_type;
 # Control files under /data/incremental
 type incremental_control_file, file_type, data_file_type, core_data_file_type;
+# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
+type bootanim_oem_file, file_type, system_file_type;
 
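Review bot: `type bootanim_oem_file, file_type, system_file_type;` attaches system_file_type to files that live under /oem, whereas the existing /oem label oemfs is, as far as I can tell, not a system_file_type, and the comment above only lists the paths. Every domain-wide allow and neverallow keyed on system_file_type now applies to these /oem zips as well, which may or may not be intended. Add the reason to the comment, e.g. `# Boot/shutdown animation zips under /oem/media; system_file_type because <reason>`.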
 # Default type for directories search for
 # HAL implementations
@@ -295,6 +297,10 @@
 type watchdog_metadata_file, file_type;
 # Repair mode files within /metadata/repair-mode
 type repair_mode_metadata_file, file_type;
+# Aconfig storage file
+type aconfig_storage_metadata_file, file_type;
+# Aconfig storage flag value persistent copy
+type aconfig_storage_flags_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
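Review bot: The comments `# Aconfig storage file` and `# Aconfig storage flag value persistent copy` do not say where the files live or who may touch them, although the rest of this commit fixes both. Mirror the neighbouring entries (`# Repair mode files within /metadata/repair-mode`), e.g. `# Aconfig flag storage metadata and boot snapshot of flag values within /metadata/aconfig (readable by all domains, written only by init)` and `# Persistent copy of aconfig flag values within /metadata/aconfig/flags (system_server only)`.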
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 367012c..9b86c86 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -98,6 +98,9 @@
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /oem boot animation file
+allow mediaserver bootanim_oem_file:file r_file_perms;
+
 # /vendor apk access
 allow mediaserver vendor_app_file:file { read map getattr };
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a9d1b5d..7a74e7c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -62,6 +62,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -83,6 +85,8 @@
   -apex_metadata_file
   -apex_info_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
@@ -101,6 +105,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -119,6 +125,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -136,6 +144,8 @@
   -gsi_metadata_file_type
   -apex_metadata_file
   -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;