Merge "Remove mounton from app and web zygote" into main
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 83d081a..14b68ad 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -6,6 +6,7 @@
 /bin/art_exec                  u:object_r:art_exec_exec:s0
 /bin/artd                      u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)?           u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup       u:object_r:dexopt_chroot_setup_exec:s0
 /bin/dexoptanalyzer            u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh                 u:object_r:odrefresh_exec:s0
 /bin/profman                   u:object_r:profman_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a3fc35d..3af8dc2 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -6,6 +6,7 @@
 /bin/art_exec                  u:object_r:art_exec_exec:s0
 /bin/artd                      u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup       u:object_r:dexopt_chroot_setup_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh                 u:object_r:odrefresh_exec:s0
 /bin/profman(d)?               u:object_r:profman_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7f1f0be..726f0ab 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -199,7 +199,8 @@
 		"gsiservice":                                                      EXCEPTION_NO_FUZZER,
 		"appops":                                                          EXCEPTION_NO_FUZZER,
 		"appwidget":                                                       EXCEPTION_NO_FUZZER,
-		"artd":                                                            EXCEPTION_NO_FUZZER,
+		"artd":                                                            []string{"artd_fuzzer"},
+		"artd_pre_reboot":                                                 []string{"artd_fuzzer"},
 		"assetatlas":                                                      EXCEPTION_NO_FUZZER,
 		"attention":                                                       EXCEPTION_NO_FUZZER,
 		"audio":                                                           EXCEPTION_NO_FUZZER,
@@ -234,6 +235,7 @@
 		"content_capture":                                                 EXCEPTION_NO_FUZZER,
 		"content_suggestions":                                             EXCEPTION_NO_FUZZER,
 		"contexthub":                                                      EXCEPTION_NO_FUZZER,
+		"contextual_search":                                               EXCEPTION_NO_FUZZER,
 		"country_detector":                                                EXCEPTION_NO_FUZZER,
 		"coverage":                                                        EXCEPTION_NO_FUZZER,
 		"cpuinfo":                                                         EXCEPTION_NO_FUZZER,
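Review bot: contextual_search is added with EXCEPTION_NO_FUZZER although public/service.te in this same change declares contextual_search_service as app_api_service, i.e. a binder surface reachable from untrusted app domains; profiling_service and sensitive_content_protection_service in the two later hunks of this file are in the same position. The exception list exists to enforce that every new service ships with a fuzzer, so app-reachable services are exactly the entries where an exception costs the most. If the fuzzers are owned elsewhere, a trailing comment naming the tracking bug, e.g. `"contextual_search": EXCEPTION_NO_FUZZER, // TODO(b/<bug-id>): add fuzzer`, keeps the exception from becoming permanent.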
@@ -250,6 +252,7 @@
 		"device_lock":                                                     EXCEPTION_NO_FUZZER,
 		"device_state":                                                    EXCEPTION_NO_FUZZER,
 		"devicestoragemonitor":                                            EXCEPTION_NO_FUZZER,
+		"dexopt_chroot_setup":                                             []string{"dexopt_chroot_setup_fuzzer"},
 		"diskstats":                                                       EXCEPTION_NO_FUZZER,
 		"display":                                                         EXCEPTION_NO_FUZZER,
 		"dnsresolver":                                                     []string{"resolv_service_fuzzer"},
@@ -380,6 +383,7 @@
 		"processinfo":                  EXCEPTION_NO_FUZZER,
 		"procstats":                    EXCEPTION_NO_FUZZER,
 		"profcollectd":                 EXCEPTION_NO_FUZZER,
+		"profiling_service":            EXCEPTION_NO_FUZZER,
 		"radio.phonesubinfo":           EXCEPTION_NO_FUZZER,
 		"radio.phone":                  EXCEPTION_NO_FUZZER,
 		"radio.sms":                    EXCEPTION_NO_FUZZER,
@@ -406,6 +410,7 @@
 		"security_state":               EXCEPTION_NO_FUZZER,
 		"sec_key_att_app_id_provider":  EXCEPTION_NO_FUZZER,
 		"selection_toolbar":            EXCEPTION_NO_FUZZER,
+		"sensitive_content_protection_service": EXCEPTION_NO_FUZZER,
 		"sensorservice":                EXCEPTION_NO_FUZZER,
 		"sensor_privacy":               EXCEPTION_NO_FUZZER,
 		"serial":                       EXCEPTION_NO_FUZZER,
diff --git a/private/artd.te b/private/artd.te
index acab397..f8e79fb 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,6 +7,7 @@
 # Allow artd to publish a binder service and make binder calls.
 binder_use(artd)
 add_service(artd, artd_service)
+add_service(artd, artd_pre_reboot_service)
 allow artd dumpstate:fifo_file { getattr write };
 allow artd dumpstate:fd use;
 
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index b9dfe5a..1de001e 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -6,12 +6,16 @@
 (typeattributeset new_objects
   ( new_objects
     archive_service
+    artd_pre_reboot_service
+    contextual_search_service
+    dexopt_chroot_setup_service
     dtbo_block_device
     ota_build_prop
     snapuserd_log_data_file
     fwk_vibrator_control_service
     ecm_enhanced_confirmation_service
     hal_authgraph_service
+    hal_graphics_mapper_service
     hal_secretkeeper_service
     hal_codec2_service
     hal_macsec_service
@@ -25,6 +29,7 @@
     pm_archiving_enabled_prop
     remote_auth_service
     security_state_service
+    sensitive_content_protection_service
     setupwizard_mode_prop
     sysfs_sync_on_suspend
     tv_ad_service
@@ -37,4 +42,5 @@
     proc_percpu_pagelist_high_fraction
     vendor_microdroid_file
     threadnetwork_config_prop
+    profiling_service
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index 6cd3969..6ad3727 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -45,6 +45,15 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
+# When running a VM as root we get spurious capability denials.
+# Suppress them.
+userdebug_or_eng(`
+  dontaudit crosvm self:capability ipc_lock;
+')
+
+# Allow crosvm to tune for performance.
+allow crosvm self:global_capability_class_set sys_nice;
+
 # Let crosvm access its control socket as created by VS.
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
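Review bot: The dontaudit on line 130 uses class `capability` while the allow three lines below uses `global_capability_class_set`; if the spurious ipc_lock denial is raised inside a user namespace it is reported against `cap_userns` and would still be logged. Using the same class set in both, `dontaudit crosvm self:global_capability_class_set ipc_lock;`, is the consistent form. Since the suppression is limited to userdebug_or_eng the denial stays audited on user builds, which the comment should state if that is the intent. The `sys_nice` grant applies to all builds, and "tune for performance" could name the scheduling change that needs it so the grant can be revisited later.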
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
new file mode 100644
index 0000000..f7bd17a
--- /dev/null
+++ b/private/dexopt_chroot_setup.te
@@ -0,0 +1,23 @@
+type dexopt_chroot_setup, domain, coredomain;
+type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
+type dexopt_chroot_setup_tmpfs, file_type;
+
+# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
+binder_use(dexopt_chroot_setup)
+add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
+allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
+allow dexopt_chroot_setup dumpstate:fd use;
+
+init_daemon_domain(dexopt_chroot_setup)
+
+# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
+# processes.
+tmpfs_domain(dexopt_chroot_setup)
+
+# libart (mark_compact.cc) has some intialization code that touches the cache
+# info file and userfaultfd.
+allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
+r_dir_file(dexopt_chroot_setup, apex_art_data_file)
+userfaultfd_use(dexopt_chroot_setup)
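Review bot: The new domain has no header comment saying what the daemon does or why it is a separate domain from artd, whose binder/dumpstate block (lines 149-153) it mirrors verbatim, while the name suggests chroot/mount privileges that this file does not grant; a one-line purpose comment above line 145 describing the daemon's role and noting that only the binder and libart initialization rules are granted here would tell a reader whether that is deliberate. Presumably it pairs with the artd_pre_reboot service added in the same change, but the file should say so rather than leave it to inference. Also `intialization` on line 163 should read `initialization`.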
diff --git a/private/property_contexts b/private/property_contexts
index aa15633..c5f679e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -410,6 +410,9 @@
 # Boolean property used in AudioService to configure whether
 # to enable head tracking for spatial audio
 ro.audio.headtracking_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioPolicyManager to configure whether
+# to enable spatialization for stereo channel mask
+ro.audio.stereo_spatialization_enabled u:object_r:audio_config_prop:s0 exact bool
 
 # Boolean property used in UsbAlsaManager to decide if only one or multiple
 # USB devices can be connected to audio system at a certain time
@@ -1152,7 +1155,7 @@
 ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
 ro.board.api_level       u:object_r:build_vendor_prop:s0 exact int
 ro.board.api_frozen      u:object_r:build_vendor_prop:s0 exact bool
-ro.llndk.api_level       u:object_r:build_vendor_prop:s0 exact int
+ro.llndk.api_level       u:object_r:build_prop:s0 exact int
 ro.vendor.api_level      u:object_r:build_vendor_prop:s0 exact int
 
 # Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
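Review bot: The relabel of ro.llndk.api_level from build_vendor_prop to build_prop on line 187 changes which init context may set it, yet the property still sits in the ro.board.*/ro.vendor.* group and nothing in the hunk explains why it now differs from its neighbours. If the value is now produced from the system image's build.prop rather than the vendor one, a comment on the preceding line, e.g. `# ro.llndk.api_level is set from the system build.prop, hence build_prop rather than build_vendor_prop`, would stop the next reader from "fixing" it back.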
diff --git a/private/service_contexts b/private/service_contexts
index 863ffde..82af95e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -179,6 +179,7 @@
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 artd                                      u:object_r:artd_service:s0
+artd_pre_reboot                           u:object_r:artd_pre_reboot_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
@@ -214,6 +215,7 @@
 content_capture                           u:object_r:content_capture_service:s0
 content_suggestions                       u:object_r:content_suggestions_service:s0
 contexthub                                u:object_r:contexthub_service:s0
+contextual_search                         u:object_r:contextual_search_service:s0
 country_detector                          u:object_r:country_detector_service:s0
 coverage                                  u:object_r:coverage_service:s0
 cpuinfo                                   u:object_r:cpuinfo_service:s0
@@ -229,6 +231,7 @@
 device_lock                               u:object_r:devicelock_service:s0
 device_state                              u:object_r:device_state_service:s0
 devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
+dexopt_chroot_setup                       u:object_r:dexopt_chroot_setup_service:s0
 diskstats                                 u:object_r:diskstats_service:s0
 display                                   u:object_r:display_service:s0
 dnsresolver                               u:object_r:dnsresolver_service:s0
@@ -355,6 +358,7 @@
 pinner                                    u:object_r:pinner_service:s0
 powerstats                                u:object_r:powerstats_service:s0
 power                                     u:object_r:power_service:s0
+profiling_service                         u:object_r:profiling_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
 procstats                                 u:object_r:procstats_service:s0
@@ -385,6 +389,7 @@
 sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 security_state                            u:object_r:security_state_service:s0
 selection_toolbar                         u:object_r:selection_toolbar_service:s0
+sensitive_content_protection_service      u:object_r:sensitive_content_protection_service:s0
 sensorservice                             u:object_r:sensorservice_service:s0
 sensor_privacy                            u:object_r:sensor_privacy_service:s0
 serial                                    u:object_r:serial_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9ea2e9f..7836695 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -283,6 +283,7 @@
 binder_call(system_server, artd)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, composd)
+binder_call(system_server, dexopt_chroot_setup)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
@@ -940,12 +941,14 @@
 
 add_service(system_server, system_server_service);
 allow system_server artd_service:service_manager find;
+allow system_server artd_pre_reboot_service:service_manager find;
 allow system_server audioserver_service:service_manager find;
 allow system_server authorization_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server compos_service:service_manager find;
 allow system_server dataloader_manager_service:service_manager find;
+allow system_server dexopt_chroot_setup_service:service_manager find;
 allow system_server dnsresolver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c7a0ee..a9616b7 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,8 +17,7 @@
 allow bootanim sysfs_gpu:file r_file_perms;
 
 # /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
+r_dir_file(bootanim, oemfs);
 
 allow bootanim audio_device:dir r_dir_perms;
 allow bootanim audio_device:chr_file rw_file_perms;
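Review bot: Replacing the two explicit rules with `r_dir_file(bootanim, oemfs);` widens the grant: the macro expands to `r_dir_perms` on the directory (read/open/getattr on top of the previous search) and `r_file_perms` on `lnk_file` as well as `file`, so bootanim can now list /oem and follow symlinks there, which the removed lines did not allow. If the broader read is needed the commit should say so; otherwise the old two lines are the tighter policy. The trailing `;` after the macro invocation is tolerated (add_service carries one elsewhere in this tree) but is not the usual form.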
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 35a19de..39ba46e 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -3,6 +3,7 @@
 
 hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_service:service_manager find;
 allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
 
 # GPU device access
diff --git a/public/service.te b/public/service.te
index 5c63e9e..a6f854a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,6 +2,7 @@
 type apc_service,               service_manager_type;
 type apex_service,              service_manager_type;
 type artd_service,              service_manager_type;
+type artd_pre_reboot_service,   service_manager_type;
 type audioserver_service,       service_manager_type, isolated_compute_allowed_service;
 type authorization_service,     service_manager_type;
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -10,6 +11,7 @@
 type fwk_camera_service,        service_manager_type;
 type default_android_service,   service_manager_type;
 type device_config_updatable_service,       system_api_service, system_server_service,service_manager_type;
+type dexopt_chroot_setup_service, service_manager_type;
 type dnsresolver_service,       service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
@@ -38,6 +40,7 @@
 type nfc_service,               service_manager_type;
 type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
 type ot_daemon_service,         service_manager_type;
+type profiling_service,         app_api_service, system_server_service, service_manager_type;
 type radio_service,             service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;
@@ -89,6 +92,7 @@
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
 type contexthub_service, app_api_service,  system_server_service, service_manager_type;
+type contextual_search_service, app_api_service, system_server_service, service_manager_type;
 type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -216,6 +220,7 @@
 type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
 type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensitive_content_protection_service, app_api_service, system_server_service, service_manager_type;
 type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type serial_service, system_api_service, system_server_service, service_manager_type;
@@ -303,6 +308,7 @@
 type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
 type hal_graphics_allocator_service, hal_service_type, service_manager_type;
 type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_mapper_service, hal_service_type, service_manager_type;
 type hal_health_service, protected_service, hal_service_type, service_manager_type;
 type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
 type hal_identity_service, protected_service, hal_service_type, service_manager_type;
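Review bot: `hal_graphics_mapper_service` on line 336 is declared without `protected_service`, unlike the composer, health and identity services around it; this matches `hal_graphics_allocator_service` on line 334 and the `hal_graphics_allocator_client` find rule added in public/hal_graphics_allocator.te, so it looks intended. A short comment on the new line, e.g. `# looked up from client processes via hal_graphics_allocator_client, so not protected_service`, would keep someone from tightening it later and breaking those lookups.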
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index ab01745..26082cb 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -56,7 +56,16 @@
     pattern: str
 
 
-Matcher = Is | Glob | Regex
+@dataclass
+class BinaryFile:
+    pass
+
+
+Matcher = Is | Glob | Regex | BinaryFile
+
+
+# predicate functions for Func matcher
+
 
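Review bot: The comment `# predicate functions for Func matcher` on line 357 refers to a `Func` matcher that does not exist in this change (Matcher is `Is | Glob | Regex | BinaryFile`), so it reads as a leftover from an earlier draft; either drop it or make it describe the new matcher, e.g. `# BinaryFile matches any non-directory entry under ./bin/`. The empty `BinaryFile` dataclass would also benefit from a one-line docstring stating what it matches, as NotAnyOf has further down.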
 @dataclass
 class AllowPerm:
@@ -72,7 +81,13 @@
     pass
 
 
-Rule = AllowPerm | ResolveType
+@dataclass
+class NotAnyOf:
+    """Rule checking if entity is not labelled as any of the given labels"""
+    labels: set[str]
+
+
+Rule = AllowPerm | ResolveType | NotAnyOf
 
 
 # Helper for 'read'
@@ -89,6 +104,8 @@
             return pathlib.PurePath(path).match(pattern)
         case Regex(pattern):
             return re.match(pattern, path)
+        case BinaryFile:
+            return path.startswith('./bin/') and not path.endswith('/')
 
 
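Review bot: `case BinaryFile:` on line 381 is a capture pattern, not a class pattern — a bare name in a `case` binds whatever the subject is, so this arm matches any matcher that fell through the `Is`/`Glob`/`Regex` arms, including a mistyped or future matcher, and rebinds the name `BinaryFile` locally. It only works today because generic_rules registers the class object itself (`(BinaryFile, NotAnyOf({'vendor_file'}))` on line 401) rather than an instance. The consistent fix is `case BinaryFile():` here and `(BinaryFile(), NotAnyOf({'vendor_file'})),` in generic_rules, after which an unknown matcher falls out of the match and returns None as before. The enclosing function starts before this hunk.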
 def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
@@ -109,6 +126,9 @@
         case ResolveType():
             if tcontext not in pol.GetAllTypes(False):
                 errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
+        case NotAnyOf(labels):
+            if tcontext in labels:
+                errors.append(f"Error: {path}: can't be labelled as '{tcontext}'")
     return errors
 
 
@@ -118,6 +138,8 @@
 
 
 generic_rules = [
+    # binaries should be executable
+    (BinaryFile, NotAnyOf({'vendor_file'})),
     # permissions
     (Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
     (Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 3fee43d..727a023 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -102,5 +102,11 @@
         self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
                         r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
 
+    def test_binaries(self):
+        self.assert_ok('./bin/init u:object_r:init_exec:s0')
+        self.assert_ok('./bin/hw/svc u:object_r:init_exec:s0')
+        self.assert_error('./bin/hw/svc u:object_r:vendor_file:s0',
+                          r"Error: .*svc: can\'t be labelled as \'vendor_file\'")
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
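Review bot: test_binaries covers the ./bin/ positive cases and one vendor_file rejection but not the matcher's boundaries: a directory entry under ./bin/ (excluded by the trailing-slash check) and a file outside ./bin/ labelled vendor_file, which must not trigger the NotAnyOf rule. Adding `self.assert_ok('./etc/foo u:object_r:vendor_file:s0')`, assuming no other generic rule rejects that path, would pin the matcher's scope; that matters because the `case BinaryFile:` arm in apex_sepolicy_tests.py is a catch-all capture pattern rather than a class pattern.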
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 7a341cb..1df8231 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -190,6 +190,7 @@
         "hal_graphics_allocator_hwservice":["hwservice_manager"],
         "hal_graphics_allocator_server":["binder", "service_manager"],
         "hal_graphics_mapper_hwservice":["hwservice_manager"],
+        "hal_graphics_mapper_service":["service_manager"],
         "hal_neuralnetworks": ["binder", "fd"],
         "hal_neuralnetworks_service": ["service_manager"],
         "hal_neuralnetworks_hwservice":["hwservice_manager"],