Merge "Add virtualization_maintenance_service" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 3c02a3d..e002b15 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -995,10 +995,12 @@
 /data/misc/odsign/test                                            odsign_data_file
 /data/misc/odsign/metrics                                         odsign_metrics_file
 /data/misc/odsign/metrics/test                                    odsign_metrics_file
-/data/misc/perfetto-traces/bugreport                             perfetto_traces_bugreport_data_file
-/data/misc/perfetto-traces/bugreport/test                        perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport                              perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport/test                         perfetto_traces_bugreport_data_file
 /data/misc/perfetto-traces                                        perfetto_traces_data_file
 /data/misc/perfetto-traces/test                                   perfetto_traces_data_file
+/data/misc/perfetto-traces/profiling                              perfetto_traces_profiling_data_file
+/data/misc/perfetto-traces/profiling/test                         perfetto_traces_profiling_data_file
 /data/misc/perfetto-configs                                       perfetto_configs_data_file
 /data/misc/perfetto-configs/test                                  perfetto_configs_data_file
 /data/misc/prereboot                                              prereboot_data_file
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e3869cd..b51f633 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -93,6 +93,10 @@
 # Allow app_zygote to access odsign verification status
 get_prop(app_zygote, odsign_prop)
 
+# /data/resource-cache
+allow app_zygote resourcecache_data_file:file r_file_perms;
+allow app_zygote resourcecache_data_file:dir r_dir_perms;
+
 #####
 ##### Neverallow
 #####
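Review bot: The comment `# /data/resource-cache` above the two new `resourcecache_data_file` rules names the path but not why app_zygote needs to read it, which is what a later policy audit will look for in a zygote domain whose state is inherited by the processes it forks. I would state the reason, e.g. `# Allow reading /data/resource-cache; needed for <reason from the originating change>.` The same bare comment and the same two rules are added in private/webview_zygote.te, so the wording should be fixed there as well. Both grants are read-only (`r_file_perms`, `r_dir_perms`), which is suitably narrow.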
diff --git a/private/domain.te b/private/domain.te
index 2f107dd..3454fd1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -179,6 +179,35 @@
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
 
+# Allow calls to system(3), popen(3), ...
+allow {
+  domain
+  # Except domains that explicitly neverallow it.
+  -kernel
+  -init
+  -vendor_init
+  -app_zygote
+  -webview_zygote
+  -system_server
+  -artd
+  -audioserver
+  -cameraserver
+  -mediadrmserver
+  -mediaextractor
+  -mediametrics
+  -mediaserver
+  -mediatuner
+  -mediatranscoding
+  -ueventd
+  -hal_audio_server
+  -hal_camera_server
+  -hal_cas_server
+  -hal_codec2_server
+  -hal_configstore_server
+  -hal_drm_server
+  -hal_omx_server
+} {shell_exec toolbox_exec}:file rx_file_perms;
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
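Review bot: The new `allow { domain -kernel -init ... } {shell_exec toolbox_exec}:file rx_file_perms;` is opt-out, so a domain added later can execute the shell and toolbox unless someone remembers to extend this exclusion list. The comment `# Except domains that explicitly neverallow it.` says neither where those neverallow rules live nor that the two lists must stay in step. I would add something like `# Keep in sync: every domain with a neverallow on executing shell_exec/toolbox_exec must be subtracted here.` If the excluded set is expected to grow, an attribute assigned in each domain's own .te file would put the exclusion next to the neverallow it mirrors.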
diff --git a/private/file.te b/private/file.te
index 450fe2c..24c118a 100644
--- a/private/file.te
+++ b/private/file.te
@@ -25,6 +25,9 @@
 # /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
 type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
+type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index 3a65d81..5e234f7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -660,9 +660,10 @@
 /data/misc/odrefresh(/.*)?      u:object_r:odrefresh_data_file:s0
 /data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
 /data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces(/.*)?          u:object_r:perfetto_traces_data_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
-/data/misc/perfetto-configs(/.*)?         u:object_r:perfetto_configs_data_file:s0
+/data/misc/perfetto-traces(/.*)?           u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)?  u:object_r:perfetto_traces_bugreport_data_file:s0
+/data/misc/perfetto-traces/profiling(/.*)? u:object_r:perfetto_traces_profiling_data_file:s0
+/data/misc/perfetto-configs(/.*)?          u:object_r:perfetto_configs_data_file:s0
 /data/misc/uprobestats-configs(/.*)?      u:object_r:uprobestats_configs_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
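Review bot: The re-aligned entry `/data/misc/perfetto-traces/bugreport(.*)?` is not anchored on a path separator, so it also labels sibling names that merely begin with `bugreport` as `perfetto_traces_bugreport_data_file`. The new profiling entry beside it uses `(/.*)?`. Since the line is already being rewritten in this hunk, `/data/misc/perfetto-traces/bugreport(/.*)?` would make the two consistent, unless the looser match is intentional. A negative case in contexts/plat_file_contexts_test, a sibling path expected to resolve to `perfetto_traces_data_file`, would pin the behaviour down either way.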
diff --git a/private/perfetto.te b/private/perfetto.te
index aae61a6..d0088ef 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -26,6 +26,10 @@
 allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
 allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
 
+# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
+allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
+
 # Allow perfetto to access the proxy service for reporting traces.
 allow perfetto tracingproxy_service:service_manager find;
 binder_use(perfetto)
@@ -86,6 +90,7 @@
   -dumpstate # For attaching traces to bugreports.
   -incidentd # For receiving reported traces. TODO(lalitm): remove this.
   -priv_app  # For stating traces for bug-report UI.
+  -system_server # For accessing traces started by profiling apis.
 } perfetto_traces_data_file:dir *;
 neverallow {
   domain
@@ -122,14 +127,20 @@
   -vendor_data_file
   -perfetto_traces_data_file
   -perfetto_traces_bugreport_data_file
+  -perfetto_traces_profiling_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
-neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+  system_data_file
+  -perfetto_traces_data_file
+  -perfetto_traces_profiling_data_file
+}:dir ~{ getattr search };
 neverallow perfetto {
   data_file_type
   -perfetto_traces_data_file
   -perfetto_traces_bugreport_data_file
+  -perfetto_traces_profiling_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:file ~write;
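Review bot: In the rewritten `neverallow perfetto { system_data_file -perfetto_traces_data_file -perfetto_traces_profiling_data_file }:dir ~{ getattr search };` the subtractions appear to have no effect if `system_data_file` is a plain type rather than an attribute, because removing other types from a single type leaves that type. Its declaration is not in this diff, so this needs confirming. If so, the added `-perfetto_traces_profiling_data_file` reads as an exemption the rule does not need, and the bugreport type is absent here although both neighbouring neverallows list it. Either drop the subtractions or add a comment such as `# Subtractions are documentation only; system_data_file is a single type.` The first neverallow touched by this hunk begins above the visible lines.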
diff --git a/private/system_server.te b/private/system_server.te
index 62f1791..5b0caaa 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -582,6 +582,11 @@
 domain_auto_trans(system_server, perfetto_exec, perfetto);
 allow system_server perfetto:fifo_file { read write };
 
+# Allow system server to manage perfetto traces for ProfilingService.
+allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
+allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
+allow system_server perfetto_traces_data_file:dir search;
+
 # Manage /data/backup.
 allow system_server backup_data_file:dir create_dir_perms;
 allow system_server backup_data_file:file create_file_perms;
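Review bot: The new `allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };` gives system_server write and append on trace files that perfetto itself creates, and the comment "manage perfetto traces" does not say why modification is needed. If ProfilingService only reads and deletes finished traces, `{ r_file_perms unlink }` would be enough and would keep system_server from altering trace content. If it does rewrite them in place, the comment should say so, e.g. `# Write access is needed because <reason>.` The parent-directory grant is limited to `search` and is backed by the neverallow added later in this file, which is the right shape.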
@@ -1302,6 +1307,9 @@
 neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
 neverallow system_server *:process dyntransition;
 
+# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
+neverallow system_server perfetto_traces_data_file:dir ~search;
+
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index f8aa413..ee288f2 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -62,8 +62,9 @@
 virtualizationservice_use(virtualizationservice)
 
 # Allow virtualizationservice to read and write in the apex data directory
-# /data/misc/apexdata/com.android.virt
-allow virtualizationservice apex_module_data_file:dir search;
+# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
+# (needed for SQLite database creation).
+allow virtualizationservice apex_module_data_file:dir { search getattr };
 allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
 allow virtualizationservice apex_virt_data_file:file create_file_perms;
 
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 0556950..1e32c1f 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -93,6 +93,10 @@
 # Allow webview_zygote to access odsign verification status
 get_prop(zygote, odsign_prop)
 
+# /data/resource-cache
+allow webview_zygote resourcecache_data_file:file r_file_perms;
+allow webview_zygote resourcecache_data_file:dir r_dir_perms;
+
 #####
 ##### Neverallow
 #####