Merge tag 'android-14.0.0_r50' into leaf-3.2
Android 14.0.0 Release 50 (AP2A.240605.024)
* tag 'android-14.0.0_r50': (129 commits)
Merge "Allow system_server to call ISecretKeeper.deleteAll()" into main am: c9d42b5533 am: 5eb5e47827
Merge "Allow system_server to call IKeystoreMaintenance.deleteAllKeys()" into main am: b584704c28 am: 517deb8862
aconfig_storage: setup RO partitions aconfig storage files SELinux policy
Add rules for Perfetto to be used from system_server
aconfigd: create aconfig daemon selinux policy
Allow virtual camera to use fd's from graphic composer
Revert^2 "Define persist.bootanim.color in platform policy"
Allow shell and adb to read tombstones
Revert "Define persist.bootanim.color in platform policy"
Mark libft2.so and libpng.so installed in /vendor/lib as sphal
Add input_device.config_file.apex property
Introduce vendor_microdroid_file for microdroid vendor image
Grant lockdown integrity to all processes
Vendor API level 202404 is now frozen
misctrl: add a property
Add context that system server can access and perfetto can save traces to
Fix finalization script
Define persist.bootanim.color in platform policy
Allow shell/toolbox for all domains
Reland "[res] Allow accessing idmap files in all zygotes"
...
Change-Id: Iba92ee09c2b4d4f5043afdbe5dbf5aa99ab0648c
diff --git a/Android.bp b/Android.bp
index 1d8e5dd..f5a67cf 100644
--- a/Android.bp
+++ b/Android.bp
@@ -633,6 +633,9 @@
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
+ permissive_domains_on_user_builds: [
+ "su",
+ ],
}
// policy for recovery
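Review bot: `permissive_domains_on_user_builds: ["su"]` switches off the build-time check that user-build policy contains no permissive domains, so a process that reaches the su domain on a shipped build is not confined by SELinux at all, and the list carries no explanation of why that is acceptable. The only entry path visible in this diff is adbd's dyntransition in private/adbd.te, but nothing near this property says so, and a reader of Android.bp cannot tell from the list alone. Suggest a comment above it, e.g. `// su is permissive even on user builds: it is reachable only through adbd's "adb root" dyntransition (see private/adbd.te and private/su.te).` The same literal is repeated for the next two targets in this file and again in build/soong/compat_cil.go, so the rationale should live in one place.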
@@ -667,6 +670,9 @@
srcs: [":recovery_sepolicy.cil"],
stem: "sepolicy",
recovery: true,
+ permissive_domains_on_user_builds: [
+ "su",
+ ],
}
//////////////////////////////////
@@ -714,6 +720,7 @@
dist: {
targets: ["base-sepolicy-files-for-mapping"],
},
+ permissive_domains_on_user_builds: ["su"],
}
se_policy_conf {
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index baad413..7815c47 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -216,6 +216,7 @@
Srcs: srcs,
Ignore_neverallow: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
+ Permissive_domains_on_user_builds: []string{"su"},
})
}
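Review bot: The domain list is hard-coded as a literal `[]string{"su"}` inside this struct, separately from the three identical lists in Android.bp, so the four copies can drift the next time a permissive-on-user domain is added or removed. A single package-level definition with the rationale next to it is easier to audit: `// permissiveDomainsOnUserBuilds lists domains compiled permissive even on user builds (keep in sync with Android.bp).`, `var permissiveDomainsOnUserBuilds = []string{"su"}`, and here `Permissive_domains_on_user_builds: permissiveDomainsOnUserBuilds,`. The enclosing function starts before this hunk.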
diff --git a/prebuilts/api/33.0/private/adbd.te b/prebuilts/api/33.0/private/adbd.te
index 48fa849..971b44c 100644
--- a/prebuilts/api/33.0/private/adbd.te
+++ b/prebuilts/api/33.0/private/adbd.te
@@ -89,6 +89,7 @@
allow adbd vendor_framework_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, adbd_private_prop)
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
diff --git a/prebuilts/api/33.0/private/property.te b/prebuilts/api/33.0/private/property.te
index 41a4c2f..6b1e056 100644
--- a/prebuilts/api/33.0/private/property.te
+++ b/prebuilts/api/33.0/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(adbd_private_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index c653445..133c61f 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -47,7 +47,7 @@
persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
-service.adb.root u:object_r:shell_prop:s0
+service.adb.root u:object_r:adbd_private_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
diff --git a/prebuilts/api/34.0/private/adbd.te b/prebuilts/api/34.0/private/adbd.te
index d72d5b1..dccdd60 100644
--- a/prebuilts/api/34.0/private/adbd.te
+++ b/prebuilts/api/34.0/private/adbd.te
@@ -7,10 +7,8 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
@@ -91,6 +89,7 @@
allow adbd vendor_framework_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, adbd_private_prop)
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
@@ -231,7 +230,6 @@
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
+# transitions to the shell domain (except when it crashes).
neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+neverallow adbd { domain -su recovery_only(`-shell') }:process dyntransition;
diff --git a/prebuilts/api/34.0/private/apexd.te b/prebuilts/api/34.0/private/apexd.te
index b74d4ee..7feb515 100644
--- a/prebuilts/api/34.0/private/apexd.te
+++ b/prebuilts/api/34.0/private/apexd.te
@@ -198,7 +198,7 @@
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+neverallow { domain -apexd -init -otapreopt_chroot -recovery } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index f98a285..8861689 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -359,6 +359,7 @@
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
+ -recovery
} {
file_type
-system_file_type
@@ -433,6 +434,7 @@
neverallow {
domain
-appdomain
+ -recovery
} {
data_file_type
-apex_art_data_file
diff --git a/prebuilts/api/34.0/private/property.te b/prebuilts/api/34.0/private/property.te
index 5889e57..d8a6b56 100644
--- a/prebuilts/api/34.0/private/property.te
+++ b/prebuilts/api/34.0/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(adbd_private_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index da0ea5b..ed42cd2 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -48,7 +48,7 @@
persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
-service.adb.root u:object_r:shell_prop:s0
+service.adb.root u:object_r:adbd_private_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
diff --git a/prebuilts/api/34.0/private/su.te b/prebuilts/api/34.0/private/su.te
index cc00e10..bac0ae0 100644
--- a/prebuilts/api/34.0/private/su.te
+++ b/prebuilts/api/34.0/private/su.te
@@ -1,6 +1,6 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
+userdebug_or_eng(`
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
@@ -22,9 +22,6 @@
# Put the virtmgr command into its domain.
domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
- # su is also permissive to permit setenforce.
- permissive su;
-
app_domain(su)
# Do not audit accesses to keystore2 namespace for the su domain.
@@ -33,3 +30,6 @@
# Allow root to set MTE permissive mode.
set_prop(su, permissive_mte_prop);
')
+
+# su is also permissive to permit setenforce.
+permissive su;
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index 1da3f51..c8a2bb6 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -361,6 +361,7 @@
-init
-ueventd
-vold
+ -recovery
} self:global_capability_class_set mknod;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -447,7 +448,7 @@
neverallow domain device:chr_file { open read write };
# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+neverallow { domain -recovery } { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
@@ -486,8 +487,8 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+# Nothing should be writing to files in the rootfs, except recovery.
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
diff --git a/private/adbd.te b/private/adbd.te
index e735222..0719b27 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -7,10 +7,8 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
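Review bot: With `allow adbd self:process setcurrent` and `allow adbd su:process dyntransition` now unconditional, the policy no longer distinguishes user from userdebug builds for "adb root"; whether a shipped device hands out an unconfined root shell is decided entirely by adbd's userspace check (presumably on `service.adb.root` / `ro.debuggable`, which is not visible here), and a compromise of adbd over USB or wireless debugging inherits that path. That should be written next to the rules rather than left implicit, e.g. `# "adb root" on all builds: adbd may dyntransition into su (permissive even on user builds, see su.te). Policy does not gate this; adbd's own root/debuggable check does.` The setcon() comment that follows still describes only the shell transition, and the surrounding rules continue past the hunk.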
@@ -91,6 +89,7 @@
allow adbd vendor_framework_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, adbd_private_prop)
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
@@ -235,7 +234,6 @@
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
+# transitions to the shell domain (except when it crashes).
neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+neverallow adbd { domain -su recovery_only(`-shell') }:process dyntransition;
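Review bot: The rewritten comment now says adbd "only ever transitions to the shell domain (except when it crashes)", but the dyntransition neverallow directly beneath it carves out su on every build, so the comment contradicts the rule it introduces and drops the original explanation of why su was excluded. Suggest `# transitions to the shell domain (except when it crashes). The one exception is the dyntransition to su used by "adb root", permitted on all builds.` so the next reader does not re-add the userdebug_or_eng guard thinking the su path is accidental.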
diff --git a/private/apexd.te b/private/apexd.te
index b62e6e6..fb67865 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -190,7 +190,7 @@
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+neverallow { domain -apexd -init -otapreopt_chroot -recovery } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
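Review bot: `-recovery` is added to the `apex_mnt_dir:dir mounton` neverallow with no explanation, while the comment two lines above still justifies only the otapreopt_chroot exemption, and no matching `allow recovery apex_mnt_dir:dir mounton` appears in this diff. A neverallow exemption grants nothing by itself; if the allow rule lives in recovery.te, say so here so the exemption can be traced, e.g. `# recovery mounts APEXes under /apex while in recovery mode (allow rule in recovery.te).` If no allow rule exists yet, the exemption is dead and should be dropped until it is needed.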
diff --git a/private/domain.te b/private/domain.te
index 66bce05..df30182 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -388,6 +388,7 @@
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
+ -recovery
} {
file_type
-system_file_type
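Review bot: The new `-recovery` exemption sits in a neverallow whose subject list begins before this hunk and whose object set and permission continue past it, so from the hunk alone a reviewer cannot see what recovery is being allowed to do to `file_type` objects other than `system_file_type`. The neighbouring debug-only exemptions are at least scoped by `userdebug_or_eng`; this one applies to user-build policy too and carries no comment. Suggest an inline why-comment, e.g. `-recovery # <what recovery does with non-system files in recovery mode>`, and confirm the corresponding allow rule in recovery.te is as narrow as that reason.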
@@ -462,6 +463,7 @@
neverallow {
domain
-appdomain
+ -recovery
} {
data_file_type
-apex_art_data_file
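Review bot: Exempting recovery from a neverallow over `data_file_type` objects (the permission is past the end of the hunk) removes the compile-time guard that keeps files writable under /data away from a privileged domain; if the underlying permission is execute or write, a process that can plant a file in the relevant /data type before a reboot-to-recovery gains that access from the recovery domain. The exemption should name the concrete data type recovery needs rather than ride on the whole `data_file_type` attribute, and carry a comment, e.g. `-recovery # only <specific type>, see recovery.te`. The neverallow begins at `neverallow {` in this hunk and ends outside it.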
diff --git a/private/property.te b/private/property.te
index 2d030ab..ffd9237 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(adbd_private_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(crashrecovery_prop)
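Review bot: `adbd_private_prop` is introduced next to the existing `adbd_prop` without saying how the two differ, and both are `system_internal_prop`, so a future maintainer has no signal about which type a new adbd property belongs in. A one-line comment fixes that: `# adbd_private_prop: properties only adbd may set (service.adb.root); adbd_prop covers adbd properties other system domains may also touch.` The second half is my inference from the relabel in property_contexts and should be checked against adbd_prop's actual set_prop grants before it is written down.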
diff --git a/private/property_contexts b/private/property_contexts
index 1ddde23..b34e975 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -48,7 +48,7 @@
persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
-service.adb.root u:object_r:shell_prop:s0
+service.adb.root u:object_r:adbd_private_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
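Review bot: Relabelling `service.adb.root` from `shell_prop` to `adbd_private_prop` correctly takes it out of the set the shell domain can set, which matters now that "adb root" exists on user builds, but a `system_internal_prop` type is readable only by domains explicitly granted `get_prop`, and this diff grants that only to adbd (implicitly, via `set_prop`). Anything that previously read `service.adb.root` under its shell_prop label — `getprop` from an adb shell, scripts, a framework check — now gets a denial; confirm there are no such readers, or add `get_prop(shell, adbd_private_prop)` if read access is intended while keeping set restricted to adbd.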
diff --git a/private/su.te b/private/su.te
index 2e0d10a..acc3804 100644
--- a/private/su.te
+++ b/private/su.te
@@ -1,6 +1,6 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
+userdebug_or_eng(`
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
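Review bot: `typeattribute su coredomain;` is now unconditional, but every allow rule for su, including `domain_auto_trans(shell, su_exec, su)`, stays inside `userdebug_or_eng`, so on a user build the domain exists with no rules of its own and a su binary run from a shell does not enter it; only the adbd dyntransition in adbd.te does. That split is easy to misread, so state it where the block opens: `# su is a coredomain on all builds. On user builds it has no allow rules and is reached only via adbd's dyntransition ("adb root"); shell -> su_exec transitions remain debug-only.` The userdebug_or_eng block continues past the hunk.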
@@ -23,9 +23,6 @@
# own domain.
virtualizationservice_use(su)
- # su is also permissive to permit setenforce.
- permissive su;
-
app_domain(su)
# Do not audit accesses to keystore2 namespace for the su domain.
@@ -34,3 +31,6 @@
# Allow root to set MTE permissive mode.
set_prop(su, permissive_mte_prop);
')
+
+# su is also permissive to permit setenforce.
+permissive su;
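Review bot: `permissive su;` now applies to user-build policy, and since the su domain has no allow rules on user builds (they are all inside the userdebug_or_eng block above), every access from su on a shipped device is an audited denial that is then allowed — the domain is effectively unconfined and will flood the audit log. The carried-over comment ("to permit setenforce") describes the debug-build motivation, not this one; suggest `# su is permissive on all builds. On user builds it has no allow rules at all and relies entirely on permissive mode; it is reachable only via adbd ("adb root"), see the neverallows in adbd.te.` If the intent is anything narrower than unconfined root, an explicit allow set for user builds would be preferable to permissive.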
diff --git a/public/domain.te b/public/domain.te
index 0a2a5e5..1b175f3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -375,6 +375,7 @@
-init
-ueventd
-vold
+ -recovery
} self:global_capability_class_set mknod;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
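Review bot: Adding `-recovery` to the mknod neverallow widens the short allow-list of domains that may create device nodes (init, ueventd, vold) without a comment or a visible allow rule, and unlike the recovery_only rules elsewhere this exemption is compiled into normal-boot policy as well. Suggest a one-line reason inline, e.g. `-recovery # creates device nodes under /dev in recovery mode`, and confirm the allow in recovery.te is limited to mknod on the specific chr_file/blk_file types recovery needs. The neverallow's subject list begins before this hunk.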
@@ -465,7 +466,7 @@
neverallow domain device:chr_file { open read write };
# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+neverallow { domain -recovery } { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
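Review bot: The execute neverallow existed so that nothing, including recovery, could run code out of /cache, whose `cache_file` and `cache_recovery_file` contents are presumably written by system_server and others at normal runtime; exempting recovery from all four cache types means any domain able to write there before a reboot-to-recovery can stage a binary that recovery is now allowed to execute. If recovery needs only one type, keep the original rule for the rest and exempt recovery just for that one, e.g. `neverallow domain { cache_file cache_backup_file cache_private_backup_file }:file execute;` followed by `neverallow { domain -recovery } cache_recovery_file:file execute;`. The comment above ("should never be executed") is now inaccurate and should read "except by recovery".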
@@ -504,8 +505,8 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+# Nothing should be writing to files in the rootfs, except recovery.
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
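Review bot: The rewritten rootfs neverallow grants recovery every write-class permission on rootfs files (`create write setattr relabelto append unlink link rename`) in one stroke, and the new comment says "except recovery" without saying what recovery writes there; in the recovery ramdisk this is the filesystem holding the recovery binary and its init rc files. If the real need is a couple of operations, exempt recovery only for those and keep the full rule for the rest, and record the reason: `# Nothing should be writing to files in the rootfs, except recovery, which <reason> in recovery mode.` Without the reason, the exemption cannot be re-narrowed later.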