diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
index 5b042ae4c..e69de29bb 100644
--- a/microdroid/system/private/bug_map
+++ b/microdroid/system/private/bug_map
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a8fff907a..fbc9c75f3 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -185,10 +185,6 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; # named pipes, and named sockets). We start off with a safe set. allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; -# If a domain has ioctl access to tun_device, it must clearly enumerate the -# ioctls used. Safe defaults are listed below. -allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; - # Allow a process to make a determination whether a file descriptor # for a plain file or pipe (fifo_file) is a tty. Note that granting # this allowlist to domain does not grant the ioctl permission to @@ -229,8 +225,6 @@ allow domain cgroup_v2:dir search; allow { domain } cgroup_v2:dir w_dir_perms; allow { domain } cgroup_v2:file w_file_perms; -allow domain cgroup_rc_file:dir search; -allow domain cgroup_rc_file:file r_file_perms; allow domain task_profiles_file:file r_file_perms; allow domain task_profiles_api_file:file r_file_perms; @@ -533,12 +527,6 @@ neverallow domain { neverallow domain cgroup:file create; neverallow domain cgroup_v2:file create; -# Only apps targetting < Q are allowed to open /dev/ashmem directly. -# Apps must use ASharedMemory NDK API. Native code must use libcutils API. -neverallow { - domain -} ashmem_device:chr_file open; - neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *; # Linux lockdown "integrity" level is enforced for user builds. diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te index a06a9cf65..c6ed65435 100644 --- a/microdroid/system/private/file.te +++ b/microdroid/system/private/file.te 
@@ -1,7 +1,6 @@
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
 allow encryptedstore_file encryptedstore_fs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index fa81c905a..34986807e 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -32,8 +32,6 @@
 # Devices
 #
 /dev(/.*)? u:object_r:device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
 /dev/block(/.*)? u:object_r:block_device:s0
 /dev/block/dm-[0-9]+ u:object_r:dm_device:s0
 /dev/block/loop[0-9]* u:object_r:loop_device:s0
@@ -41,14 +39,8 @@
 /dev/block/ram[0-9]* u:object_r:ram_device:s0
 /dev/block/zram[0-9]* u:object_r:ram_device:s0
 /dev/console u:object_r:console_device:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dm-user(/.*)? u:object_r:dm_user_device:s0
 /dev/device-mapper u:object_r:dm_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
 /dev/fuse u:object_r:fuse_device:s0
 /dev/hvc0 u:object_r:serial_device:s0
 /dev/hvc1 u:object_r:serial_device:s0
@@ -59,7 +51,6 @@
 /dev/ptmx u:object_r:ptmx_device:s0
 /dev/kmsg u:object_r:kmsg_device:s0
 /dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
 /dev/null u:object_r:null_device:s0
 /dev/open-dice0 u:object_r:open_dice_device:s0
 /dev/random u:object_r:random_device:s0
@@ -73,17 +64,10 @@ /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0 /dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0 /dev/socket/traced_producer u:object_r:traced_producer_socket:s0 -/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0 -/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0 /dev/tty u:object_r:owntty_device:s0 /dev/tty[0-9]* u:object_r:tty_device:s0 /dev/ttyS[0-9]* u:object_r:serial_device:s0 -/dev/tun u:object_r:tun_device:s0 -/dev/uhid u:object_r:uhid_device:s0 -/dev/uinput u:object_r:uhid_device:s0 -/dev/uio[0-9]* u:object_r:uio_device:s0 /dev/urandom u:object_r:random_device:s0 -/dev/vhost-vsock u:object_r:kvm_device:s0 /dev/vsock u:object_r:vsock_device:s0 /dev/zero u:object_r:zero_device:s0 /dev/__properties__ u:object_r:properties_device:s0 diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te index 5ad30e5b7..408418c1e 100644 --- a/microdroid/system/private/init.te +++ b/microdroid/system/private/init.te @@ -27,7 +27,6 @@ allow init vd_device:blk_file relabelto; allow init { dev_type -hw_random_device - -kvm_device }:chr_file setattr; # /dev/__null__ node created by init. @@ -40,9 +39,6 @@ allow init property_type:file { append create getattr map open read relabelto re # /dev/__properties__/property_info allow init properties_device:file create_file_perms; allow init property_info:file relabelto; -# /dev/event-log-tags -allow init device:file relabelfrom; -allow init runtime_event_log_tags_file:file { open write setattr relabelto create }; # /dev/socket allow init { device socket_device dm_user_device }:dir relabelto; # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random 
@@ -114,7 +110,6 @@ allow init tmpfs:dir create_dir_perms; allow init tmpfs:dir mounton; allow init cgroup:dir create_dir_perms; allow init cgroup:file rw_file_perms; -allow init cgroup_rc_file:file rw_file_perms; allow init cgroup_desc_file:file r_file_perms; allow init cgroup_desc_api_file:file r_file_perms; allow init cgroup_v2:dir { mounton create_dir_perms}; @@ -181,7 +176,6 @@ allow init { file_type -apex_info_file -exec_type - -runtime_event_log_tags_file -shell_data_file -system_file_type -vendor_file_type diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te index d6c3c0d38..038be00e6 100644 --- a/microdroid/system/private/shell.te +++ b/microdroid/system/private/shell.te @@ -1,8 +1,5 @@ typeattribute shell coredomain; -# allow shell input injection -allow shell uhid_device:chr_file rw_file_perms; - # Perform SELinux access checks, needed for CTS selinux_check_access(shell) selinux_check_context(shell) diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te index 8c6f777f9..1a64b629c 100644 --- a/microdroid/system/public/device.te +++ b/microdroid/system/public/device.te 
@@ -1,24 +1,17 @@
-type ashmem_device, dev_type;
-type ashmem_libcutils_device, dev_type;
 type block_device, dev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
 type fuse_device, dev_type;
 type hw_random_device, dev_type;
 type kmsg_debug_device, dev_type;
 type kmsg_device, dev_type;
-type kvm_device, dev_type;
 type loop_control_device, dev_type;
 type loop_device, dev_type;
 type null_device, dev_type;
 type open_dice_device, dev_type;
 type owntty_device, dev_type;
-type ppp_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
@@ -30,10 +23,6 @@ type serial_device, dev_type;
 type log_device, dev_type;
 type socket_device, dev_type;
 type tty_device, dev_type;
-type tun_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type userdata_sysdev, dev_type;
 type vd_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d9a6e4441..d53de79a8 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -8,14 +8,12 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type authfs_service_socket, file_type, coredomain_socket;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
-type cgroup_rc_file, file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type linkerconfig_file, file_type;
 type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 type property_contexts_file, file_type, system_file_type;
 type property_socket, file_type, coredomain_socket;
-type runtime_event_log_tags_file, file_type;
 type sepolicy_file, file_type, system_file_type;
 type service_contexts_file, file_type, system_file_type;
 type shell_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index fa5db036b..3db899a5d 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -49,7 +49,6 @@ allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom }
 allow vendor_init {
 file_type
 -exec_type
- -runtime_event_log_tags_file
 -system_file_type
 -unlabeled
 -vendor_file_type
@@ -144,6 +143,5 @@ allow vendor_init self:capability sys_nice;
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
 dev_type
- -kvm_device
 -hw_random_device
 }:chr_file setattr;