From 4b7c912d0e347166ce07eabeda220b0ddc8eaf8c Mon Sep 17 00:00:00 2001 From: Songchun Fan Date: Tue, 28 Apr 2020 13:24:54 -0700 Subject: [PATCH 01/15] [rvc] Define vendor-specific property ro.incremental.enable [already merged in master and AOSP] Make ro.incremental.enable a vendor-specific property. Allow system_server and vold to read this property. Test: manual BUG: 155212902 BUG: 155958929 Merged-In: I8ff8837af635fa8e7b5bb02e5f6de5ac15b5023b Change-Id: Id432390023de232deb4cc4d0ff3fb73904093b60 (cherry picked from commit 5974c8b5383b28cd656a34d29cfde45b1f34c4a0) --- prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil | 1 + prebuilts/api/30.0/private/property_contexts | 3 +++ prebuilts/api/30.0/private/system_server.te | 3 +++ prebuilts/api/30.0/public/property.te | 1 + prebuilts/api/30.0/public/vendor_init.te | 1 + prebuilts/api/30.0/public/vold.te | 1 + private/compat/29.0/29.0.ignore.cil | 1 + private/property_contexts | 3 +++ private/system_server.te | 3 +++ public/property.te | 1 + public/vendor_init.te | 1 + public/vold.te | 1 + 12 files changed, 20 insertions(+) diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil index cb07e469b..1cdfce0ee 100644 --- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil +++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil @@ -59,6 +59,7 @@ hal_tv_tuner_hwservice hal_vibrator_service incremental_control_file + incremental_prop incremental_service init_perf_lsm_hooks_prop init_svc_debug_prop diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts index a6ea90a5b..1a5471f49 100644 --- a/prebuilts/api/30.0/private/property_contexts +++ b/prebuilts/api/30.0/private/property_contexts 
@@ -253,6 +253,9 @@ persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0 # history size. ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0 +# Property to enable incremental feature +ro.incremental.enable u:object_r:incremental_prop:s0 + # Properties to configure userspace reboot. init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te index 26f81a0cb..8c7afab84 100644 --- a/prebuilts/api/30.0/private/system_server.te +++ b/prebuilts/api/30.0/private/system_server.te @@ -678,6 +678,9 @@ get_prop(system_server, apk_verity_prop) # Read wifi.interface get_prop(system_server, wifi_prop) +# Read the vendor property that indicates if Incremental features is enabled +get_prop(system_server, incremental_prop) + # Create a socket for connections from debuggerd. allow system_server system_ndebug_socket:sock_file create_file_perms; diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te index f0fe69f7f..5bc1af2f8 100644 --- a/prebuilts/api/30.0/public/property.te +++ b/prebuilts/api/30.0/public/property.te @@ -120,6 +120,7 @@ system_vendor_config_prop(exported_config_prop) system_vendor_config_prop(exported_default_prop) system_vendor_config_prop(exported3_default_prop) system_vendor_config_prop(graphics_config_prop) +system_vendor_config_prop(incremental_prop) system_vendor_config_prop(media_variant_prop) system_vendor_config_prop(storage_config_prop) system_vendor_config_prop(userspace_reboot_config_prop) diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te index 59058e2e5..12a360eb8 100644 --- a/prebuilts/api/30.0/public/vendor_init.te +++ b/prebuilts/api/30.0/public/vendor_init.te 
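Review bot: The new `ro.incremental.enable u:object_r:incremental_prop:s0` entry in property_contexts has no type specifier, unlike the `exact bool`/`exact int` entries that follow it, so it is a legacy prefix rule: it also labels any property whose name merely begins with `ro.incremental.enable`, and the value is not type-checked when it is set. The commit describes a single enable flag, so `ro.incremental.enable u:object_r:incremental_prop:s0 exact bool` would pin both the name and the value; if a prefix match is deliberate, the comment above the line should say so. The same hunk appears for private/property_contexts at L3.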
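Review bot: The new comment in the system_server.te hunk, `# Read the vendor property that indicates if Incremental features is enabled`, has a number-agreement error and does not name the property it refers to. Suggest `# Read ro.incremental.enable, the vendor property that indicates whether Incremental features are enabled`, which also lets a reader grep from the rule to the property_contexts entry. The same comment is added in private/system_server.te at L4.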
@@ -228,6 +228,7 @@ set_prop(vendor_init, exported2_system_prop) set_prop(vendor_init, exported2_vold_prop) set_prop(vendor_init, exported3_default_prop) set_prop(vendor_init, exported3_radio_prop) +set_prop(vendor_init, incremental_prop) set_prop(vendor_init, lmkd_prop) set_prop(vendor_init, logd_prop) set_prop(vendor_init, log_tag_prop) diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te index a112de011..1d125d3aa 100644 --- a/prebuilts/api/30.0/public/vold.te +++ b/prebuilts/api/30.0/public/vold.te @@ -202,6 +202,7 @@ set_prop(vold, ota_prop) set_prop(vold, boottime_prop) set_prop(vold, boottime_public_prop) get_prop(vold, storage_config_prop) +get_prop(vold, incremental_prop) # ASEC allow vold asec_image_file:file create_file_perms; diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index cb07e469b..1cdfce0ee 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -59,6 +59,7 @@ hal_tv_tuner_hwservice hal_vibrator_service incremental_control_file + incremental_prop incremental_service init_perf_lsm_hooks_prop init_svc_debug_prop diff --git a/private/property_contexts b/private/property_contexts index a6ea90a5b..1a5471f49 100644 --- a/private/property_contexts +++ b/private/property_contexts @@ -253,6 +253,9 @@ persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0 # history size. ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0 +# Property to enable incremental feature +ro.incremental.enable u:object_r:incremental_prop:s0 + # Properties to configure userspace reboot. init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int diff --git a/private/system_server.te b/private/system_server.te index 26f81a0cb..8c7afab84 100644 --- a/private/system_server.te +++ b/private/system_server.te 
@@ -678,6 +678,9 @@ get_prop(system_server, apk_verity_prop) # Read wifi.interface get_prop(system_server, wifi_prop) +# Read the vendor property that indicates if Incremental features is enabled +get_prop(system_server, incremental_prop) + # Create a socket for connections from debuggerd. allow system_server system_ndebug_socket:sock_file create_file_perms; diff --git a/public/property.te b/public/property.te index f0fe69f7f..5bc1af2f8 100644 --- a/public/property.te +++ b/public/property.te @@ -120,6 +120,7 @@ system_vendor_config_prop(exported_config_prop) system_vendor_config_prop(exported_default_prop) system_vendor_config_prop(exported3_default_prop) system_vendor_config_prop(graphics_config_prop) +system_vendor_config_prop(incremental_prop) system_vendor_config_prop(media_variant_prop) system_vendor_config_prop(storage_config_prop) system_vendor_config_prop(userspace_reboot_config_prop) diff --git a/public/vendor_init.te b/public/vendor_init.te index 59058e2e5..12a360eb8 100644 --- a/public/vendor_init.te +++ b/public/vendor_init.te @@ -228,6 +228,7 @@ set_prop(vendor_init, exported2_system_prop) set_prop(vendor_init, exported2_vold_prop) set_prop(vendor_init, exported3_default_prop) set_prop(vendor_init, exported3_radio_prop) +set_prop(vendor_init, incremental_prop) set_prop(vendor_init, lmkd_prop) set_prop(vendor_init, logd_prop) set_prop(vendor_init, log_tag_prop) diff --git a/public/vold.te b/public/vold.te index a112de011..1d125d3aa 100644 --- a/public/vold.te +++ b/public/vold.te @@ -202,6 +202,7 @@ set_prop(vold, ota_prop) set_prop(vold, boottime_prop) set_prop(vold, boottime_public_prop) get_prop(vold, storage_config_prop) +get_prop(vold, incremental_prop) # ASEC allow vold asec_image_file:file create_file_perms; From 0bee12090002d036bf34e18f877f8b6fa5d34fae Mon Sep 17 00:00:00 2001 
From: Calin Juravle Date: Mon, 13 Jul 2020 18:53:38 -0700 Subject: [PATCH 02/15] Fix sepolicy for secondary dex files dexoptanalyzer need read access on the secondary dex files and of the main apk files in order to successfully evaluate and optimize them. Example of denial: audit(0.0:30): avc: denied { read } for path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk" dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.example.secondaryrepro Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app Bug: 160471235 Bug: 160351055 Merged-In: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf --- prebuilts/api/30.0/private/coredomain.te | 2 ++ prebuilts/api/30.0/private/dexoptanalyzer.te | 4 ++++ private/coredomain.te | 2 ++ private/dexoptanalyzer.te | 4 ++++ 4 files changed, 12 insertions(+) diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te index ab731f122..86e800962 100644 --- a/prebuilts/api/30.0/private/coredomain.te +++ b/prebuilts/api/30.0/private/coredomain.te @@ -22,6 +22,7 @@ full_treble_only(` coredomain -appdomain -dex2oat + -dexoptanalyzer -idmap -init -installd @@ -38,6 +39,7 @@ full_treble_only(` coredomain -appdomain -dex2oat + -dexoptanalyzer -idmap -init -installd diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te index 1f9246230..a2b2b018d 100644 --- a/prebuilts/api/30.0/private/dexoptanalyzer.te +++ b/prebuilts/api/30.0/private/dexoptanalyzer.te 
@@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject; type dexoptanalyzer_exec, system_file_type, exec_type, file_type; type dexoptanalyzer_tmpfs, file_type; +r_dir_file(dexoptanalyzer, apk_data_file) +# Access to /vendor/app +r_dir_file(dexoptanalyzer, vendor_app_file) + # Reading an APK opens a ZipArchive, which unpack to tmpfs. # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their # own label, which differs from other labels created by other processes. diff --git a/private/coredomain.te b/private/coredomain.te index ab731f122..86e800962 100644 --- a/private/coredomain.te +++ b/private/coredomain.te @@ -22,6 +22,7 @@ full_treble_only(` coredomain -appdomain -dex2oat + -dexoptanalyzer -idmap -init -installd @@ -38,6 +39,7 @@ full_treble_only(` coredomain -appdomain -dex2oat + -dexoptanalyzer -idmap -init -installd diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te index 1f9246230..a2b2b018d 100644 --- a/private/dexoptanalyzer.te +++ b/private/dexoptanalyzer.te @@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject; type dexoptanalyzer_exec, system_file_type, exec_type, file_type; type dexoptanalyzer_tmpfs, file_type; +r_dir_file(dexoptanalyzer, apk_data_file) +# Access to /vendor/app +r_dir_file(dexoptanalyzer, vendor_app_file) + # Reading an APK opens a ZipArchive, which unpack to tmpfs. # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their # own label, which differs from other labels created by other processes. From 9443b2eee0a9ab10836501bac1e131b62d410ed2 Mon Sep 17 00:00:00 2001 
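Review bot: `r_dir_file(dexoptanalyzer, apk_data_file)` is added without a comment, while the vendor_app_file rule right below it has one, and the commit message motivates only the apk_data_file read (the quoted denial); nothing on the page explains why /vendor/app access, and with it the matching `-dexoptanalyzer` exemptions added to the full_treble_only lists in coredomain.te (hunks at L5 and L6, presumably the coredomain-to-vendor-file neverallows), are needed. A comment such as `# Read installed apks and their secondary dex files for dexopt analysis (b/160471235)` on the first rule, plus a sentence in the commit message covering the vendor_app_file case, would let a later reviewer judge whether the coredomain exemption can be dropped if the vendor path turns out to be unnecessary. The same dexoptanalyzer.te hunk appears for private/ later in L6.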
From: Alan Stokes Date: Thu, 16 Jul 2020 10:42:58 +0100 Subject: [PATCH 03/15] Constrain getattr for app data directories. This seems to have been omitted inadvertently. Bug: 161356067 Test: Verified test app can no longer call stat() Change-Id: I6bffa9d2932a221823648ab01b58437d5bf6e194 --- prebuilts/api/30.0/private/mls | 2 +- private/mls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/prebuilts/api/30.0/private/mls b/prebuilts/api/30.0/private/mls index 9690440e8..08d4e1f94 100644 --- a/prebuilts/api/30.0/private/mls +++ b/prebuilts/api/30.0/private/mls @@ -54,7 +54,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto } # Only constrain open, not read/write. # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. # Subject must dominate object unless the subject is trusted. -mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } +mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir } ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject); mlsconstrain { file sock_file } { open setattr unlink link rename } ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); diff --git a/private/mls b/private/mls index 9690440e8..08d4e1f94 100644 --- a/private/mls +++ b/private/mls 
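Review bot: The comment block immediately above the changed constraint still reads `# Only constrain open, not read/write.` / `# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.`, which no longer describes the rule now that `getattr` is in the dir permission set, so the file itself does not tell a reader why stat() on app data directories is MLS-constrained while reads are not. Suggest amending the second line to `# Also constrain getattr and other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. (b/161356067)`. The same change appears in private/mls (hunk ending at L8).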
@@ -54,7 +54,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto } # Only constrain open, not read/write. # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. # Subject must dominate object unless the subject is trusted. -mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } +mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir } ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject); mlsconstrain { file sock_file } { open setattr unlink link rename } ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); From 6a8d1bee1ce9c6728cbe729e359041992fa13433 Mon Sep 17 00:00:00 2001 From: Martijn Coenen Date: Tue, 4 Aug 2020 12:09:38 +0200 Subject: [PATCH 04/15] Add policy for LOOP_CONFIGURE ioctl. This is a new ioctl for configuring loop devices, and is used by apexd. Bug: 148607611 Bug: 161575393 Test: boot on device with/without LOOP_CONFIGURE Change-Id: I9ef940c7c9f91eb32a01e68b858169c140d15d0f --- prebuilts/api/30.0/private/apexd.te | 1 + prebuilts/api/30.0/public/ioctl_defines | 1 + private/apexd.te | 1 + public/ioctl_defines | 1 + 4 files changed, 4 insertions(+) diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te index 9e702dd91..7c7ddc6dc 100644 --- a/prebuilts/api/30.0/private/apexd.te +++ b/prebuilts/api/30.0/private/apexd.te @@ -37,6 +37,7 @@ allowxperm apexd loop_device:blk_file ioctl { LOOP_SET_DIRECT_IO LOOP_CLR_FD BLKFLSBUF + LOOP_CONFIGURE }; # allow apexd to access /dev/block allow apexd block_device:dir r_dir_perms; diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines index 4cc3bba51..558dd926c 100644 --- a/prebuilts/api/30.0/public/ioctl_defines +++ b/prebuilts/api/30.0/public/ioctl_defines 
@@ -1370,6 +1370,7 @@ define(`LOGGER_GET_VERSION', `0x0000ae05') define(`LOGGER_SET_VERSION', `0x0000ae06') define(`LOOP_CHANGE_FD', `0x00004c06') define(`LOOP_CLR_FD', `0x00004c01') +define(`LOOP_CONFIGURE', `0x00004c0a') define(`LOOP_CTL_ADD', `0x00004c80') define(`LOOP_CTL_GET_FREE', `0x00004c82') define(`LOOP_CTL_REMOVE', `0x00004c81') diff --git a/private/apexd.te b/private/apexd.te index 9e702dd91..7c7ddc6dc 100644 --- a/private/apexd.te +++ b/private/apexd.te @@ -37,6 +37,7 @@ allowxperm apexd loop_device:blk_file ioctl { LOOP_SET_DIRECT_IO LOOP_CLR_FD BLKFLSBUF + LOOP_CONFIGURE }; # allow apexd to access /dev/block allow apexd block_device:dir r_dir_perms; diff --git a/public/ioctl_defines b/public/ioctl_defines index 4cc3bba51..558dd926c 100644 --- a/public/ioctl_defines +++ b/public/ioctl_defines @@ -1370,6 +1370,7 @@ define(`LOGGER_GET_VERSION', `0x0000ae05') define(`LOGGER_SET_VERSION', `0x0000ae06') define(`LOOP_CHANGE_FD', `0x00004c06') define(`LOOP_CLR_FD', `0x00004c01') +define(`LOOP_CONFIGURE', `0x00004c0a') define(`LOOP_CTL_ADD', `0x00004c80') define(`LOOP_CTL_GET_FREE', `0x00004c82') define(`LOOP_CTL_REMOVE', `0x00004c81') From 15f64fc5f839d9ac2cd91f28ef9a9787805b4c8b Mon Sep 17 00:00:00 2001 
From: JaeMan Date: Tue, 7 Jul 2020 15:49:34 +0000 Subject: [PATCH 05/15] Add ro.vendor.build.version.sdk to property_contexts At b/160209547, it is needed to read ro.vendor.build.version.sdk prop to determine whether skipping test or not based on vendor image's release version. But ro.vendor.build.version.sdk is not added to property_contexts and failed to read that prop in tests. So, added ro.vendor.build.version.sdk to property_contexts for checking vendor image's release version in test. Bug: 160209547 Test: m selinux_policy Change-Id: I4a7b91029c0ea6bb3c4cf2b12469f392f3a77559 Merged-In: I86bcfa632de61c5805e42aea3a1f232ae4ad080e (cherry picked from 65cecec142df8b3d6594f5c4dc72e6fc2d9e35a5) --- prebuilts/api/30.0/public/property_contexts | 1 + public/property_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts index f985200e0..6a99e3ffb 100644 --- a/prebuilts/api/30.0/public/property_contexts +++ b/prebuilts/api/30.0/public/property_contexts @@ -401,6 +401,7 @@ ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string +ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int ro.vndk.lite u:object_r:vndk_prop:s0 exact bool ro.vndk.version u:object_r:vndk_prop:s0 exact string ro.vts.coverage u:object_r:exported_default_prop:s0 exact int diff --git a/public/property_contexts b/public/property_contexts index f985200e0..6a99e3ffb 100644 --- a/public/property_contexts +++ b/public/property_contexts 
@@ -401,6 +401,7 @@ ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string +ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int ro.vndk.lite u:object_r:vndk_prop:s0 exact bool ro.vndk.version u:object_r:vndk_prop:s0 exact string ro.vts.coverage u:object_r:exported_default_prop:s0 exact int From 8422c454344a7532edc73a53ebf2311d9b964fd2 Mon Sep 17 00:00:00 2001 From: Treehugger Robot Date: Tue, 4 Aug 2020 18:46:35 +0000 Subject: [PATCH 06/15] Merge "Allow dumpstate to dump auto hal servers" am: 142d16a964 am: ce2c6fd783 am: 828a7bad6e am: a71f8aec29 Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1381029 Allow dumpstate to dump auto hal servers audiocontrol_hal, vehicle_hal and evs_hal were added to dump_util.cpp in b/148098383. But the coresponding dumpstate.te is not updated to relfect the changes, causing denials when dumpstate attempts to dump auto hal servers. This CL updates dumpstate.te to allow dumpstate to access auto hal servers. Bug: 162537916 Bug: 162771359 Test: sesearch -A -s dumpstate -t hal_audiocontrol_server -p signal sepolicy Test: sesearch -A -s dumpstate -t hal_vehicle_server -p signal sepolicy Test: sesearch -A -s dumpstate -t hal_evs_server -p signal sepolicy Change-Id: I43c27c8dcd55a0e9cb1684e2f765fe70f9e4c2fd (cherry picked from commit 215cc95c3e69435a9d651c400d25b044c61c18a3) --- prebuilts/api/30.0/public/dumpstate.te | 3 +++ public/dumpstate.te | 3 +++ 2 files changed, 6 insertions(+) diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te index 8d99a3cd3..0609d928b 100644 --- a/prebuilts/api/30.0/public/dumpstate.te +++ b/prebuilts/api/30.0/public/dumpstate.te 
@@ -76,10 +76,12 @@ allow dumpstate { # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c hal_audio_server + hal_audiocontrol_server hal_bluetooth_server hal_camera_server hal_codec2_server hal_drm_server + hal_evs_server hal_face_server hal_fingerprint_server hal_graphics_allocator_server @@ -91,6 +93,7 @@ allow dumpstate { hal_power_stats_server hal_sensors_server hal_thermal_server + hal_vehicle_server hal_vr_server system_suspend_server }:process signal; diff --git a/public/dumpstate.te b/public/dumpstate.te index 8d99a3cd3..0609d928b 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -76,10 +76,12 @@ allow dumpstate { # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c hal_audio_server + hal_audiocontrol_server hal_bluetooth_server hal_camera_server hal_codec2_server hal_drm_server + hal_evs_server hal_face_server hal_fingerprint_server hal_graphics_allocator_server @@ -91,6 +93,7 @@ allow dumpstate { hal_power_stats_server hal_sensors_server hal_thermal_server + hal_vehicle_server hal_vr_server system_suspend_server }:process signal; From 56f6527cd329825ccb9c4cea7b66d3b479338bc5 Mon Sep 17 00:00:00 2001 From: linpeter Date: Thu, 9 Jul 2020 20:23:12 +0800 Subject: [PATCH 07/15] sepolicy: remove hal_light_severice exception Bug: 148154485 test: build pass, HBM switch Change-Id: I775ee6015b03817ed1394f3b6c306f4b5153190e Merged-In: I775ee6015b03817ed1394f3b6c306f4b5153190e --- public/domain.te | 1 - 1 file changed, 1 deletion(-) diff --git a/public/domain.te b/public/domain.te index f23e832f1..8223dbe78 100644 --- a/public/domain.te +++ b/public/domain.te @@ -664,7 +664,6 @@ full_treble_only(` -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed -cameraserver_service -drmserver_service - -hal_light_service # TODO(b/148154485) remove once all violators are gone -credstore_service -keystore_service -mediadrmserver_service 
From 8f6b03cae7f8af510b2e2d51f60f9fa5d0229aed Mon Sep 17 00:00:00 2001 From: Marco Ballesio Date: Wed, 27 May 2020 14:10:39 -0700 Subject: [PATCH 08/15] sepolicy support for cgroup v2 cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hiearchy will be mounted by init under /sys/fs/cgroup hence proper access rights are necessary for sysfs. After mounting, the cgroup v2 kernfs will use the label cgroup_v2 and system_manager will handle the freezer Bug: 154548692 Test: verified that the freezer works as expected after applying this patch Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960 Merged-In: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960 --- prebuilts/api/30.0/private/compat/29.0/29.0.cil | 1 + prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil | 1 + prebuilts/api/30.0/private/genfs_contexts | 2 +- prebuilts/api/30.0/private/system_server.te | 2 ++ prebuilts/api/30.0/public/file.te | 4 ++-- prebuilts/api/30.0/public/init.te | 2 +- prebuilts/api/30.0/public/netd.te | 2 +- private/compat/29.0/29.0.cil | 1 + private/compat/29.0/29.0.ignore.cil | 1 + private/genfs_contexts | 2 +- private/system_server.te | 2 ++ public/file.te | 4 ++-- public/init.te | 2 +- public/netd.te | 2 +- 14 files changed, 18 insertions(+), 10 deletions(-) diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.cil index 5231498e1..d59242b88 100644 --- a/prebuilts/api/30.0/private/compat/29.0/29.0.cil +++ b/prebuilts/api/30.0/private/compat/29.0/29.0.cil @@ -1,5 +1,6 @@ ;; types removed from current policy (type ashmemd) +(type cgroup_bpf) (type hal_wifi_offload_hwservice) (type install_recovery) (type install_recovery_exec) diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil index fdea691ea..3b016a33c 100644 --- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil +++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil 
@@ -29,6 +29,7 @@ boringssl_self_test bq_config_prop cacheinfo_service + cgroup_v2 charger_prop cold_boot_done_prop credstore diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts index 89232bc01..f00705a57 100644 --- a/prebuilts/api/30.0/private/genfs_contexts +++ b/prebuilts/api/30.0/private/genfs_contexts @@ -103,7 +103,7 @@ genfscon fusectl / u:object_r:fusectlfs:s0 # selinuxfs booleans can be individually labeled. genfscon selinuxfs / u:object_r:selinuxfs:s0 genfscon cgroup / u:object_r:cgroup:s0 -genfscon cgroup2 / u:object_r:cgroup_bpf:s0 +genfscon cgroup2 / u:object_r:cgroup_v2:s0 # sysfs labels can be set by userspace. genfscon sysfs / u:object_r:sysfs:s0 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0 diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te index 66c46ed97..5d8277069 100644 --- a/prebuilts/api/30.0/private/system_server.te +++ b/prebuilts/api/30.0/private/system_server.te @@ -893,6 +893,8 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi r_dir_file(system_server, cgroup) allow system_server ion_device:chr_file r_file_perms; +allow system_server cgroup_v2:dir r_dir_perms; +allow system_server cgroup_v2:file rw_file_perms; r_dir_file(system_server, proc_asound) r_dir_file(system_server, proc_net_type) diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te index 91257e237..3b7877b90 100644 --- a/prebuilts/api/30.0/public/file.te +++ b/prebuilts/api/30.0/public/file.te @@ -77,7 +77,7 @@ type proc_zoneinfo, fs_type, proc_type; type selinuxfs, fs_type, mlstrustedobject; type fusectlfs, fs_type; type cgroup, fs_type, mlstrustedobject; -type cgroup_bpf, fs_type; +type cgroup_v2, fs_type; type sysfs, fs_type, sysfs_type, mlstrustedobject; type sysfs_android_usb, fs_type, sysfs_type; type sysfs_uio, sysfs_type, fs_type; 
@@ -523,7 +523,7 @@ type vndservice_contexts_file, file_type; # Allow files to be created in their appropriate filesystems. allow fs_type self:filesystem associate; allow cgroup tmpfs:filesystem associate; -allow cgroup_bpf tmpfs:filesystem associate; +allow cgroup_v2 tmpfs:filesystem associate; allow cgroup_rc_file tmpfs:filesystem associate; allow sysfs_type sysfs:filesystem associate; allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate; diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te index 403b4c5e6..5a23e45f4 100644 --- a/prebuilts/api/30.0/public/init.te +++ b/prebuilts/api/30.0/public/init.te @@ -96,7 +96,7 @@ allow init { postinstall_mnt_dir mirror_data_file }:dir mounton; -allow init cgroup_bpf:dir { create mounton }; +allow init cgroup_v2:dir { mounton create_dir_perms }; # Mount bpf fs on sys/fs/bpf allow init fs_bpf:dir mounton; diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te index 8005406d6..01862e271 100644 --- a/prebuilts/api/30.0/public/netd.te +++ b/prebuilts/api/30.0/public/netd.te @@ -60,7 +60,7 @@ allow netd sysfs_net:file w_file_perms; # TODO: added to match above sysfs rule. Remove me? allow netd sysfs_usb:file write; -r_dir_file(netd, cgroup_bpf) +r_dir_file(netd, cgroup_v2) allow netd fs_bpf:dir search; allow netd fs_bpf:file { read write }; diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil index 5231498e1..d59242b88 100644 --- a/private/compat/29.0/29.0.cil +++ b/private/compat/29.0/29.0.cil @@ -1,5 +1,6 @@ ;; types removed from current policy (type ashmemd) +(type cgroup_bpf) (type hal_wifi_offload_hwservice) (type install_recovery) (type install_recovery_exec) diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index fdea691ea..3b016a33c 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil 
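Review bot: `allow init cgroup_v2:dir { mounton create_dir_perms };` in the init.te hunk widens init's access on the cgroup2 hierarchy from `{ create mounton }` to the whole create_dir_perms set (write, add_name, remove_name, rmdir, …) with no comment saying what init now does there; the commit message only says init mounts it. If the extra permissions are for creating the controller subdirectories that system_server later uses, a comment like `# Mount cgroup2 on /sys/fs/cgroup and create its controller subdirectories` above the rule would record that; if init only needs mkdir, `{ mounton create add_name write search }` is the tighter set. The same hunk appears for public/init.te at L17.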
@@ -29,6 +29,7 @@ boringssl_self_test bq_config_prop cacheinfo_service + cgroup_v2 charger_prop cold_boot_done_prop credstore diff --git a/private/genfs_contexts b/private/genfs_contexts index 89232bc01..f00705a57 100644 --- a/private/genfs_contexts +++ b/private/genfs_contexts @@ -103,7 +103,7 @@ genfscon fusectl / u:object_r:fusectlfs:s0 # selinuxfs booleans can be individually labeled. genfscon selinuxfs / u:object_r:selinuxfs:s0 genfscon cgroup / u:object_r:cgroup:s0 -genfscon cgroup2 / u:object_r:cgroup_bpf:s0 +genfscon cgroup2 / u:object_r:cgroup_v2:s0 # sysfs labels can be set by userspace. genfscon sysfs / u:object_r:sysfs:s0 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0 diff --git a/private/system_server.te b/private/system_server.te index 66c46ed97..5d8277069 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -893,6 +893,8 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi r_dir_file(system_server, cgroup) allow system_server ion_device:chr_file r_file_perms; +allow system_server cgroup_v2:dir r_dir_perms; +allow system_server cgroup_v2:file rw_file_perms; r_dir_file(system_server, proc_asound) r_dir_file(system_server, proc_net_type) diff --git a/public/file.te b/public/file.te index 91257e237..3b7877b90 100644 --- a/public/file.te +++ b/public/file.te @@ -77,7 +77,7 @@ type proc_zoneinfo, fs_type, proc_type; type selinuxfs, fs_type, mlstrustedobject; type fusectlfs, fs_type; type cgroup, fs_type, mlstrustedobject; -type cgroup_bpf, fs_type; +type cgroup_v2, fs_type; type sysfs, fs_type, sysfs_type, mlstrustedobject; type sysfs_android_usb, fs_type, sysfs_type; type sysfs_uio, sysfs_type, fs_type; 
@@ -523,7 +523,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 403b4c5e6..5a23e45f4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,7 +96,7 @@ allow init {
 postinstall_mnt_dir mirror_data_file }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_v2:dir { mounton create_dir_perms };
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
diff --git a/public/netd.te b/public/netd.te
index 8005406d6..01862e271 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -60,7 +60,7 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
From de065facd84cc1de727be1be91dc9989690fc468 Mon Sep 17 00:00:00 2001
From: Marco Ballesio
Date: Tue, 25 Aug 2020 15:08:19 -0700
Subject: [PATCH 09/15] sepolicy: allow system_server to write to cgroup_v2
During boot, system_server will need to write to files under /sys/fs/cgroup/freezer. Change the cgroup_v2 policy to allow this operation.
Test: booted device with change, verified that files are properly accessed.
Bug: 154548692
Change-Id: I2ccc112c8870129cb1b8312023b54268312efcca
Merged-In: I2ccc112c8870129cb1b8312023b54268312efcca
---
 prebuilts/api/30.0/private/system_server.te | 2 +-
 private/system_server.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 5d8277069..56bb67a51 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -893,7 +893,7 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
 allow system_server cgroup_v2:file rw_file_perms;
 r_dir_file(system_server, proc_asound)
diff --git a/private/system_server.te b/private/system_server.te
index 5d8277069..56bb67a51 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -893,7 +893,7 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
 allow system_server cgroup_v2:file rw_file_perms;
 r_dir_file(system_server, proc_asound)
From a33ac30dd3f51e950c1d5b1cbdb22bdaaa45e336 Mon Sep 17 00:00:00 2001
From: Alex Hong
Date: Wed, 26 Aug 2020 16:51:34 +0800
Subject: [PATCH 10/15] Add the missing labels for dalvik properties
Bug: 162791243
Bug: 159833646
Test: Flash SELinux modules and the device can boot to home $ adb shell getprop -Z | grep dalvik [dalvik.vm.restore-dex2oat-cpu-set]: [u:object_r:exported_dalvik_prop:s0] [dalvik.vm.restore-dex2oat-threads]: [u:object_r:exported_dalvik_prop:s0]
Change-Id: Ie73dc57c714a37b778cebc4d41bee27a8e925396
Merged-In: Ie73dc57c714a37b778cebc4d41bee27a8e925396
---
 prebuilts/api/30.0/public/property_contexts | 2 ++
 public/property_contexts | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 7684535bd..4607ef325 100644
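Review bot: The commit message justifies writing to files under /sys/fs/cgroup/freezer, but the hunk changes the directory rule, `-allow system_server cgroup_v2:dir r_dir_perms;` → `+allow system_server cgroup_v2:dir rw_dir_perms;`, while the file rule on the following context line was already `rw_file_perms`. Writing an existing control file needs no directory write; what `rw_dir_perms` adds over `r_dir_perms` (write, add_name, remove_name per global_macros, as far as I recall) is what creating or unlinking directory entries needs, so either the message should say that system_server creates or removes cgroup entries, or the rule should stay at `r_dir_perms`. A comment on the rule would make the intent checkable, e.g. `# system_server creates and removes freezer cgroups under /sys/fs/cgroup (b/154548692)` if that is the case. The private/system_server.te hunk of this commit is identical.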
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,6 +67,8 @@ dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
diff --git a/public/property_contexts b/public/property_contexts
index 7684535bd..4607ef325 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -67,6 +67,8 @@ dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
From 062ea395c3028a7652cf8a4c6ec144887ef8f3d5 Mon Sep 17 00:00:00 2001
From: Alex Hong
Date: Wed, 26 Aug 2020 16:51:34 +0800
Subject: [PATCH 11/15] Add the missing labels for dalvik properties
Conflicts: public/property_contexts
Bug: 162791243
Bug: 159833646
Test: Flash SELinux modules and the device can boot to home $ adb shell getprop -Z | grep dalvik [dalvik.vm.restore-dex2oat-cpu-set]: [u:object_r:exported_dalvik_prop:s0] [dalvik.vm.restore-dex2oat-threads]: [u:object_r:exported_dalvik_prop:s0]
Change-Id: Ie73dc57c714a37b778cebc4d41bee27a8e925396
---
 prebuilts/api/30.0/public/property_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 40f68899e..57167d150 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,6 +67,8 @@ dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
From e756e983bb6481359038509d4a0efbcab45dacb9 Mon Sep 17 00:00:00 2001
From: Marco Ballesio
Date: Thu, 27 Aug 2020 09:42:03 -0700
Subject: [PATCH 12/15] sepolicy: rename cgroup_v2 back to cgroup_bpf
The type name change from cgroup_bpf into cgroup_v2 caused http://b/166064067. Rename back to cgroup_bpf.
Bug: 166064067
Test: compiled and booted on a sunfish. Manually tested network and app freezer
Change-Id: Ib39eb104e73d6dca3b1f61b108a3deeea31ff880
Merged-In: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
---
 prebuilts/api/30.0/private/compat/29.0/29.0.cil | 1 -
 prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil | 1 -
 prebuilts/api/30.0/private/genfs_contexts | 2 +-
 prebuilts/api/30.0/private/system_server.te | 4 ++--
 prebuilts/api/30.0/public/file.te | 4 ++--
 prebuilts/api/30.0/public/init.te | 2 +-
 prebuilts/api/30.0/public/netd.te | 2 +-
 private/compat/29.0/29.0.cil | 1 -
 private/compat/29.0/29.0.ignore.cil | 1 -
 private/genfs_contexts | 2 +-
 private/system_server.te | 4 ++--
 public/file.te | 4 ++--
 public/init.te | 2 +-
 public/netd.te | 2 +-
 14 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.cil
index d59242b88..5231498e1 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.cil
@@ -1,6 +1,5 @@
 ;; types removed from current policy
 (type ashmemd)
-(type cgroup_bpf)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 3b016a33c..fdea691ea 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -29,7 +29,6 @@ boringssl_self_test
 bq_config_prop
 cacheinfo_service
- cgroup_v2
 charger_prop
 cold_boot_done_prop
 credstore
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index f00705a57..89232bc01 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -103,7 +103,7 @@ genfscon fusectl / u:object_r:fusectlfs:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_v2:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 56bb67a51..d9d789825 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -893,8 +893,8 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
+allow system_server cgroup_bpf:dir rw_dir_perms;
+allow system_server cgroup_bpf:file rw_file_perms;
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 3b7877b90..91257e237 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -77,7 +77,7 @@ type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
+type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -523,7 +523,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te
index 5a23e45f4..cc51a2b72 100644
--- a/prebuilts/api/30.0/public/init.te
+++ b/prebuilts/api/30.0/public/init.te
@@ -96,7 +96,7 @@ allow init {
 postinstall_mnt_dir mirror_data_file }:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
+allow init cgroup_bpf:dir { mounton create_dir_perms };
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te
index 01862e271..8005406d6 100644
--- a/prebuilts/api/30.0/public/netd.te
+++ b/prebuilts/api/30.0/public/netd.te
@@ -60,7 +60,7 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
-r_dir_file(netd, cgroup_v2)
+r_dir_file(netd, cgroup_bpf)
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index d59242b88..5231498e1 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,6 +1,5 @@
 ;; types removed from current policy
 (type ashmemd)
-(type cgroup_bpf)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 3b016a33c..fdea691ea 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
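Review bot: The rename back is not a pure revert: `+allow init cgroup_bpf:dir { mounton create_dir_perms };` keeps the widened set that arrived with the rename, where the 29.0-era rule was `{ create mounton }`, and the system_server.te hunks of this commit likewise keep `rw_dir_perms`/`rw_file_perms` on the type. The message describes the change only as undoing the name change for b/166064067, so anyone auditing cgroup_bpf access against the previous release will not expect the extra permissions; the message should state that the intermediate permission additions are intentionally retained under the old name, or the rules should be reverted together with the name. The public/init.te and private/system_server.te hunks of this commit carry the same lines.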
@@ -29,7 +29,6 @@ boringssl_self_test
 bq_config_prop
 cacheinfo_service
- cgroup_v2
 charger_prop
 cold_boot_done_prop
 credstore
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f00705a57..89232bc01 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -103,7 +103,7 @@ genfscon fusectl / u:object_r:fusectlfs:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_v2:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
diff --git a/private/system_server.te b/private/system_server.te
index 56bb67a51..d9d789825 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -893,8 +893,8 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
+allow system_server cgroup_bpf:dir rw_dir_perms;
+allow system_server cgroup_bpf:file rw_file_perms;
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
diff --git a/public/file.te b/public/file.te
index 3b7877b90..91257e237 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,7 +77,7 @@ type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
+type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -523,7 +523,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 5a23e45f4..cc51a2b72 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,7 +96,7 @@ allow init {
 postinstall_mnt_dir mirror_data_file }:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
+allow init cgroup_bpf:dir { mounton create_dir_perms };
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
diff --git a/public/netd.te b/public/netd.te
index 01862e271..8005406d6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -60,7 +60,7 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
-r_dir_file(netd, cgroup_v2)
+r_dir_file(netd, cgroup_bpf)
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
From 623f3f5cef8b04155189c470cc14cbf579af13e8 Mon Sep 17 00:00:00 2001
From: Calin Juravle
Date: Mon, 13 Jul 2020 18:53:38 -0700
Subject: [PATCH 13/15] Fix sepolicy for secondary dex files
dexoptanalyzer need read access on the secondary dex files and of the main apk files in order to successfully evaluate and optimize them. Example of denial: audit(0.0:30): avc: denied { read } for path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk" dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.example.secondaryrepro
Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Merged-In: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
(cherry picked from commit 0bee12090002d036bf34e18f877f8b6fa5d34fae)
---
 prebuilts/api/30.0/private/coredomain.te | 2 ++
 prebuilts/api/30.0/private/dexoptanalyzer.te | 4 ++++
 private/coredomain.te | 2 ++
 private/dexoptanalyzer.te | 4 ++++
 4 files changed, 12 insertions(+)
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index ab731f122..86e800962 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -22,6 +22,7 @@ full_treble_only(`
 coredomain
 -appdomain
 -dex2oat
+ -dexoptanalyzer
 -idmap
 -init
 -installd
@@ -38,6 +39,7 @@ full_treble_only(`
 coredomain
 -appdomain
 -dex2oat
+ -dexoptanalyzer
 -idmap
 -init
 -installd
diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te
index 1f9246230..a2b2b018d 100644
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
diff --git a/private/coredomain.te b/private/coredomain.te
index ab731f122..86e800962 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -22,6 +22,7 @@ full_treble_only(`
 coredomain
 -appdomain
 -dex2oat
+ -dexoptanalyzer
 -idmap
 -init
 -installd
@@ -38,6 +39,7 @@ full_treble_only(`
 coredomain
 -appdomain
 -dex2oat
+ -dexoptanalyzer
 -idmap
 -init
 -installd
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1f9246230..a2b2b018d 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
From b88423d59152a17f026e8656135b81d6907aba24 Mon Sep 17 00:00:00 2001
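Review bot: `+r_dir_file(dexoptanalyzer, apk_data_file)` in the dexoptanalyzer.te hunks lands without a comment while the `vendor_app_file` rule right below it gets one; the denial quoted in the commit message (read on base.apk under /data/app) is the justification and belongs next to the rule, e.g. `# Read installed APKs and their secondary dex files to decide whether they need dexopt (b/160471235)`. The coredomain.te hunks of this commit add `-dexoptanalyzer` to two `full_treble_only` exemption lists whose neverallow statements start outside the hunks; presumably that exemption is what lets the `vendor_app_file` grant compile, so the `# Access to /vendor/app` comment should mention that the coredomain.te entries must be kept in step, otherwise a later cleanup of one side breaks the other at build time.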
From: Marco Ballesio
Date: Tue, 1 Sep 2020 17:24:55 -0700
Subject: [PATCH 14/15] sepolicy: restrict BINDER_FREEZE to system_server
BINDER_FREEZE is used to block ipc transactions to frozen processes, so only system_server must be allowed to use it.
Bug: 143717177
Test: manually verified that attempts to use BINDER_FREEZE by processes other than system_server receive a sepolicy denial
Test: verified that system_server can enable/disable the freezer in binder
Change-Id: I0fae3585c6ec409809e8085c1cc9862be4755889
Merged-In: I0fae3585c6ec409809e8085c1cc9862be4755889
---
 prebuilts/api/30.0/private/system_server.te | 7 +++++++
 prebuilts/api/30.0/public/domain.te | 4 ++++
 prebuilts/api/30.0/public/ioctl_defines | 4 ++++
 prebuilts/api/30.0/public/ioctl_macros | 8 ++++++++
 private/system_server.te | 7 +++++++
 public/domain.te | 4 ++++
 public/ioctl_defines | 4 ++++
 public/ioctl_macros | 8 ++++++++
 8 files changed, 46 insertions(+)
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index d9d789825..dab09982e 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -973,6 +973,9 @@ get_prop(system_server, time_prop)
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
 ###
 ### Neverallow rules
 ###
@@ -1172,3 +1175,7 @@ neverallow system_server self:perf_event ~{ open write cpu kernel };
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
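Review bot: `+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };` only constrains the `binder_device` label, and the matching default allowlist in domain.te is scoped to `binder_device` as well. The hwbinder and vndbinder device nodes are served by the same driver, and for a (domain, target) pair with no xperm rule at all, plain `ioctl` permission admits every command; so whether a domain holding ioctl on `hwbinder_device` or `vndbinder_device` can reach BINDER_FREEZE depends on rules outside this hunk, and I cannot tell from here. The commit message's test ("attempts ... by processes other than system_server receive a sepolicy denial") should say which device nodes were exercised, and if the other two are not already covered, the neverallowxperm should name all three targets. The private/system_server.te hunk of this commit is identical.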
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 8cb495037..e1ca737ce 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -80,6 +80,10 @@ allow domain ashmem_libcutils_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 558dd926c..e31868aa6 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -132,7 +132,11 @@ define(`BC_RELEASE', `0x40046306')
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')
diff --git a/prebuilts/api/30.0/public/ioctl_macros b/prebuilts/api/30.0/public/ioctl_macros
index 5cbfae53f..45389620d 100644
--- a/prebuilts/api/30.0/public/ioctl_macros
+++ b/prebuilts/api/30.0/public/ioctl_macros
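Review bot: `+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;` is introduced as "safe defaults for all processes", yet the macro it references (ioctl_macros hunks of this commit) lists `BINDER_SET_CONTEXT_MGR` and `BINDER_SET_CONTEXT_MGR_EXT`, the one binder operation that is privileged: it registers the caller as the context manager. As far as I know the kernel still gates that through the separate `binder set_context_mgr` permission and refuses a second manager, so this is not an immediate hole, but an allowlist named "unpriv" that contains the privileged command misleads the next reader and gives no compile-time guard of its own. Either move the two SET_CONTEXT_MGR defines out of the macro into the servicemanager domains, or add a comment on the macro such as `# BINDER_SET_CONTEXT_MGR(_EXT) is additionally gated by the binder:set_context_mgr check`. The public/domain.te hunk of this commit has the same line.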
@@ -66,3 +66,11 @@ PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
diff --git a/private/system_server.te b/private/system_server.te
index d9d789825..dab09982e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -973,6 +973,9 @@ get_prop(system_server, time_prop)
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
 ###
 ### Neverallow rules
 ###
@@ -1172,3 +1175,7 @@ neverallow system_server self:perf_event ~{ open write cpu kernel };
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
diff --git a/public/domain.te b/public/domain.te
index 8cb495037..e1ca737ce 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@ allow domain ashmem_libcutils_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 558dd926c..e31868aa6 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,7 +132,11 @@ define(`BC_RELEASE', `0x40046306')
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 5cbfae53f..45389620d 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -66,3 +66,11 @@ PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
From 63322ae7e63b0250b77527258098239c9070d27f Mon Sep 17 00:00:00 2001
From: Marco Ballesio
Date: Fri, 11 Sep 2020 14:27:45 -0700
Subject: [PATCH 15/15] sepolicy: allow system server for BINDER_GET_FROZEN_INFO
the new ioctl allows system server to verfiry the state of a frozen binder inderface before unfreezing a process.
Bug: 143717177
Test: verified ActivityManager could access the ioctl
Change-Id: Id9d90d072ce997ed20faa918ec68f1110e2bac8f
Merged-In: Id9d90d072ce997ed20faa918ec68f1110e2bac8f
---
 prebuilts/api/30.0/private/system_server.te | 8 +++++---
 prebuilts/api/30.0/public/ioctl_defines | 1 +
 private/system_server.te | 8 +++++---
 public/ioctl_defines | 1 +
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index dab09982e..213b3c80f 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -973,8 +973,8 @@ get_prop(system_server, time_prop)
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
-# Only system server can access BINDER_FREEZE
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
 ###
 ### Neverallow rules
@@ -1178,4 +1178,6 @@ neverallow { domain -init -system_server } socket_hook_prop:property_service set
 # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
 # can be accessed by system_server only (b/143717177)
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index e31868aa6..6e2ed6505 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -133,6 +133,7 @@ define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
 define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
 define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
 define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
diff --git a/private/system_server.te b/private/system_server.te
index dab09982e..213b3c80f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -973,8 +973,8 @@ get_prop(system_server, time_prop)
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
-# Only system server can access BINDER_FREEZE
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
 ###
 ### Neverallow rules
@@ -1178,4 +1178,6 @@ neverallow { domain -init -system_server } socket_hook_prop:property_service set
 # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
 # can be accessed by system_server only (b/143717177)
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index e31868aa6..6e2ed6505 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -133,6 +133,7 @@ define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
 define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
 define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
 define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')