From 4561fcb76c63eb8aecdb67a7ee0600ef5e2009c7 Mon Sep 17 00:00:00 2001 From: Paul Crowley Date: Mon, 16 Sep 2019 10:00:52 -0700 Subject: [PATCH 01/19] Allow toolbox to rm -rf /data/per_boot Bug: 140882488 Test: create files and dirs in /data/per_boot, check they're removed. Cherry-Picked-From: 859f9211d802e1c210ccf15674c3bd6dc60c3681 Cherry-Picked-From: 2367ba358f0ec0c0c591e3e2feadabf891f38eef Merged-In: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343 Change-Id: Idf0ba09cbe51cbff6a7b2a464c4651a1f7fcf343 --- prebuilts/api/29.0/public/domain.te | 2 +- prebuilts/api/29.0/public/toolbox.te | 4 ++++ public/domain.te | 2 +- public/toolbox.te | 4 ++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te index 987bb9f2d..f34870181 100644 --- a/prebuilts/api/29.0/public/domain.te +++ b/prebuilts/api/29.0/public/domain.te @@ -1154,6 +1154,7 @@ neverallow { -system_server -system_app -init + -toolbox # TODO(b/141108496) We want to remove toolbox -installd # for relabelfrom and unlink, check for this in explicit neverallow -vold_prepare_subdirs # For unlink with_asan(`-asan_extract') @@ -1407,4 +1408,3 @@ neverallow { -hal_codec2_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add; - diff --git a/prebuilts/api/29.0/public/toolbox.te b/prebuilts/api/29.0/public/toolbox.te index 19cc3b6fe..fcf0ec34b 100644 --- a/prebuilts/api/29.0/public/toolbox.te +++ b/prebuilts/api/29.0/public/toolbox.te @@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms; neverallow { domain -init } toolbox:process transition; neverallow * toolbox:process dyntransition; neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint; + +# rm -rf directories in /data +allow toolbox system_data_file:dir { rmdir rw_dir_perms }; +allow toolbox system_data_file:file { getattr unlink }; diff --git a/public/domain.te b/public/domain.te index 987bb9f2d..f34870181 100644 --- a/public/domain.te 
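Review bot: The two added allow rules grant toolbox rmdir/rw_dir_perms and unlink on every `system_data_file` directory and file, while the subject scopes the need to /data/per_boot; the same widening appears in the public/toolbox.te hunk and in the `-toolbox` exemption added to the neverallow in both domain.te hunks. Nothing in the patch labels /data/per_boot with a narrower type, so the grant should at least record its intended scope and the ticket that tracks removing it, e.g. replace the comment with `# rm -rf /data/per_boot at boot (b/140882488); system_data_file-wide because per_boot has no dedicated label, see TODO(b/141108496) in domain.te`. The neverallow those exemptions relax starts outside its hunk, so its object class and permission set are not visible here.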
+++ b/public/domain.te @@ -1154,6 +1154,7 @@ neverallow { -system_server -system_app -init + -toolbox # TODO(b/141108496) We want to remove toolbox -installd # for relabelfrom and unlink, check for this in explicit neverallow -vold_prepare_subdirs # For unlink with_asan(`-asan_extract') @@ -1407,4 +1408,3 @@ neverallow { -hal_codec2_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add; - diff --git a/public/toolbox.te b/public/toolbox.te index 19cc3b6fe..fcf0ec34b 100644 --- a/public/toolbox.te +++ b/public/toolbox.te @@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms; neverallow { domain -init } toolbox:process transition; neverallow * toolbox:process dyntransition; neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint; + +# rm -rf directories in /data +allow toolbox system_data_file:dir { rmdir rw_dir_perms }; +allow toolbox system_data_file:file { getattr unlink }; From 03b5fb7f46c40b9795ccfe8c2929c39523b54c80 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Fri, 25 Oct 2019 15:11:58 -0700 Subject: [PATCH 02/19] Add fastbootd to the sys_rawio whitelist. A similar problem was previously encountered with the boot control HAL in bug 118011561. The HAL may need access to emmc to implement set_active commands. fastbootd uses the boot control HAL in passthru mode when in recovery, so by extension, it needs this exception as well. Bug: 140367894 Test: fastbootd can use sys_rawio Change-Id: I1040e314a58eae8a516a2e999e9d4e2aa51786e7 (cherry picked from commit 74affd140396b74840e5dd8018b423ffcbe25a18) Bug: 144659183 --- private/domain.te | 1 + 1 file changed, 1 insertion(+) diff --git a/private/domain.te b/private/domain.te index 209eeb0dd..1d26761d6 100644 --- a/private/domain.te +++ b/private/domain.te @@ -312,4 +312,5 @@ neverallow { -uncrypt -tee -hal_bootctl_server + -fastbootd } self:global_capability_class_set sys_rawio; From 9dc17d30c7f5ad420322349ab70621b2d126c526 Mon Sep 17 00:00:00 2001 
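Review bot: The added `-fastbootd` exemption carries no inline rationale, unlike the commit message, so the next reader of the sys_rawio neverallow cannot tell why a recovery-mode daemon is allowed raw block I/O; suggest `-fastbootd # uses the boot control HAL in passthrough mode in recovery (b/140367894)`. The exemption only lifts the build-time assertion; the corresponding allow rule for fastbootd is not part of this patch, so if it lives elsewhere it should be referenced in the comment. The neverallow block starts outside the hunk.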
From: Yiming Jing Date: Mon, 20 Apr 2020 14:20:39 -0700 Subject: [PATCH 03/19] Remove duplicate neverallow for hal_audio_server A vendor has an audio HAL implementation for Android Automotive that controls amplifiers with tcp sockets. This violates a neverallow rule in 'public/hal_audio.te': neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *; This rule prevents any audio HAL server from accessing sockets; But public/hal_neverallows.te, line 19 exempts HAL servers on automotive devices; because in a car it is common to have external modules accessible over in-vehicle networks. Therefore, the existing neverallow rule in hal_audio.te is a duplicate; and this CL removes this rule. Vendors on automotive devices should refer to 'vendor/hal_audio_default.te', by (1) creating a new type; (2) associating the type with the 'hal_automotive_socket_exemption' attribute. Bug: 150400684 Fix: 158855492 Test: tested with the following rules in 'vendor/hal_audio_default.te' Test: type harmon_amplifier, domain; Test: typeattribute hal_audio_default hal_automotive_socket_exemption; Test: allow hal_audio_default harmon_amplifier:tcp_socket connect; Test: m -j should compile sepolicy without complaints Change-Id: I517b050d0582d08f94f35ba815a030121385f319 (cherry picked from commit 6067b53d4f05564e857e99448a0b92d645634f8a) --- public/hal_audio.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/public/hal_audio.te b/public/hal_audio.te index bb9eec42c..2ce953afd 100644 --- a/public/hal_audio.te +++ b/public/hal_audio.te 
@@ -27,10 +27,6 @@ vndbinder_use(hal_audio) # Should never execute any executable without a domain transition neverallow hal_audio_server { file_type fs_type }:file execute_no_trans; -# Should never need network access. -# Disallow network sockets. -neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *; - # Only audio HAL may directly access the audio hardware neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *; From 32ac94c0f275ef7d1e887153d33d0e83cd939b1f Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Tue, 15 Sep 2020 12:22:44 +0900 Subject: [PATCH 04/19] Set expandattribute false for property attributes To prevent these from being optimized away. Bug: 161083890 Test: m selinux_policy Change-Id: Ic587df21390f6ca553bf6be9ba77685f8c048ebf Merged-In: Ic587df21390f6ca553bf6be9ba77685f8c048ebf (cherry picked from commit 2eb0396cb41634e66323fcc2b0912ec26211afcb) --- public/attributes | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/public/attributes b/public/attributes index 19623afd6..0c91692bc 100644 --- a/public/attributes +++ b/public/attributes @@ -91,15 +91,19 @@ attribute extended_core_property_type; # All properties defined by /system. attribute system_property_type; +expandattribute system_property_type false; # All /system-defined properties used only in /system. attribute system_internal_property_type; +expandattribute system_internal_property_type false; # All /system-defined properties which can't be written outside /system. attribute system_restricted_property_type; +expandattribute system_restricted_property_type false; # All /system-defined properties with no restrictions. attribute system_public_property_type; +expandattribute system_public_property_type false; # All properties defined by /product. # Currently there are no enforcements between /system and /product, so for now 
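Review bot: Each new `expandattribute … false` line is added without a comment, so the policy itself does not explain why these attributes must survive compilation; the reason given in the commit message belongs next to the first group, e.g. `# Keep the property attributes in the compiled policy so rules written against them stay visible and checkable (b/161083890)`. The same applies to the second hunk of this file and to both hunks of the prebuilts/api/30.0 copy in the following patch.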
@@ -111,15 +115,19 @@ define(`product_public_type', `system_public_property_type') # All properties defined by /vendor. attribute vendor_property_type; +expandattribute vendor_property_type false; # All /vendor-defined properties used only in /vendor. attribute vendor_internal_property_type; +expandattribute vendor_internal_property_type false; # All /vendor-defined properties which can't be written outside /vendor. attribute vendor_restricted_property_type; +expandattribute vendor_restricted_property_type false; # All /vendor-defined properties with no restrictions. attribute vendor_public_property_type; +expandattribute vendor_public_property_type false; # All service_manager types created by system_server attribute system_server_service; From fa3b250ad1acabe7131c14c24a129839a0dead10 Mon Sep 17 00:00:00 2001 From: Satoshi Niwa Date: Thu, 24 Sep 2020 10:43:09 +0900 Subject: [PATCH 05/19] Set expandattribute false for property attributes in prebuilts To prevent these from being optimized away. (Follow-up CL for aosp/1427751 ) Bug: 161083890 Test: atest CtsSecurityHostTestCases Change-Id: I11669b1643671f386c53136de0b7adea2b43bc28 --- prebuilts/api/30.0/public/attributes | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/prebuilts/api/30.0/public/attributes b/prebuilts/api/30.0/public/attributes index 19623afd6..0c91692bc 100644 --- a/prebuilts/api/30.0/public/attributes +++ b/prebuilts/api/30.0/public/attributes 
@@ -91,15 +91,19 @@ attribute extended_core_property_type; # All properties defined by /system. attribute system_property_type; +expandattribute system_property_type false; # All /system-defined properties used only in /system. attribute system_internal_property_type; +expandattribute system_internal_property_type false; # All /system-defined properties which can't be written outside /system. attribute system_restricted_property_type; +expandattribute system_restricted_property_type false; # All /system-defined properties with no restrictions. attribute system_public_property_type; +expandattribute system_public_property_type false; # All properties defined by /product. # Currently there are no enforcements between /system and /product, so for now @@ -111,15 +115,19 @@ define(`product_public_type', `system_public_property_type') # All properties defined by /vendor. attribute vendor_property_type; +expandattribute vendor_property_type false; # All /vendor-defined properties used only in /vendor. attribute vendor_internal_property_type; +expandattribute vendor_internal_property_type false; # All /vendor-defined properties which can't be written outside /vendor. attribute vendor_restricted_property_type; +expandattribute vendor_restricted_property_type false; # All /vendor-defined properties with no restrictions. attribute vendor_public_property_type; +expandattribute vendor_public_property_type false; # All service_manager types created by system_server attribute system_server_service; From 621e3e3acef3836a48d6e9c93d8c7f3baf005c91 Mon Sep 17 00:00:00 2001 
From: Jeongik Cha Date: Thu, 23 Apr 2020 23:38:43 +0900 Subject: [PATCH 06/19] [RESTRICT AUTOMERGE] mediaserver, mediaextractor, drmserver: allow vendor_overlay_file MediaPlayer cannot load a video from RRO packages. So, add allow rules which is necessary to play the video. Bug: 154795779 Test: check if MediaPlayer can load a video in RRO Change-Id: I06eed146b6e70a548b6b4f4faf56ba2bccd68140 (cherry picked from commit 832a8a9389e63dfbd7de6c4ced72a8ecce23ef92) --- private/coredomain.te | 2 +- public/drmserver.te | 3 +++ public/mediaextractor.te | 3 +++ public/mediaserver.te | 3 +++ 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/private/coredomain.te b/private/coredomain.te index 169f6b249..705483bf6 100644 --- a/private/coredomain.te +++ b/private/coredomain.te @@ -82,7 +82,7 @@ full_treble_only(` -webview_zygote -zygote userdebug_or_eng(`-heapprofd') - } vendor_overlay_file:file r_file_perms; + } vendor_overlay_file:file open; ') # Core domains are not permitted to use kernel interfaces which are not diff --git a/public/drmserver.te b/public/drmserver.te index b7b641c18..b7d40577d 100644 --- a/public/drmserver.te +++ b/public/drmserver.te @@ -48,6 +48,9 @@ allow drmserver radio_data_file:file { read getattr map }; allow drmserver oemfs:dir search; allow drmserver oemfs:file r_file_perms; +# overlay package access +allow drmserver vendor_overlay_file:file { read map }; + add_service(drmserver, drmserver_service) allow drmserver permission_service:service_manager find; diff --git a/public/mediaextractor.te b/public/mediaextractor.te index 4bedb0f06..859ec9c3b 100644 --- a/public/mediaextractor.te +++ b/public/mediaextractor.te 
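Review bot: Narrowing the neverallow in the coredomain.te hunk from `r_file_perms` to `open` relaxes the restriction for every coredomain not listed in the block, not only for the three media domains that receive allow rules in the later hunks: any core domain may now read, getattr or map a `vendor_overlay_file` descriptor it is handed, as long as it did not open it. That is presumably the intent (the overlay file is opened elsewhere and passed as an fd), but the comment above the block, which starts outside the hunk, should say so, e.g. `# Core domains may use a vendor overlay fd passed to them but must not open one themselves.`. The three new allow rules are also not uniform — mediaserver gets `getattr`, drmserver and mediaextractor do not — which deserves a one-line note if deliberate. The prebuilts/api/29.0 copies in the following patch repeat the same hunks.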
@@ -34,6 +34,9 @@ allow mediaextractor apk_data_file:file { read getattr }; allow mediaextractor asec_apk_file:file { read getattr }; allow mediaextractor ringtone_file:file { read getattr }; +# overlay package access +allow mediaextractor vendor_overlay_file:file { read map }; + # scan extractor library directory to dynamically load extractors allow mediaextractor system_file:dir { read open }; diff --git a/public/mediaserver.te b/public/mediaserver.te index 70d0a55b2..8672eacde 100644 --- a/public/mediaserver.te +++ b/public/mediaserver.te @@ -131,6 +131,9 @@ allow mediaserver system_server:fd use; # b/120491318 allow mediaserver to access void:fd allow mediaserver vold:fd use; +# overlay package access +allow mediaserver vendor_overlay_file:file { read getattr map }; + hal_client_domain(mediaserver, hal_allocator) ### From 380766429303a99d85a58cd4c26f0ed6c9d984eb Mon Sep 17 00:00:00 2001 From: Sergej Salnikov Date: Wed, 27 Jan 2021 10:05:33 +0000 Subject: [PATCH 07/19] [RESTRICT AUTOMERGE] Update prebuilt sepolicy Updating sepolicy in aosp/1561695, accordingly, update prebuilt dir as well Bug: 154795779 Change-Id: I7c5885e709cf07137a393bde19e19ad5c1f92953 --- prebuilts/api/29.0/private/coredomain.te | 2 +- prebuilts/api/29.0/public/drmserver.te | 3 +++ prebuilts/api/29.0/public/mediaextractor.te | 3 +++ prebuilts/api/29.0/public/mediaserver.te | 3 +++ 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te index 169f6b249..705483bf6 100644 --- a/prebuilts/api/29.0/private/coredomain.te +++ b/prebuilts/api/29.0/private/coredomain.te @@ -82,7 +82,7 @@ full_treble_only(` -webview_zygote -zygote userdebug_or_eng(`-heapprofd') - } vendor_overlay_file:file r_file_perms; + } vendor_overlay_file:file open; ') # Core domains are not permitted to use kernel interfaces which are not 
diff --git a/prebuilts/api/29.0/public/drmserver.te b/prebuilts/api/29.0/public/drmserver.te index b7b641c18..b7d40577d 100644 --- a/prebuilts/api/29.0/public/drmserver.te +++ b/prebuilts/api/29.0/public/drmserver.te @@ -48,6 +48,9 @@ allow drmserver radio_data_file:file { read getattr map }; allow drmserver oemfs:dir search; allow drmserver oemfs:file r_file_perms; +# overlay package access +allow drmserver vendor_overlay_file:file { read map }; + add_service(drmserver, drmserver_service) allow drmserver permission_service:service_manager find; diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te index 4bedb0f06..859ec9c3b 100644 --- a/prebuilts/api/29.0/public/mediaextractor.te +++ b/prebuilts/api/29.0/public/mediaextractor.te @@ -34,6 +34,9 @@ allow mediaextractor apk_data_file:file { read getattr }; allow mediaextractor asec_apk_file:file { read getattr }; allow mediaextractor ringtone_file:file { read getattr }; +# overlay package access +allow mediaextractor vendor_overlay_file:file { read map }; + # scan extractor library directory to dynamically load extractors allow mediaextractor system_file:dir { read open }; diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te index 70d0a55b2..8672eacde 100644 --- a/prebuilts/api/29.0/public/mediaserver.te +++ b/prebuilts/api/29.0/public/mediaserver.te @@ -131,6 +131,9 @@ allow mediaserver system_server:fd use; # b/120491318 allow mediaserver to access void:fd allow mediaserver vold:fd use; +# overlay package access +allow mediaserver vendor_overlay_file:file { read getattr map }; + hal_client_domain(mediaserver, hal_allocator) ### From 3cfbe228527ab8be8308c5e61a10b4f0d0eb93f1 Mon Sep 17 00:00:00 2001 
From: Kilyoung Shin Date: Thu, 28 Oct 2021 10:21:46 -0700 Subject: [PATCH 08/19] Grant permission for mediatranscoding hal_allocator for GSI image Bug: 203839961 Test: run cts -m CtsMediaTranscodingTestCases -t android.media.mediatranscoding.cts.MediaTranscodingManagerTest#testAddingClientUids Signed-off-by: Kilyoung Shin Change-Id: If44653f436d4e5dcbd040af24f03b09ae8e7ac05 --- private/mediatranscoding.te | 1 + 1 file changed, 1 insertion(+) diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te index 2a43cf9b5..073e81d78 100644 --- a/private/mediatranscoding.te +++ b/private/mediatranscoding.te @@ -19,6 +19,7 @@ hal_client_domain(mediatranscoding, hal_graphics_allocator) hal_client_domain(mediatranscoding, hal_configstore) hal_client_domain(mediatranscoding, hal_omx) hal_client_domain(mediatranscoding, hal_codec2) +hal_client_domain(mediatranscoding, hal_allocator) allow mediatranscoding mediaserver_service:service_manager find; allow mediatranscoding mediametrics_service:service_manager find; From 4042fa5dec50b926dcdc14f874e24f35ec50bf57 Mon Sep 17 00:00:00 2001 From: Florian Mayer Date: Tue, 21 Dec 2021 12:06:31 -0800 Subject: [PATCH 09/19] [MTE] Allow system_app to write memtag property. (cherry picked from commit 39f29f758ebeb4d7a5edc6151d8b24c815cd99aa) (we need this cherry picked on android12-tests-dev to allow OEMs to backport the associated feature without violating the neverallow CTS) Bug: 206895651 Merged-In: I6463965c094b9b3c4f3f70929a09e109ee9c84b9 Change-Id: I6463965c094b9b3c4f3f70929a09e109ee9c84b9 --- private/property.te | 2 ++ private/system_app.te | 1 + 2 files changed, 3 insertions(+) diff --git a/private/property.te b/private/property.te index 29f4f1a0f..e72693a38 100644 --- a/private/property.te +++ b/private/property.te 
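Review bot: The added `hal_client_domain(mediatranscoding, hal_allocator)` has no comment, while the commit message ties it to a specific CTS case and to GSI/OMX platforms; put that next to the line, e.g. `# hal_allocator is needed on OMX-based platforms / GSI (b/203839961)`. The port of this change to prebuilts/api/31.0 later in the series needs the same comment.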
@@ -395,10 +395,12 @@ neverallow { # Allow the shell to set MTE props, so that non-root users with adb shell # access can control the settings on their device. +# Allow system apps to set MTE props, so Developer Options can set them. neverallow { domain -init -shell + -system_app } { arm64_memtag_prop }:property_service set; diff --git a/private/system_app.te b/private/system_app.te index 239686e67..41fac622b 100644 --- a/private/system_app.te +++ b/private/system_app.te @@ -34,6 +34,7 @@ allow system_app wallpaper_file:file r_file_perms; allow system_app icon_file:file r_file_perms; # Write to properties +set_prop(system_app, arm64_memtag_prop) set_prop(system_app, bluetooth_a2dp_offload_prop) set_prop(system_app, bluetooth_audio_hal_prop) set_prop(system_app, bluetooth_prop) From 949e1d0a768668955e1940c3092996bf23663092 Mon Sep 17 00:00:00 2001 From: Florian Mayer Date: Wed, 19 Jan 2022 15:19:20 -0800 Subject: [PATCH 10/19] Add policy for command line tool to control MTE boot state. Bug: 206895651 (cherry picked from commit 23173455ab48bbc1cc1e394717369e99e7175179) (we need this cherry picked on android12-tests-dev to allow OEMs to backport the associated feature without violating the neverallow CTS) Merged-In: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16 Change-Id: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16 --- private/compat/30.0/30.0.ignore.cil | 1 + private/file_contexts | 1 + private/mtectrl.te | 9 +++++++++ public/domain.te | 1 + public/mtectrl.te | 1 + 5 files changed, 13 insertions(+) create mode 100644 private/mtectrl.te create mode 100644 public/mtectrl.te diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 0c36aed13..dd8cc7f6d 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -86,6 +86,7 @@ memtrackproxy_service mm_events_config_prop music_recognition_service + mtectrl nfc_logs_data_file odrefresh odrefresh_exec 
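Review bot: Exempting `system_app` from the arm64_memtag_prop neverallow and adding `set_prop(system_app, arm64_memtag_prop)` lets every app running in the shared system_app domain set the MTE property, not just the Developer Options UI the new comment names. If no narrower domain is available, the comment should state that scope explicitly, e.g. `# Allow system apps (the whole system_app domain, not only Settings) to set MTE props for Developer Options.`, so a later audit does not read this as a Settings-only grant. The system_app.te hunk should carry a matching one-line comment on the new set_prop line.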
diff --git a/private/file_contexts b/private/file_contexts index 351cd7c5f..6730c25a3 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -304,6 +304,7 @@ /system/bin/lpdumpd u:object_r:lpdumpd_exec:s0 /system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0 /system/bin/perfetto u:object_r:perfetto_exec:s0 +/system/bin/mtectrl u:object_r:mtectrl_exec:s0 /system/bin/traced u:object_r:traced_exec:s0 /system/bin/traced_perf u:object_r:traced_perf_exec:s0 /system/bin/traced_probes u:object_r:traced_probes_exec:s0 diff --git a/private/mtectrl.te b/private/mtectrl.te new file mode 100644 index 000000000..a89edda03 --- /dev/null +++ b/private/mtectrl.te @@ -0,0 +1,9 @@ +# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader. +type mtectrl_exec, system_file_type, exec_type, file_type; + +init_daemon_domain(mtectrl) + +# mtectrl communicates the request to the bootloader via the misc partition. +allow mtectrl misc_block_device:blk_file w_file_perms; +allow mtectrl block_device:dir r_dir_perms; +read_fstab(mtectrl) diff --git a/public/domain.te b/public/domain.te index 799a2f1c5..5c7c18cce 100644 --- a/public/domain.te +++ b/public/domain.te @@ -627,6 +627,7 @@ neverallow { -vold -recovery -ueventd + -mtectrl } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager diff --git a/public/mtectrl.te b/public/mtectrl.te new file mode 100644 index 000000000..2fb8a960c --- /dev/null +++ b/public/mtectrl.te @@ -0,0 +1 @@ +type mtectrl, domain, coredomain; From 6f135387c42114781bbd31b936b26f10ad4bd4ca Mon Sep 17 00:00:00 2001 
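Review bot: `allow mtectrl misc_block_device:blk_file w_file_perms` grants write access to the whole misc block device, which the domain.te neverallow comment (visible in a later patch of this series) describes as reserved for OTA use, so a defect in mtectrl can overwrite the bootloader control block that recovery and update_engine rely on. The comment should name that blast radius, e.g. `# Writes the MTE request into the misc partition; this is the same device that carries the bootloader control block for OTA/recovery, so keep this domain minimal.`. If the tool only needs `open` and `write`, listing those instead of `w_file_perms` (which in AOSP's global_macros also carries append, lock and map) would be tighter; I cannot confirm from the policy alone which of these the binary uses.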
From: Kevin Rocard Date: Mon, 31 Jan 2022 16:05:28 +0000 Subject: [PATCH 11/19] Grant permission for mediatranscoding hal_allocator for OMX platforms This is a port of If44653f436d4e5dcbd040af24f03b09ae8e7ac05 which made this change to prebuilts/api/31.0/private/mediatranscoding.te. This is required to pass CTS test. Test: run cts -m CtsMediaTranscodingTestCases -t android.media.mediatranscoding.cts.MediaTranscodingManagerTest#testAddingClientUids Bug: 207821225 Bug: 213141904 Change-Id: Iefe9f326572976e230eeeec74e612b6e20b31887 --- prebuilts/api/31.0/private/mediatranscoding.te | 1 + 1 file changed, 1 insertion(+) diff --git a/prebuilts/api/31.0/private/mediatranscoding.te b/prebuilts/api/31.0/private/mediatranscoding.te index 2a43cf9b5..073e81d78 100644 --- a/prebuilts/api/31.0/private/mediatranscoding.te +++ b/prebuilts/api/31.0/private/mediatranscoding.te @@ -19,6 +19,7 @@ hal_client_domain(mediatranscoding, hal_graphics_allocator) hal_client_domain(mediatranscoding, hal_configstore) hal_client_domain(mediatranscoding, hal_omx) hal_client_domain(mediatranscoding, hal_codec2) +hal_client_domain(mediatranscoding, hal_allocator) allow mediatranscoding mediaserver_service:service_manager find; allow mediatranscoding mediametrics_service:service_manager find; From feae69915277a13372d0044fb7b555f71f0f7d1f Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Wed, 26 Jan 2022 08:45:17 +0900 Subject: [PATCH 12/19] Move mtectrl to private Because mtectrl is a system internal domain, and we don't need to expose the type to vendor. Bug: 206895651 Test: build and boot Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476 Merged-In: Idb5c4a4c6f175e338722971944bf08ba99835476 --- private/compat/30.0/30.0.ignore.cil | 1 - private/domain.te | 20 ++++++++++++++++++++ private/mtectrl.te | 1 + public/domain.te | 20 -------------------- public/mtectrl.te | 1 - 5 files changed, 21 insertions(+), 22 deletions(-) delete mode 100644 public/mtectrl.te 
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index dd8cc7f6d..0c36aed13 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -86,7 +86,6 @@ memtrackproxy_service mm_events_config_prop music_recognition_service - mtectrl nfc_logs_data_file odrefresh odrefresh_exec diff --git a/private/domain.te b/private/domain.te index b91d36d85..ad8beccc9 100644 --- a/private/domain.te +++ b/private/domain.te @@ -112,6 +112,26 @@ allow domain linkerconfig_file:file r_file_perms; # Allow all processes to check for the existence of the boringssl_self_test_marker files. allow domain boringssl_self_test_marker:dir search; +# No domains other than a select few can access the misc_block_device. This +# block device is reserved for OTA use. +# Do not assert this rule on userdebug/eng builds, due to some devices using +# this partition for testing purposes. +neverallow { + domain + userdebug_or_eng(`-domain') # exclude debuggable builds + -fastbootd + -hal_bootctl_server + -init + -uncrypt + -update_engine + -vendor_init + -vendor_misc_writer + -vold + -recovery + -ueventd + -mtectrl +} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; + # Limit ability to ptrace or read sensitive /proc/pid files of processes # with other UIDs to these allowlisted domains. neverallow { diff --git a/private/mtectrl.te b/private/mtectrl.te index a89edda03..436dcae55 100644 --- a/private/mtectrl.te +++ b/private/mtectrl.te @@ -1,4 +1,5 @@ # mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader. +type mtectrl, domain, coredomain; type mtectrl_exec, system_file_type, exec_type, file_type; init_daemon_domain(mtectrl) diff --git a/public/domain.te b/public/domain.te index 5c7c18cce..9d0c46d4d 100644 --- a/public/domain.te +++ b/public/domain.te 
@@ -610,26 +610,6 @@ neverallow { -update_engine } system_block_device:blk_file { write append }; -# No domains other than a select few can access the misc_block_device. This -# block device is reserved for OTA use. -# Do not assert this rule on userdebug/eng builds, due to some devices using -# this partition for testing purposes. -neverallow { - domain - userdebug_or_eng(`-domain') # exclude debuggable builds - -fastbootd - -hal_bootctl_server - -init - -uncrypt - -update_engine - -vendor_init - -vendor_misc_writer - -vold - -recovery - -ueventd - -mtectrl -} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; - # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; # The service managers are only allowed to access their own device node diff --git a/public/mtectrl.te b/public/mtectrl.te deleted file mode 100644 index 2fb8a960c..000000000 --- a/public/mtectrl.te +++ /dev/null @@ -1 +0,0 @@ -type mtectrl, domain, coredomain; From 8f3ad6ce1c1eeb6a46e039a201899a39c4c53f49 Mon Sep 17 00:00:00 2001 From: Florian Mayer Date: Tue, 8 Mar 2022 01:49:54 +0000 Subject: [PATCH 13/19] RESTRICT AUTOMERGE Revert "Move mtectrl to private" Revert submission 1959735 Reason for revert: b/220807329 Reverted Changes: Idb5c4a4c6:Move mtectrl to private I2e8419366:Add policy for command line tool to control MTE bo... Change-Id: I663113df93fe9fec597ad346a1d07888b068c20e --- private/compat/30.0/30.0.ignore.cil | 1 + private/domain.te | 20 -------------------- private/mtectrl.te | 1 - public/domain.te | 20 ++++++++++++++++++++ public/mtectrl.te | 1 + 5 files changed, 22 insertions(+), 21 deletions(-) create mode 100644 public/mtectrl.te diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 0c36aed13..dd8cc7f6d 100644 --- a/private/compat/30.0/30.0.ignore.cil 
+++ b/private/compat/30.0/30.0.ignore.cil @@ -86,6 +86,7 @@ memtrackproxy_service mm_events_config_prop music_recognition_service + mtectrl nfc_logs_data_file odrefresh odrefresh_exec diff --git a/private/domain.te b/private/domain.te index ad8beccc9..b91d36d85 100644 --- a/private/domain.te +++ b/private/domain.te @@ -112,26 +112,6 @@ allow domain linkerconfig_file:file r_file_perms; # Allow all processes to check for the existence of the boringssl_self_test_marker files. allow domain boringssl_self_test_marker:dir search; -# No domains other than a select few can access the misc_block_device. This -# block device is reserved for OTA use. -# Do not assert this rule on userdebug/eng builds, due to some devices using -# this partition for testing purposes. -neverallow { - domain - userdebug_or_eng(`-domain') # exclude debuggable builds - -fastbootd - -hal_bootctl_server - -init - -uncrypt - -update_engine - -vendor_init - -vendor_misc_writer - -vold - -recovery - -ueventd - -mtectrl -} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; - # Limit ability to ptrace or read sensitive /proc/pid files of processes # with other UIDs to these allowlisted domains. neverallow { diff --git a/private/mtectrl.te b/private/mtectrl.te index 436dcae55..a89edda03 100644 --- a/private/mtectrl.te +++ b/private/mtectrl.te @@ -1,5 +1,4 @@ # mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader. -type mtectrl, domain, coredomain; type mtectrl_exec, system_file_type, exec_type, file_type; init_daemon_domain(mtectrl) diff --git a/public/domain.te b/public/domain.te index 9d0c46d4d..5c7c18cce 100644 --- a/public/domain.te +++ b/public/domain.te 
@@ -610,6 +610,26 @@ neverallow { -update_engine } system_block_device:blk_file { write append }; +# No domains other than a select few can access the misc_block_device. This +# block device is reserved for OTA use. +# Do not assert this rule on userdebug/eng builds, due to some devices using +# this partition for testing purposes. +neverallow { + domain + userdebug_or_eng(`-domain') # exclude debuggable builds + -fastbootd + -hal_bootctl_server + -init + -uncrypt + -update_engine + -vendor_init + -vendor_misc_writer + -vold + -recovery + -ueventd + -mtectrl +} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; + # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; # The service managers are only allowed to access their own device node diff --git a/public/mtectrl.te b/public/mtectrl.te new file mode 100644 index 000000000..2fb8a960c --- /dev/null +++ b/public/mtectrl.te @@ -0,0 +1 @@ +type mtectrl, domain, coredomain; From edef6c2e58731a035c193326808d71bd0773f11f Mon Sep 17 00:00:00 2001 From: Florian Mayer Date: Tue, 8 Mar 2022 01:49:54 +0000 Subject: [PATCH 14/19] RESTRICT AUTOMERGE Revert "Add policy for command line tool to control MTE boot state." Revert submission 1959735 Reason for revert: b/220807329 Reverted Changes: Idb5c4a4c6:Move mtectrl to private I2e8419366:Add policy for command line tool to control MTE bo... Change-Id: Ic679c2dab411f70bd26cf8da213c49473a243896 --- private/compat/30.0/30.0.ignore.cil | 1 - private/file_contexts | 1 - private/mtectrl.te | 9 --------- public/domain.te | 1 - public/mtectrl.te | 1 - 5 files changed, 13 deletions(-) delete mode 100644 private/mtectrl.te delete mode 100644 public/mtectrl.te diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index dd8cc7f6d..0c36aed13 100644 
--- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -86,7 +86,6 @@ memtrackproxy_service mm_events_config_prop music_recognition_service - mtectrl nfc_logs_data_file odrefresh odrefresh_exec diff --git a/private/file_contexts b/private/file_contexts index 6730c25a3..351cd7c5f 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -304,7 +304,6 @@ /system/bin/lpdumpd u:object_r:lpdumpd_exec:s0 /system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0 /system/bin/perfetto u:object_r:perfetto_exec:s0 -/system/bin/mtectrl u:object_r:mtectrl_exec:s0 /system/bin/traced u:object_r:traced_exec:s0 /system/bin/traced_perf u:object_r:traced_perf_exec:s0 /system/bin/traced_probes u:object_r:traced_probes_exec:s0 diff --git a/private/mtectrl.te b/private/mtectrl.te deleted file mode 100644 index a89edda03..000000000 --- a/private/mtectrl.te +++ /dev/null @@ -1,9 +0,0 @@ -# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader. -type mtectrl_exec, system_file_type, exec_type, file_type; - -init_daemon_domain(mtectrl) - -# mtectrl communicates the request to the bootloader via the misc partition. -allow mtectrl misc_block_device:blk_file w_file_perms; -allow mtectrl block_device:dir r_dir_perms; -read_fstab(mtectrl) diff --git a/public/domain.te b/public/domain.te index 5c7c18cce..799a2f1c5 100644 --- a/public/domain.te +++ b/public/domain.te @@ -627,7 +627,6 @@ neverallow { -vold -recovery -ueventd - -mtectrl } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager diff --git a/public/mtectrl.te b/public/mtectrl.te deleted file mode 100644 index 2fb8a960c..000000000 --- a/public/mtectrl.te +++ /dev/null @@ -1 +0,0 @@ -type mtectrl, domain, coredomain; From 654cd21c3016191dd00e62bb11fda7371390904c Mon Sep 17 00:00:00 2001 
From: Florian Mayer Date: Tue, 8 Mar 2022 01:49:54 +0000 Subject: [PATCH 15/19] RESTRICT AUTOMERGE Revert "Move mtectrl to private" Revert submission 1959735 Reason for revert: b/220807329 Reverted Changes: Idb5c4a4c6:Move mtectrl to private I2e8419366:Add policy for command line tool to control MTE bo... Change-Id: I663113df93fe9fec597ad346a1d07888b068c20e --- private/compat/30.0/30.0.ignore.cil | 1 + private/domain.te | 20 -------------------- private/mtectrl.te | 1 - public/domain.te | 20 ++++++++++++++++++++ public/mtectrl.te | 1 + 5 files changed, 22 insertions(+), 21 deletions(-) create mode 100644 public/mtectrl.te diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index e4acfe8a4..ce6c22d7d 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -87,6 +87,7 @@ memtrackproxy_service mm_events_config_prop music_recognition_service + mtectrl nfc_logs_data_file odrefresh odrefresh_exec diff --git a/private/domain.te b/private/domain.te index ad8beccc9..b91d36d85 100644 --- a/private/domain.te +++ b/private/domain.te 
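Review bot: This patch is a second copy of patch 13 (same Change-Id I663113df93fe9fec597ad346a1d07888b068c20e, same subject), but its ignore.cil hunk is generated against a different base — index `e4acfe8a4..ce6c22d7d` and `@@ -87,6 +87,7 @@` here versus `0c36aed13..dd8cc7f6d` and `@@ -86,6 +86,7 @@` in patch 13 — and its private/mtectrl.te hunk edits a file that patch 14 deleted. As ordered, the series either fails to apply at this patch or leaves `type mtectrl` declared in public/mtectrl.te with no `mtectrl_exec` type and no file_contexts entry, i.e. a dead domain that still holds a neverallow exemption on misc_block_device. One of patches 13 and 15 should be dropped, and the state after patch 16 verified with a clean policy build.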
@@ -112,26 +112,6 @@ allow domain linkerconfig_file:file r_file_perms;
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;

-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
- -mtectrl
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these allowlisted domains.
 neverallow {
diff --git a/private/mtectrl.te b/private/mtectrl.te
index 436dcae55..a89edda03 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -1,5 +1,4 @@
 # mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
-type mtectrl, domain, coredomain;
 type mtectrl_exec, system_file_type, exec_type, file_type;

 init_daemon_domain(mtectrl)
diff --git a/public/domain.te b/public/domain.te
index 9d0c46d4d..5c7c18cce 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -610,6 +610,26 @@ neverallow {
 -update_engine
 } system_block_device:blk_file { write append };

+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
diff --git a/public/mtectrl.te b/public/mtectrl.te
new file mode 100644
index 000000000..2fb8a960c
--- /dev/null
+++ b/public/mtectrl.te
@@ -0,0 +1 @@
+type mtectrl, domain, coredomain;
From fdee5eddfa3998986dc0739fe308a87c46a85a50 Mon Sep 17 00:00:00 2001
From: Florian Mayer Date: Wed, 22 Jun 2022 00:43:03 +0000 Subject: [PATCH 16/19] RESTRICT AUTOMERGE Revert "Add policy for command line tool to control MTE boot state. am: 949e1d0a76" This reverts commit 069435505e292bb6d96a7f37b1c6d68c0a754033. Reason for revert: b/236099211 Change-Id: Ia3538caebdf7ccea943a16c594a3ff6a645014a2 --- private/compat/30.0/30.0.ignore.cil | 1 - private/file_contexts | 1 - private/mtectrl.te | 9 --------- public/domain.te | 1 - public/mtectrl.te | 1 - 5 files changed, 13 deletions(-) delete mode 100644 private/mtectrl.te delete mode 100644 public/mtectrl.te
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ce6c22d7d..e4acfe8a4 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -87,7 +87,6 @@
 memtrackproxy_service
 mm_events_config_prop
 music_recognition_service
- mtectrl
 nfc_logs_data_file
 odrefresh
 odrefresh_exec
diff --git a/private/file_contexts b/private/file_contexts
index e4d4b7086..0330d888d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -304,7 +304,6 @@
 /system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
 /system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto u:object_r:perfetto_exec:s0
-/system/bin/mtectrl u:object_r:mtectrl_exec:s0
 /system/bin/traced u:object_r:traced_exec:s0
 /system/bin/traced_perf u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes u:object_r:traced_probes_exec:s0
diff --git a/private/mtectrl.te b/private/mtectrl.te
deleted file mode 100644
index a89edda03..000000000
--- a/private/mtectrl.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
-type mtectrl_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(mtectrl)
-
-# mtectrl communicates the request to the bootloader via the misc partition.
-allow mtectrl misc_block_device:blk_file w_file_perms;
-allow mtectrl block_device:dir r_dir_perms;
-read_fstab(mtectrl)
diff --git a/public/domain.te b/public/domain.te
index 5c7c18cce..799a2f1c5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -627,7 +627,6 @@ neverallow {
 -vold
 -recovery
 -ueventd
- -mtectrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
diff --git a/public/mtectrl.te b/public/mtectrl.te
deleted file mode 100644
index 2fb8a960c..000000000
--- a/public/mtectrl.te
+++ /dev/null
@@ -1 +0,0 @@
-type mtectrl, domain, coredomain;
From 5de1b2096d2f1729c536d3ea3592217613a2d456 Mon Sep 17 00:00:00 2001
From: Florian Mayer Date: Tue, 30 Aug 2022 13:18:01 -0700 Subject: [PATCH 17/19] Update prebuilts to fix sepolicy_freeze_test Bug: 243820875 Change-Id: I34e06a54a649e37b6ec051d20bf4cf904f69fd5e --- prebuilts/api/31.0/private/property.te | 2 ++ prebuilts/api/31.0/private/system_app.te | 1 + 2 files changed, 3 insertions(+)
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 29f4f1a0f..e72693a38 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -395,10 +395,12 @@ neverallow {

 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
 domain
 -init
 -shell
+ -system_app
 } {
 arm64_memtag_prop
 }:property_service set;
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 239686e67..41fac622b 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -34,6 +34,7 @@ allow system_app wallpaper_file:file r_file_perms;
 allow system_app icon_file:file r_file_perms;

 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)
From f99eeb6bd902bca52afcbfb0444df4b22c7259cf Mon Sep 17 00:00:00 2001
From: Florian Mayer Date: Tue, 30 Aug 2022 13:15:22 -0700 Subject: [PATCH 18/19] Update prebuilts to fix sepolicy_freeze_test Bug: 243820875 Change-Id: I99c09ff00c1b47e9bc4e8175c9b3e34c7851d25d --- prebuilts/api/31.0/private/property.te | 2 ++ prebuilts/api/31.0/private/system_app.te | 1 + prebuilts/api/32.0/private/property.te | 2 ++ prebuilts/api/32.0/private/system_app.te | 1 + 4 files changed, 6 insertions(+)
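Review bot: The `-system_app` exclusion added to the `arm64_memtag_prop` neverallow, together with `set_prop(system_app, arm64_memtag_prop)` in the system_app.te hunk right after it, lets every process in the `system_app` domain set the MTE properties, while the new comment names only Developer Options. The policy cannot single out the Settings app inside that domain, so the comment should state the real scope, e.g. `# Allow system_app (the whole domain, not only Settings) to set MTE props, so Developer Options can set them.`. The same two hunks are repeated for prebuilts/api/31.0 and prebuilts/api/32.0 in the following patch (I99c09ff…), where the same wording applies. Since these are prebuilt snapshots kept in step with the live policy (the commit title cites sepolicy_freeze_test), the wording change presumably has to land in private/property.te first and then be mirrored here.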
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 587cf5e2f..77e1a7d26 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -396,10 +396,12 @@ neverallow {

 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
 domain
 -init
 -shell
+ -system_app
 } {
 arm64_memtag_prop
 }:property_service set;
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 239686e67..41fac622b 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -34,6 +34,7 @@ allow system_app wallpaper_file:file r_file_perms;
 allow system_app icon_file:file r_file_perms;

 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)
diff --git a/prebuilts/api/32.0/private/property.te b/prebuilts/api/32.0/private/property.te
index 587cf5e2f..77e1a7d26 100644
--- a/prebuilts/api/32.0/private/property.te
+++ b/prebuilts/api/32.0/private/property.te
@@ -396,10 +396,12 @@ neverallow {

 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
 domain
 -init
 -shell
+ -system_app
 } {
 arm64_memtag_prop
 }:property_service set;
diff --git a/prebuilts/api/32.0/private/system_app.te b/prebuilts/api/32.0/private/system_app.te
index 239686e67..41fac622b 100644
--- a/prebuilts/api/32.0/private/system_app.te
+++ b/prebuilts/api/32.0/private/system_app.te
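Review bot: The prebuilts/api/31.0/private/property.te and prebuilts/api/31.0/private/system_app.te hunks here appear to repeat the change the preceding patch (I34e06a54…) already makes to the same two files; the system_app.te hunk even carries the same blob ids `239686e67..41fac622b` as that patch, so whichever of the two commits is applied second will not apply cleanly once the other has added `set_prop(system_app, arm64_memtag_prop)`. The property.te pre-images differ (`29f4f1a0f` there versus `587cf5e2f` here), which suggests the two commits were generated against different bases and the series was not rebased as a whole. Either drop the 31.0 hunks from this patch so it carries only the 32.0 changes, or squash the two commits so the series applies in order.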
@@ -34,6 +34,7 @@ allow system_app wallpaper_file:file r_file_perms;
 allow system_app icon_file:file r_file_perms;

 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)
From db3507dffc1c204b32fd5ec4895db1df55dc671b Mon Sep 17 00:00:00 2001
From: sophiez Date: Tue, 6 Sep 2022 17:58:12 +0000 Subject: [PATCH 19/19] Update prebuilts to fix sepolicy_freeze_test Bug: 243820875 Test: refactoring CL. Existing unit tests still pass. Change-Id: I516aed92ad1c7cb4de796844402b3456dc625f94 --- prebuilts/api/32.0/private/mediatranscoding.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/prebuilts/api/32.0/private/mediatranscoding.te b/prebuilts/api/32.0/private/mediatranscoding.te
index 2a43cf9b5..073e81d78 100644
--- a/prebuilts/api/32.0/private/mediatranscoding.te
+++ b/prebuilts/api/32.0/private/mediatranscoding.te
@@ -19,6 +19,7 @@ hal_client_domain(mediatranscoding, hal_graphics_allocator)
 hal_client_domain(mediatranscoding, hal_configstore)
 hal_client_domain(mediatranscoding, hal_omx)
 hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)

 allow mediatranscoding mediaserver_service:service_manager find;
 allow mediatranscoding mediametrics_service:service_manager find;