From 660e460e8c20fd36be7860551906a40a49b100f9 Mon Sep 17 00:00:00 2001
From: Brian Lindahl
Date: Tue, 26 Sep 2023 12:53:21 -0600
Subject: [PATCH 1/4] Allow for server-side configuration of libstagefright

Relaxation of SELinux policies to allow users of libstagefright and MediaCodec to be able to query server-side configurable flags.
Bug: 301372559
Bug: 301250938
Bug: 308043377
Fixes: 308043377
Test: run cts -m CtsSecurityHostTestCases
Change-Id: I72670ee42c268dd5747c2411d25959d366dd972c
Merged-In: I95aa6772a40599636d109d6960c2898e44648c9b
(cherry picked from commit 1b32bccc1a4cd073a5c3f5d71d810904f97e11a9)
---
 prebuilts/api/31.0/public/domain.te | 4 ++++
 prebuilts/api/31.0/public/property.te | 2 +-
 prebuilts/api/32.0/public/domain.te | 4 ++++
 prebuilts/api/32.0/public/property.te | 2 +-
 prebuilts/api/33.0/public/domain.te | 4 ++++
 prebuilts/api/33.0/public/property.te | 2 +-
 public/domain.te | 4 ++++
 7 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index 799a2f1c57..38266cd20d 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/prebuilts/api/31.0/public/property.te b/prebuilts/api/31.0/public/property.te
index 1d3f358fd3..57b6ad6063 100644
--- a/prebuilts/api/31.0/public/property.te
+++ b/prebuilts/api/31.0/public/property.te
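Review bot: `get_prop(domain, device_config_media_native_prop)` grants read access to every process domain on the device, including untrusted and isolated app domains, which is broader than the libstagefright/MediaCodec consumers the commit message names; the identical rule is repeated in the 32.0 and 33.0 prebuilts and in public/domain.te. If the consumers are app processes plus the media server/HAL domains, granting `appdomain` and those specific domains instead of `domain` would keep the read surface to what is needed, and this is worth stating either way in the comment, e.g. `# Read-only: the property is system_restricted_prop, so only the platform can write it`. The diffstat does not list public/property.te, so the live declaration of the property type is not changed here; presumably it was already moved to `system_restricted_prop` by the Merged-In change, but if it is still `system_internal_prop` on this branch the new rule in public/domain.te would collide with the neverallow that keeps internal properties inside coredomain — worth confirming before merge.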
@@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
diff --git a/prebuilts/api/32.0/public/domain.te b/prebuilts/api/32.0/public/domain.te
index 799a2f1c57..38266cd20d 100644
--- a/prebuilts/api/32.0/public/domain.te
+++ b/prebuilts/api/32.0/public/domain.te
@@ -353,6 +353,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/prebuilts/api/32.0/public/property.te b/prebuilts/api/32.0/public/property.te
index 2b2af6d19c..f019b2304c 100644
--- a/prebuilts/api/32.0/public/property.te
+++ b/prebuilts/api/32.0/public/property.te
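Review bot: Moving `device_config_media_native_prop` from the `system_internal_prop` list to the `system_restricted_prop` list changes the property's class from platform-only to readable by non-core domains (the macro names suggest this; the exact neverallow set is outside the hunk), and the same move is repeated in the 32.0 and 33.0 prebuilts. These files live under prebuilts/api/<version>/public, the frozen policy snapshots for shipped platform versions, so the change rewrites history that consumers of those snapshots may rely on; the commit message should say why the frozen copies had to change rather than only the live policy, and anything that maps between frozen and current policy for these versions should be checked for the reclassified type. The write side stays restricted to the platform, so the practical exposure added by this hunk is that any domain can observe the media experiment flags, not alter them.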
@@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@@ -65,6 +64,7 @@ system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index de529f5d88..f491f152bc 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -359,6 +359,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index b8e111bf51..6bd8c073c9 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -8,7 +8,6 @@ system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@@ -64,6 +63,7 @@ system_restricted_prop(boottime_public_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
diff --git a/public/domain.te b/public/domain.te
index 1da3f51a96..0b0642104a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -334,6 +334,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###

From 728e475da02a5cfb3a40532032ae614c81b1c206 Mon Sep 17 00:00:00 2001
From: Avichal Rakesh
Date: Tue, 12 Dec 2023 09:37:28 -0800
Subject: [PATCH 2/4] Allow more AIDL Camera Provider versions

The current sepolicy only allows V1 of AIDL CameraProvider services. This CL updates the regex to allow for future versions as well.
Bug: 314912354
Test: Verified by vendor
Change-Id: I80351a8bb7c2538c4ad1e0d418ea7a718d60be05
---
 vendor/file_contexts | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9929d7df2d..8e4ddb5df9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,12 +30,12 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio-service.default u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-external-service-lazy u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0

From 65af65df106880b8d41605a7e6371f5efa07e068 Mon Sep 17 00:00:00 2001
From: Andrea Zilio
Date: Tue, 12 Dec 2023 23:55:16 +0000
Subject: [PATCH 3/4] Allow pm.archiving.enabled to be read by priv apps.

Test: Presubmit
Bug: 314160630
Change-Id: Ibf844ce8a44244d0791490ae6c5df91039f4e9a7
---
 private/priv_app.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/priv_app.te b/private/priv_app.te
index cadefe1703..536c9d4cef 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -293,3 +293,6 @@ neverallow priv_app *:{
 
 # Allow priv apps to report off body events to keystore2.
 allow priv_app keystore:keystore2 report_off_body;
+
+# Allow priv_apps to check if archiving is enabled
+get_prop(priv_app, pm_archiving_enabled_prop)

From fd0efeb043f85dae7befae47769144d785f149da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Fri, 8 Dec 2023 09:30:54 +0000
Subject: [PATCH 4/4] sepolicy: grant network_stack CAP_WAKE_ALARM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is effectively an oversight that bluetooth has this but network stack does not. This prevents the network stack process from (for example) using timerfd_create with CLOCK_{REAL,BOOT}TIME_ALARM, without trampolining through parts of the mainline module which are shipped as part of the system server.
See: https://man7.org/linux/man-pages/man2/timerfd_create.2.html
Bug: 316171727
Test: TreeHugger
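Review bot: The new version alternative is spelled `-V[0-9]+` on all six camera provider lines while the broadcastradio context line a few lines above writes the same thing as `@\d+\.\d+`; the two forms match identically, so this is only consistency, but picking one (`(@2\.\d+|-V\d+)`) would keep the file uniform. The widening from `-V1` to any version is what the commit intends, and since every matched binary still lands in the same `hal_camera_default_exec` label there is no new label surface. Unrelated to this change but visible in the trailing context, the confirmationui entry reads `(vendor|sustem/vendor)`, a pre-existing typo under which a `/system/vendor/bin/hw/...confirmationui...` path would not match this entry — worth a separate fix.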
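Review bot: `get_prop(priv_app, pm_archiving_enabled_prop)` depends on how `pm_archiving_enabled_prop` is declared, and the diffstat shows only private/priv_app.te changing, so the declaration lives elsewhere; if it is (or later becomes) `system_internal_prop`, this rule would collide with the neverallow that confines such properties to coredomain, so it is worth confirming it is declared with a macro that permits app-domain reads. The comment could also name the property so the type is easy to tie back to the flag in the subject line: `# Allow priv_apps to read pm.archiving.enabled to check whether app archiving is enabled`. Read access only is granted here; the write side is unaffected.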
Signed-off-by: Maciej Żenczykowski
Change-Id: Iba95c80f830784a587fa4df6867a99bcb96ace79
---
 private/network_stack.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/private/network_stack.te b/private/network_stack.te
index 8e09be8533..7587c1f465 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -13,6 +13,8 @@ allow network_stack self:global_capability_class_set {
     net_raw
 };
 
+allow network_stack self:global_capability2_class_set wake_alarm;
+
 # Allow access to net_admin ioctl, DHCP server uses SIOCSARP
 allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
 
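Review bot: The new `allow network_stack self:global_capability2_class_set wake_alarm;` carries no comment, while the neighbouring `allowxperm` rule documents its reason and the commit message gives one for this grant; putting it next to the rule keeps the justification where future audits will look: `# CAP_WAKE_ALARM: timerfd_create() with CLOCK_REALTIME_ALARM / CLOCK_BOOTTIME_ALARM`. CAP_WAKE_ALARM lets the process arm timers that wake the device from suspend, so the cost of a misuse by a compromised network_stack is power drain rather than data exposure; the parity argument with bluetooth in the commit message is reasonable, but the comment should make the intended use explicit so the grant is not widened by analogy later. The `global_capability_class_set` statement whose closing `};` opens this hunk begins outside the hunk.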