diff --git a/recipes-core/toybox/toybox_%.bbappend b/recipes-core/toybox/toybox_%.bbappend
new file mode 100644
index 0000000000000000000000000000000000000000..7eb0d04ec10ef5fb16ad360593502854072566db
--- /dev/null
+++ b/recipes-core/toybox/toybox_%.bbappend
@@ -0,0 +1,11 @@
+inherit enable-selinux
+
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+
+do_configure:append() {
+ # Enable selinux by turning off TOYBOX_LSM_NONE and replacing with TOYBOX_SELINUX
+ # This enables functionality such as ls -Z and ps -Z.
+ sed -e 's/CONFIG_TOYBOX_LSM_NONE=y/# CONFIG_TOYBOX_LSM_NONE is not set/' -i .config
+ sed -e 's/# CONFIG_TOYBOX_SELINUX is not set/CONFIG_TOYBOX_SELINUX=y/' -i .config
+}
+
diff --git a/recipes-security/sepolicy/neo/apps/pulseaudio.te b/recipes-security/sepolicy/neo/apps/pulseaudio.te
index 7051db7b312db912455a989fb8c2f132dc4d1d72..ebf03c70f0cf4bebc8149769c795a47732498fcd 100644
--- a/recipes-security/sepolicy/neo/apps/pulseaudio.te
+++ b/recipes-security/sepolicy/neo/apps/pulseaudio.te
@@ -12,6 +12,7 @@ gen_require(`
 type socket_device_t;
 type system_dmabuf_device_t;
 type vendor_dmabuf_audioml_heap_device_t;
+ type btapp_t;
 ')
 
 user_data_files_type(audio_data_file_t);
@@ -27,3 +28,7 @@ userdebug_or_eng(`
 ')
 allow pulseaudio_t unconfined_t:unix_stream_socket connectto;
 ')
+
+#Usecase to inetract with bt-app service for audio stream
+
+allow pulseaudio_t btapp_t:unix_stream_socket { connectto };
diff --git a/recipes-security/sepolicy/neo/device/qbt.fc b/recipes-security/sepolicy/neo/device/qbt.fc
new file mode 100644
index 0000000000000000000000000000000000000000..09995735fc1aa7980c046726a0ccfa5d47b8ccf6
--- /dev/null
+++ b/recipes-security/sepolicy/neo/device/qbt.fc
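Review bot: The two `sed` calls in `do_configure:append` switch on CONFIG_TOYBOX_SELINUX unconditionally, while libselinux and `--enable-selinux` are only pulled in when the `selinux` PACKAGECONFIG is selected, so a build with that option off still asks toybox to compile SELinux support without libselinux in its sysroot (presumably `inherit enable-selinux` is what selects the option, but nothing here says so). Gate the edits on the option, `if ${@bb.utils.contains('PACKAGECONFIG', 'selinux', 'true', 'false', d)}; then` … `fi`, and since `sed -i` exits 0 even when the pattern never matched, verify the result afterwards with `grep -q '^CONFIG_TOYBOX_SELINUX=y' .config || bbfatal "failed to enable CONFIG_TOYBOX_SELINUX"`. A one-line comment naming the class that adds `selinux` to PACKAGECONFIG would make the dependency between the two halves of this file visible.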
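Review bot: `connectto` on `btapp_t:unix_stream_socket` is only half of what a connect() needs; pulseaudio_t must also be able to `write` the sock_file it connects through, and the socket paths this series introduces (`/dev/socket/ble_*` in qbt.fc, labelled `bt_app_sock_t`) get no such rule here, so the connection will still be denied unless that file is already covered elsewhere in pulseaudio.te. If those are the sockets in question, add `allow pulseaudio_t bt_app_sock_t:sock_file write;` next to this rule (and `socket_device_t:dir search` if pulseaudio_t lacks it). The comment also has a typo; `# Allow pulseaudio to connect to the bt-app audio stream socket` reads better.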
@@ -0,0 +1,35 @@
+# Copyright (c) 2018,2020 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+#Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+#SPDX-License-Identifier: BSD-3-Clause-Clear
+
+/dev/btpower -c gen_context(system_u:object_r:bt_device_t,s0)
+/dev/ttyHS0 -c gen_context(system_u:object_r:ttyHS0_device_t,s0)
+/dev/socket/ble_gap_socket -s gen_context(system_u:object_r:bt_app_sock_t,s0)
+/dev/socket/ble_wbds_socket -s gen_context(system_u:object_r:bt_app_sock_t,s0)
diff --git a/recipes-security/sepolicy/neo/device/qbt.if b/recipes-security/sepolicy/neo/device/qbt.if
new file mode 100644
index 0000000000000000000000000000000000000000..f9f056be0266a0f183a12363c512a35c69c272d4
--- /dev/null
+++ b/recipes-security/sepolicy/neo/device/qbt.if
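Review bot: The `bt_app_sock_t` contexts for `/dev/socket/ble_gap_socket` and `/dev/socket/ble_wbds_socket` only take effect on a relabel; a socket btapp_t creates at runtime inherits the directory's type, and qbt.te grants exactly that (`manage_sock_files_pattern(btapp_t, socket_device_t, socket_device_t)`) with no name transition to `bt_app_sock_t`, so at runtime these files will be `socket_device_t` and the dedicated type never applies unless something runs restorecon afterwards. Add `filetrans_pattern(btapp_t, socket_device_t, bt_app_sock_t, sock_file, "ble_gap_socket")` and the same for `"ble_wbds_socket"` in qbt.te so the label is created, not just declared. If the names are not fixed or another process creates them, a comment saying which process creates the sockets and when they get labelled would save the next reader the same question.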
@@ -0,0 +1,32 @@
+# Copyright (c) 2018 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+#Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+#SPDX-License-Identifier: BSD-3-Clause-Clear
+
+## <summary>Bluetooth daemonization changes interface</summary>
diff --git a/recipes-security/sepolicy/neo/device/qbt.te b/recipes-security/sepolicy/neo/device/qbt.te
new file mode 100644
index 0000000000000000000000000000000000000000..dd0e1a6d396fa6662276ef57c284f8c5c68d3c58
--- /dev/null
+++ b/recipes-security/sepolicy/neo/device/qbt.te
@@ -0,0 +1,94 @@
+# Copyright (c) 2018,2020 The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Changes from Qualcomm Innovation Center, Inc. are provided under the following license:
+#Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+#SPDX-License-Identifier: BSD-3-Clause-Clear
+
+files_read_config_files(btapp_t);
+
+gen_require(`
+ type system_dbusd_var_run_t;
+ type system_dbusd_t;
+ type pmsg_device_t;
+ type socket_device_t;
+ type leprop_sock_t;
+ type leprop_t;
+ type syslogd_var_run_t;
+ type data_t;
+ type bluetooth_conf_t;
+ type pulseaudio_t;
+ type device_t;
+ type unreserved_port_t;
+ type firmware_t;
+ type node_t;
+ type mount_t;
+ type pulseaudio_var_run_t;
+')
+
+type bt_device_t;
+dev_node(bt_device_t);
+rw_chr_files_pattern(btapp_t, device_t, bt_device_t);
+
+type ttyHS0_device_t;
+dev_node(ttyHS0_device_t);
+allow btapp_t ttyHS0_device_t:chr_file manage_chr_file_perms; #/dev/ttyHS0
+
+type bt_app_sock_t;
+dev_node(bt_app_sock_t);
+manage_sock_files_pattern(btapp_t, bt_app_sock_t, bt_app_sock_t);
+
+read_files_pattern(btapp_t, firmware_t, firmware_t);
+manage_sock_files_pattern(btapp_t, socket_device_t, socket_device_t);
+manage_sock_files_pattern(btapp_t, data_t, data_t);
+rw_sock_files_pattern(btapp_t, pulseaudio_var_run_t, pulseaudio_var_run_t);
+kernel_read_system_state(btapp_t);
+leprop_rw_props(btapp_t);
+corenet_tcp_bind_all_unreserved_ports(btapp_t);
+corenet_tcp_bind_generic_node(btapp_t);
+
+allow btapp_t self:tcp_socket create_stream_socket_perms;
+allow btapp_t self:unix_stream_socket { accept listen };
+
+allow btapp_t system_dbusd_var_run_t:dir search; #/run/dbus
+allow btapp_t system_dbusd_var_run_t:sock_file write;
+allow btapp_t system_dbusd_t:unix_stream_socket connectto;
+
+allow btapp_t bluetooth_conf_t:file rw_file_perms;
+allow btapp_t pulseaudio_t:unix_stream_socket { connectto sendto };
+
+## for DBus
+ifdef(`init_systemd', `
+ dbus_connect_system_bus(btapp_t)
+ dbus_send_system_bus(btapp_t)
+')
+
+allow btapp_t bt_data_t:sock_file {create unlink write };
+data_filetrans(btapp_t, bt_data_t, { file dir })
+manage_user_data_files(btapp_t, bt_data_t)
+allow mount_t bt_data_t:sock_file manage_sock_file_perms;
+allow btapp_t bluetooth_conf_t:sock_file {create unlink write };
diff --git a/recipes-security/sepolicy/neo/device/weston.te b/recipes-security/sepolicy/neo/device/weston.te
index 17bc033cc25a351b643ba7e5b1d1c8e7f2ea2dc8..7782b4241b165ee5f76ddd1fd697d1c20722a27c 100644
--- a/recipes-security/sepolicy/neo/device/weston.te
+++ b/recipes-security/sepolicy/neo/device/weston.te
@@ -27,7 +27,7 @@
 # Changes from Qualcomm Innovation Center are provided under the following license:
 #
-# Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+# Copyright (c) 2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted (subject to the limitations in the
@@ -108,6 +108,12 @@ gen_require(`
 type home_root_t;
 type user_home_dir_t;
 type user_tmpfs_t;
+ type device_t;
+ type vendor_dmabuf_system_heap_device_t;
+ type sysfs_cpu_capacity;
+ type sysfs_cpu_present;
+ type gpumodel_t;
+ type pmsg_device_t;
 ')
 
 dontaudit weston_t self:capability { setuid sys_admin } ;
@@ -147,6 +153,7 @@ files_type(weston_usr_t);
 allow weston_t weston_usr_t:dir search_dir_perms;
 allow weston_t weston_usr_t:file read_file_perms;
+mls_file_read_all_levels(weston_t);
 allow weston_t self:capability kill;
 allow weston_t brightness_t:file rw_file_perms;
 allow weston_t etc_t:file read_file_perms;
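Review bot: `corenet_tcp_bind_all_unreserved_ports(btapp_t)` together with `corenet_tcp_bind_generic_node(btapp_t)` and `allow btapp_t self:tcp_socket create_stream_socket_perms;` lets the Bluetooth daemon listen on any unreserved TCP port on any interface, a network-facing listener with no documented purpose; if a listening socket is really needed, give it a port type (`type btapp_port_t; corenet_port(btapp_port_t)` plus `allow btapp_t btapp_port_t:tcp_socket name_bind;`) and drop the all-ports rule. `allow btapp_t ttyHS0_device_t:chr_file manage_chr_file_perms;` likewise grants create/unlink/rename on the UART node where `rw_chr_file_perms` is what a user of `/dev/ttyHS0` needs. Note also that `btapp_t` and `bt_data_t` are neither declared nor required in this file, so the module only builds if another .te in the same module declares them; a `gen_require` or a comment pointing at that file would make the dependency visible. Several required types (`pmsg_device_t`, `leprop_sock_t`, `leprop_t`, `syslogd_var_run_t`, `unreserved_port_t`, `node_t`) are not referenced directly by any rule here and can probably be dropped from the `gen_require`.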
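Review bot: `mls_file_read_all_levels(weston_t)` is an MLS override that lets the compositor read files at every sensitivity level, and nothing in the hunk or the commit says which object forced it; dropped between the `weston_usr_t` rules it reads as if it were about those. Other hunks in this series annotate the same macro (`# required for /dev/kmsg`), so do the same here, e.g. `# MLS override: needed to read <object>; drop once it is labelled at the right level`, naming the actual file.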
@@ -179,18 +186,26 @@ allow weston_t socket_device_t:dir manage_dir_perms;
 allow weston_t socket_device_t:file manage_file_perms;
 allow weston_t socket_device_t:sock_file manage_sock_file_perms;
 allow weston_t user_tmpfs_t:file { map rw_file_perms };
+allow weston_t device_t:dir search;
+allow weston_t vendor_dmabuf_system_heap_device_t:chr_file read_chr_file_perms;
+allow weston_t sysfs_cpu_capacity:file read_file_perms;
+allow weston_t sysfs_cpu_present:file read_file_perms;
+allow weston_t gpumodel_t:file read_file_perms;
+allow weston_t pmsg_device_t:chr_file write_chr_file_perms;
 userdebug_or_eng(`
 gen_require(`
 type trace_marker_t;
 type tracefs_t;
 type debugfs_t;
+ type adbd_t;
 ')
 allow weston_t debugfs_t:dir search;
 allow weston_t trace_marker_t:file { write open };
 allow weston_t tracefs_t:dir search;
 allow weston_t tty_device_t:chr_file manage_chr_file_perms; #/dev/tty
+ allow weston_t adbd_t:unix_stream_socket { connectto create_stream_socket_perms };
 ')
 manage_qmmf_data_files(weston_t)
diff --git a/recipes-security/sepolicy/neo/system/mount.te b/recipes-security/sepolicy/neo/system/mount.te
index df0205fc24e6194d26053cc8994e30de57e63674..c1d3db1f81e1b73b01993d054422bd2355b8fd05 100644
--- a/recipes-security/sepolicy/neo/system/mount.te
+++ b/recipes-security/sepolicy/neo/system/mount.te
@@ -69,6 +69,7 @@ gen_require(`
 type hwfde_conf_file_t;
 type lib_t;
 type overlay_t;
+ type systemd_unit_t;
 ')
 
 permissive mount_t;
@@ -85,3 +86,4 @@ allow mount_t lib_t:filesystem relabelfrom;
 allow mount_t overlay_t:chr_file { create link rename unlink };
 allow mount_t var_t:chr_file unlink;
 allow mount_t data_t:sock_file { create unlink };
+allow mount_t systemd_unit_t:lnk_file { getattr read };
diff --git a/recipes-security/sepolicy/neo/system/systemd.te b/recipes-security/sepolicy/neo/system/systemd.te
index 6c77514452bf037138d7432e29395f5c77b89853..b2ed6d95a3bafb20aae6b39fec54120caa00aabb 100644
--- a/recipes-security/sepolicy/neo/system/systemd.te
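Review bot: `allow weston_t adbd_t:unix_stream_socket { connectto create_stream_socket_perms };` grants far more than a client needs: `create_stream_socket_perms` includes create, bind, listen and accept, which weston_t can never exercise on a socket owned by adbd_t since any socket it creates is labelled weston_t, so those bits are dead weight that still read as "weston may serve adbd's socket". The client side of a connect() is `connectto` plus `write` on the sock_file (and `rw_socket_perms` only if adbd hands a connected fd over), so `allow weston_t adbd_t:unix_stream_socket { connectto rw_socket_perms };`, or just `connectto` if the denials never showed read/write, is the right shape. Keeping this inside `userdebug_or_eng` is correct; a comment naming why the compositor talks to adbd on debug builds would make the gate self-explanatory.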
+++ b/recipes-security/sepolicy/neo/system/systemd.te
@@ -48,6 +48,7 @@ gen_require(`
 type proc_t;
 type lib_t;
 type tracefs_t;
+ type udev_t;
 ')
 
 allow systemd_modules_load_t kernel_t:unix_dgram_socket sendto;
@@ -85,7 +86,7 @@ allow systemd_modules_load_t syslogd_t:unix_dgram_socket sendto;
 allow systemd_modules_load_t etc_t:file read_file_perms;
 modutils_read_module_deps(systemd_modules_load_t);
-allow systemd_modules_load_t self:capability sys_module;
+allow systemd_modules_load_t self:capability { sys_module sys_admin };
 allow systemd_modules_load_t var_run_t:dir { read_file_perms getattr search };
 allow systemd_modules_load_t debugfs_t:dir search;
 allow systemd_modules_load_t modules_object_t:system module_load;
@@ -116,3 +117,6 @@ allow systemd_update_done_t kernel_t:unix_dgram_socket sendto;
 #/lib/modules mount point denials for system_module_load_t
 allow systemd_modules_load_t initrc_var_run_t:lnk_file read_lnk_file_perms;
 allow systemd_modules_load_t lib_t:system module_load;
+
+allow udev_t configfs_t:file { read open };
+allow udev_t lib_t:system module_load;
diff --git a/recipes-security/sepolicy/vm/libcontainer/platform_container.if b/recipes-security/sepolicy/vm/libcontainer/platform_container.if
index efd3519a63ad621b5eee346a3dcfdf8ca51c969f..fd09c2a139fc3e35e56b5ae2276f6ef5fb4a8197 100644
--- a/recipes-security/sepolicy/vm/libcontainer/platform_container.if
+++ b/recipes-security/sepolicy/vm/libcontainer/platform_container.if
@@ -30,7 +30,7 @@ interface(`platform_container_domain_type',`
 can_exec($1, $2)
-# TODO: Any way to fine-tune this?
+ # needed until all containers using user namespaced /dev/kmsg
 mls_file_read_all_levels($1)
 mls_file_write_all_levels($1)
 # for bind-mounting when using the libminijail default option
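Review bot: Adding `sys_admin` to the module loader (`allow systemd_modules_load_t self:capability { sys_module sys_admin };`) hands it a capability that is effectively root-equivalent, with no comment on which operation needs it; if it is a mount or ioctl path, name it, and if it turns out to be only a noisy denial during boot, a `dontaudit` is the better answer. `allow udev_t lib_t:system module_load;` has the same problem as the existing `systemd_modules_load_t lib_t:system module_load` context line above it: the `#/lib/modules mount point denials` comment points to a labelling issue (the modules tree ends up `lib_t` instead of `modules_object_t`), and widening `module_load` to generic `lib_t` for a second loader undermines the point of that check, since any file under /lib is now loadable by udev. Fixing the file context of the mount point so it gets `modules_object_t` would let both `lib_t` rules go.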
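Review bot: The replacement comment `# needed until all containers using user namespaced /dev/kmsg` is not a sentence and leaves the reader unsure whether the MLS overrides go away once containers get a user-namespaced /dev/kmsg or once they stop using it. Something like `# needed until every container gets a user-namespaced /dev/kmsg; drop both mls_file_*_all_levels calls once that lands` states the condition and what to remove. The enclosing `platform_container_domain_type` interface starts and ends outside this hunk.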
@@ -41,9 +41,8 @@ interface(`platform_container_domain_type',`
 domtrans_pattern(platform_launcher_domain, $2, $1)
 ')
-########################################
 ## <summary>
-## Allow bind mounting of a node
+## Allow specified type to be bind-mounted by the platform
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -51,16 +50,28 @@ interface(`platform_container_domain_type',`
 ## </summary>
 ## </param>
 ## <param name="target">
-## <summary>
-## File type to allow
-## </summary>
+## <summary>
+## Type allowed to be bind-mounted
+## </summary>
 ## </param>
-## <param name="class">
-## <summary>
-## File class to allow
-## </summary>
+## <param name="filetype">
+## <summary>
+## The object being bind-mounted
+## </summary>
 ## </param>
 #
 interface(`platform_container_bind_mount',`
+ gen_require(`
+ attribute platform_launcher_domain;
+ type supervisor_t;
+ ')
+
+ # for non user-namespaces
 allow $1 $2:$3 { getattr relabelto };
+
+ # for user namespaces
+ allow platform_launcher_domain $2:$3 getattr;
+ allow supervisor_t $2:$3 { getattr relabelto };
+ # allow creation of the target mountpoint regardless of filetype
+ allow supervisor_t $2:file { create_file_perms read mounton };
 ')
diff --git a/recipes-security/sepolicy/vm/libcontainer/platform_container.te b/recipes-security/sepolicy/vm/libcontainer/platform_container.te
index 8092f079a06a717178465f8ee666daedc559d221..006b5e43b9063b898f7601e19a66f0e4a9854426 100644
--- a/recipes-security/sepolicy/vm/libcontainer/platform_container.te
+++ b/recipes-security/sepolicy/vm/libcontainer/platform_container.te
@@ -35,6 +35,9 @@ allow platform_container_domain tvmmink_sock_t:sock_file write;
 # Redirect all TVMRoot logs to adb logcat
 # no user variant support for bind mounts, so always allow the mount. But
 # writes should be behind the macro
+gen_require(`
+ type kmsg_device_t;
+')
 platform_container_bind_mount(platform_container_domain, kmsg_device_t, chr_file)
 userdebug_or_eng(`
 dev_write_kmsg(platform_container_domain)
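Review bot: The new `<param name="filetype">` text says `The object being bind-mounted`, but `$3` is used as an object class in `allow $1 $2:$3 { getattr relabelto };`, while the final rule `allow supervisor_t $2:file { create_file_perms read mounton };` ignores `$3` altogether, so every call site, including the `dir`, `sock_file` and `chr_file` targets elsewhere in this series, also gives supervisor_t create/unlink/rename on regular files of the target type. If the intent is a placeholder mountpoint, say so and note that it is a regular file even for `dir` targets, e.g. `## The object class of the target (e.g. chr_file); the mountpoint itself is created as a regular file`; if a `dir` target needs a directory mountpoint, that rule should use `$2:$3` instead. The `gen_require` of `supervisor_t` inside a generic interface also makes every caller's module depend on the supervisor module, which deserves a comment or an `optional_policy` wrapper.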
diff --git a/recipes-security/sepolicy/vm/libcontainer/supervisor.te b/recipes-security/sepolicy/vm/libcontainer/supervisor.te
index b4d2f854993e091abcfabd4d3e9aa7d812c584d8..01fab992fdd9dfe8d1670ed0aea175963f88ae7f 100644
--- a/recipes-security/sepolicy/vm/libcontainer/supervisor.te
+++ b/recipes-security/sepolicy/vm/libcontainer/supervisor.te
@@ -6,7 +6,7 @@ policy_module(supervisor, 1.0)
 type supervisor_t;
 type supervisor_exec_t;
-init_vendor_domain(supervisor_t, supervisor_exec_t)
+init_daemon_domain(supervisor_t, supervisor_exec_t)
 type supervisor_sock_t;
 dev_node(supervisor_sock_t)
@@ -33,12 +33,11 @@ type supervisor_tmp_t;
 files_type(supervisor_tmp_t)
 files_tmp_filetrans(supervisor_t, supervisor_tmp_t, dir)
 manage_dirs_pattern(supervisor_t, tmp_t, supervisor_tmp_t)
-allow supervisor_t supervisor_tmp_t:dir { mounton search getattr };
 allow supervisor_t tmpfs_t:filesystem { mount unmount };
-# tmpfs_t rules needed until util-linux 2.39 rootcontext=@target support
-manage_files_pattern(supervisor_t, tmp_t, tmpfs_t)
-manage_dirs_pattern(supervisor_t, tmp_t, tmpfs_t)
-allow supervisor_t tmpfs_t:dir mounton;
+allow supervisor_t supervisor_tmp_t:dir { mounton relabelfrom };
+fs_tmpfs_filetrans(supervisor_t, supervisor_tmp_t, dir)
+manage_chr_files_pattern(supervisor_t, supervisor_tmp_t, supervisor_tmp_t)
+allow supervisor_t supervisor_tmp_t:chr_file relabelfrom;
 corecmd_exec_shell(supervisor_t)
 # Supervisor doesn't care about the shell environment
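Review bot: The removed block carried a comment explaining why it existed (`# tmpfs_t rules needed until util-linux 2.39 ...`), but its replacement, `manage_chr_files_pattern(supervisor_t, supervisor_tmp_t, supervisor_tmp_t)` and the two `relabelfrom` rules, carries none, and from the hunk alone a reader cannot tell what device nodes are created under `supervisor_tmp_t` or what they are relabelled to. Presumably this stages a container's /dev on the tmpfs the supervisor mounts; if so, a comment such as `# device nodes for a container's /dev are created on the supervisor tmpfs and relabelled to the bind-mount target type before use` would make the `mknod` capability and the `relabelto` grants added elsewhere in this series read as one mechanism. `manage_chr_files_pattern` also includes unlink and rename; if only create and setattr are exercised, the narrower explicit `allow supervisor_t supervisor_tmp_t:chr_file { create getattr setattr };` keeps the grant honest.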
@@ -47,21 +46,20 @@ gen_require(`
 ')
 dontaudit supervisor_t home_root_t:dir { search getattr };
-allow supervisor_t self:capability { sys_admin sys_ptrace sys_chroot chown };
+# dac_override is required because the supervisor needs to fix dac permissions
+# whether root is allowed to access the file or not.
+allow supervisor_t self:capability { sys_admin sys_ptrace sys_chroot chown mknod fowner dac_override };
 allow supervisor_t self:cap_userns { sys_admin sys_ptrace };
+# covered by dac_override
+dontaudit supervisor_t self:capability dac_read_search;
-# TODO: Replace with a more sophisticated way
 gen_require(`
 type device_t;
- type smcinvoke_device_t;
- type kmsg_device_t;
 ')
-allow supervisor_t {
- device_t
-}:dir { mounton getattr };
-allow supervisor_t {
- smcinvoke_device_t
- kmsg_device_t
-}:chr_file getattr;
+allow supervisor_t device_t:dir { mounton getattr relabelto rmdir write add_name relabelfrom create setattr };
+allow supervisor_t device_t:chr_file { create relabelfrom setattr };
+
 # for /dev/kmsg
 mls_file_read_all_levels(supervisor_t)
+mls_file_upgrade(supervisor_t)
+mls_file_downgrade(supervisor_t)
diff --git a/recipes-security/sepolicy/vm/test/containertest.te b/recipes-security/sepolicy/vm/test/containertest.te
index 8ecf698b79b4190cb8c0f5b144007d9091b3ea80..9cfdcfe6426f95e0f235b88d13e72ca3c7ad7e81 100644
--- a/recipes-security/sepolicy/vm/test/containertest.te
+++ b/recipes-security/sepolicy/vm/test/containertest.te
@@ -16,6 +16,7 @@ type containertest_t;
 type containertest_exec_t;
 platform_container_domain_type(containertest_t, containertest_exec_t)
 domtrans_pattern(launchertest_t, containertest_exec_t, containertest_t)
+role system_r types containertest_t;
 userdebug_or_eng(`
 # launchertest_t
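Review bot: The comment explains `dac_override` only, but the more consequential additions in this hunk are `mknod` together with `allow supervisor_t device_t:chr_file { create relabelfrom setattr };`: the supervisor can now create a device node with any major/minor directly in /dev, and through the per-type `relabelto` that `platform_container_bind_mount` grants supervisor_t it can relabel that node to any bind-mount target type (smcinvoke_device_t, vendor_virtio_mem_device_t, kmsg_device_t and others in this series), so the set of devices a container can be handed is bounded only by which types are passed to that interface, not by what actually exists in /dev. That is presumably intended for staging container devices, but it deserves a comment next to the capability line and a guard, e.g. an attribute applied to targets inside the interface and `neverallow supervisor_t ~container_bind_mount_type:chr_file relabelto;`. `mls_file_upgrade` and `mls_file_downgrade` are MLS overrides of their own and should say which relabel needs them, and the `device_t:dir` rule granting `rmdir write add_name relabelfrom relabelto create setattr` likewise deserves a one-line why.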
@@ -48,6 +49,8 @@ userdebug_or_eng(`
 allow launchertest_t launchertest_tmpfs_t:chr_file manage_chr_file_perms;
 allow launchertest_t launchertest_tmpfs_t:dir manage_dir_perms;
 allow launchertest_t launchertest_tmpfs_t:lnk_file create;
+
+ # required for /dev/kmsg
 mls_file_read_all_levels(launchertest_t)
 # Memfd testing - copy elf contents to tmpfs and transition
@@ -66,26 +69,19 @@ userdebug_or_eng(`
 # TODO: Is this common? only saw this for one test
 can_exec(containertest_t, launchertest_tmpfs_t)
- # /dev/dri
- dev_rw_dri(containertest_t)
- mls_file_read_all_levels(containertest_t)
- mls_file_write_all_levels(containertest_t)
-
- # /dev/socket/letzd
- optional_policy(`
- gen_require(`
- type socket_device_t;
- type letzd_sock_t;
- ')
- allow containertest_t socket_device_t:dir { getattr search };
- allow containertest_t letzd_sock_t:sock_file getattr;
- ')
-
 # Inspect process list. Not all containers will care about this
 kernel_list_proc(containertest_t)
 corecmd_exec_shell(containertest_t)
 # /mnt/test.txt (mount namespace test)
+ gen_require(`
+ type mount_t;
+ ')
 allow containertest_t tmpfs_t:file { read write create open };
+ mount_domtrans(containertest_t)
+ allow containertest_t mount_t:process2 nnp_transition;
+ allow mount_t self:cap_userns sys_admin;
+ kernel_read_system_state(containertest_t)
+
 # Memfd testing
 can_exec(containertest_t, tmpfs_t)
@@ -107,6 +103,13 @@ userdebug_or_eng(`
 vendor_kernel_load_exempt(containertest_t)
 kernel_load_module(containertest_t)
- # Redirect to /dev/kmsg
- mls_file_write_all_levels(launchertest_t)
+ # bind mounts
+ gen_require(`
+ type socket_device_t;
+ type tvmmink_sock_t;
+ type vendor_virtio_mem_device_t;
+ ')
+ platform_container_bind_mount(containertest_t, socket_device_t, dir);
+ platform_container_bind_mount(containertest_t, tvmmink_sock_t, sock_file);
+ platform_container_bind_mount(containertest_t, vendor_virtio_mem_device_t, chr_file);
 ') # userdebug_or_eng
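Review bot: `allow mount_t self:cap_userns sys_admin;` is a rule on the system `mount_t` domain placed inside a test module's `userdebug_or_eng` block, so on debug builds it widens mount_t for every caller, not just this test; it belongs in mount.te with a comment saying which mount in a user namespace needs it. Note also that mount.te (earlier in this diff) still carries `permissive mount_t;`, so `mount_domtrans(containertest_t)` plus `allow containertest_t mount_t:process2 nnp_transition;` moves the test container into a domain that is not enforced; the mount-namespace test therefore cannot detect a missing rule, and a comment such as `# NOTE: mount_t is permissive; this transition does not test enforcement` would keep that from being mistaken for coverage. The enclosing `userdebug_or_eng` block starts outside this hunk.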
diff --git a/recipes-security/sepolicy/vm/tvmmink/tvmprelauncher.te b/recipes-security/sepolicy/vm/tvmmink/tvmprelauncher.te
index fa56c88d4f6969516c568fcdbd20ae9018bbf9d6..259211e9991ea335a3cb08d6ab98c567bfb44832 100644
--- a/recipes-security/sepolicy/vm/tvmmink/tvmprelauncher.te
+++ b/recipes-security/sepolicy/vm/tvmmink/tvmprelauncher.te
@@ -46,3 +46,9 @@ gen_require(`
 type tvmmink_t;
 ')
 neverallow { domain -tvmprelauncher_t -tvmmink_t } tvmprelauncher_sock_t:sock_file rw_sock_file_perms;
+
+gen_require(`
+ type socket_device_t;
+')
+platform_container_bind_mount(tvmprelauncher_t, smcinvoke_device_t, chr_file)
+platform_container_bind_mount(tvmprelauncher_t, socket_device_t, dir)
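Review bot: `platform_container_bind_mount(tvmprelauncher_t, smcinvoke_device_t, chr_file)` uses `smcinvoke_device_t`, but the new `gen_require` only requires `socket_device_t`; unless an earlier part of this file (outside the hunk) already requires it, the module will fail to build, so add `type smcinvoke_device_t;` to the block. Bind-mounting `socket_device_t` as a `dir` also exposes the whole `/dev/socket` directory to the prelauncher's container and, through the interface, gives supervisor_t `create_file_perms` on `socket_device_t:file` as a side effect; the `neverallow` just above shows the authors care about which sockets are reachable, so a comment naming the socket the prelauncher actually needs, or a bind mount of that single sock_file type instead of the directory, would keep the exposure explicit.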