build-emulator: fully treblize emulator image
Install emulator specific binaries and libraries
to vendor partition; update selinux; add vndk.
BUG: 37511975
Test: build user build, launch emulator, run CTS.
Change-Id: I7f5317d52e552367a1390789fe7ce6e0955ba8de
Merged-In: I70f58947e98b41b195d77b4347d2efdc09348392
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te
new file mode 100644
index 0000000..9546c1a
--- /dev/null
+++ b/target/board/generic/sepolicy/adbd.te
@@ -0,0 +1 @@
+set_prop(adbd, ctl_mdnsd_prop);
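Review bot: The added line terminates a macro invocation with a semicolon, which the rest of this policy does not do (compare `set_prop(bootanim, qemu_prop)` in bootanim.te and `init_daemon_domain(goldfish_setup)`); the same trailing `;` appears on `wakelock_use(goldfish_setup);`, `hal_client_domain(hal_drm_widevine, hal_graphics_composer);` and the two new `vndbinder_use(...)` lines. The macro expansions already terminate their own rules, so the extra semicolon is at best noise in the expanded policy; drop it for consistency: `set_prop(adbd, ctl_mdnsd_prop)`. A one-line comment on why adbd needs `ctl_mdnsd_prop` on the emulator would also help, since the rule carries no explanation.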
diff --git a/target/board/generic/sepolicy/audioserver.te b/target/board/generic/sepolicy/audioserver.te
new file mode 100644
index 0000000..c3c4a3a
--- /dev/null
+++ b/target/board/generic/sepolicy/audioserver.te
@@ -0,0 +1 @@
+allow audioserver bootanim:binder call;
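Review bot: `allow audioserver bootanim:binder call;` lets audioserver make binder calls into the boot-animation process with no comment on why the call goes in that direction; with a plain client/server relationship one would expect bootanim to be the caller. If this is a callback binder that bootanim hands to audioserver (presumably for boot sounds — confirm), say so above the rule: `# bootanim passes audioserver a callback binder when playing boot sounds`. Without that, the rule looks like a copy-paste inversion and is likely to be "corrected" later.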
diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te
index b4b1eef..4be1c8a 100644
--- a/target/board/generic/sepolicy/bootanim.te
+++ b/target/board/generic/sepolicy/bootanim.te
@@ -1,4 +1,5 @@
allow bootanim self:process execmem;
allow bootanim ashmem_device:chr_file execute;
-
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit bootanim system_data_file:dir read;
set_prop(bootanim, qemu_prop)
diff --git a/target/board/generic/sepolicy/cameraserver.te b/target/board/generic/sepolicy/cameraserver.te
new file mode 100644
index 0000000..6cf5d6a
--- /dev/null
+++ b/target/board/generic/sepolicy/cameraserver.te
@@ -0,0 +1,2 @@
+allow cameraserver system_file:dir { open read };
+allow cameraserver hal_allocator:fd use;
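Review bot: `allow cameraserver system_file:dir { open read };` grants a directory-listing permission with no comment saying which path needs it, and the same uncommented rule is added for mediacodec in mediacodec.te. Directory read on `system_file` covers every directory under /system, so a reader cannot tell whether this is a real dependency of the vendor camera/codec libraries or an audit-only denial that should be a `dontaudit` like the ones in bootanim.te and priv_app.te. Add the triggering path and a tracking reference to each rule, e.g. `# TODO(<bug id>): <path> is listed by <library>; narrow or drop once fixed`, or downgrade to `dontaudit` if the access is not functionally required.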
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
index 6fad80a..f4ae9e4 100644
--- a/target/board/generic/sepolicy/file.te
+++ b/target/board/generic/sepolicy/file.te
@@ -1 +1 @@
-type qemud_socket, file_type;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
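Review bot: `type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;` declares a new writable sysfs label but nothing in this change grants any domain write access to it, and the type carries no comment; its only visible user is the `/sys/qemu_trace(/.*)?` entry in file_contexts. `mlstrustedobject` exempts the object from MLS constraints, which is a genuine widening on a writable node, so the declaration should name the expected writer and why the exemption is needed, e.g. `# /sys/qemu_trace: written by <domain> for emulator tracing; mlstrustedobject presumably so categorised app domains can reach it — confirm`. If the writer's rule lives in a file outside this diff, a pointer to it in the comment is enough.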
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index d86a63b..f550f4d 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -7,15 +7,29 @@
/dev/block/vda u:object_r:system_block_device:s0
/dev/block/vdb u:object_r:cache_block_device:s0
/dev/block/vdc u:object_r:userdata_block_device:s0
+/dev/block/vdd u:object_r:metadata_block_device:s0
+/dev/block/vde u:object_r:system_block_device:s0
/dev/goldfish_pipe u:object_r:qemu_device:s0
/dev/goldfish_sync u:object_r:qemu_device:s0
/dev/qemu_.* u:object_r:qemu_device:s0
-/dev/socket/qemud u:object_r:qemud_socket:s0
/dev/ttyGF[0-9]* u:object_r:serial_device:s0
/dev/ttyS2 u:object_r:console_device:s0
-/system/bin/qemud u:object_r:qemud_exec:s0
-/system/etc/init.goldfish.sh u:object_r:goldfish_setup_exec:s0
-/system/vendor/bin/init.ranchu-core.sh u:object_r:goldfish_setup_exec:s0
-/system/vendor/bin/init.ranchu-net.sh u:object_r:goldfish_setup_exec:s0
-/system/bin/qemu-props u:object_r:qemu_props_exec:s0
+/sys/qemu_trace(/.*)? u:object_r:sysfs_writable:s0
+/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+
+/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
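Review bot: `/dev/block/vde u:object_r:system_block_device:s0` adds a second block device under the system label with no comment saying which partition it backs, and the adjacent `vdd` line likewise. Since the commit moves the emulator binaries to the vendor partition, `vde` is presumably the vendor image (confirm against fstab.ranchu / fstab.ranchu.early), and labelling it `system_block_device` means any domain allowed raw access to the system device also gets the vendor device. Add `# vdd: metadata, vde: vendor image (shares system_block_device)` above these lines, and if the platform policy provides a dedicated vendor block-device type, prefer it.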
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index 78d20fc..bcd49bd 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -1,29 +1,12 @@
# goldfish-setup service: runs init.goldfish.sh script
type goldfish_setup, domain;
-type goldfish_setup_exec, exec_type, file_type;
+type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(goldfish_setup)
-# Inherit open file to shell (interpreter) for script.
-allow goldfish_setup shell_exec:file rx_file_perms;
-
-# Run ifconfig, route commands to configure interfaces and routes.
-allow goldfish_setup system_file:file execute_no_trans;
-allow goldfish_setup toolbox_exec:file rx_file_perms;
allow goldfish_setup self:capability { net_admin net_raw };
-allow goldfish_setup self:udp_socket create_socket_perms;
+allow goldfish_setup self:udp_socket { create ioctl };
+allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(goldfish_setup)
-net_domain(goldfish_setup)
-
-# Set net.eth0.dns*, debug.sf.nobootanimation
-set_prop(goldfish_setup, system_prop)
-set_prop(goldfish_setup, debug_prop)
-
-# Set ro.radio.noril
-set_prop(goldfish_setup, radio_noril_prop)
-
-# Stop ril-daemon service (by setting ctl.stop to ril-daemon, which
-# transforms to a permission check on ctl.ril-daemon).
-set_prop(goldfish_setup, ctl_rildaemon_prop)
+wakelock_use(goldfish_setup);
+allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
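Review bot: The header comment `# goldfish-setup service: runs init.goldfish.sh script` is now stale: this commit drops init.goldfish.sh from PRODUCT_COPY_FILES and file_contexts labels only `/vendor/bin/init\.ranchu-core\.sh` and `init\.ranchu-net\.sh` as goldfish_setup_exec, so it should read `# goldfish-setup service: runs init.ranchu-core.sh / init.ranchu-net.sh from /vendor/bin`. The hunk also deletes the comments that explained the existing rules (`# Run ifconfig, route commands to configure interfaces and routes.`) while adding uncommented replacements `vendor_toolbox_exec:file execute_no_trans` and `vendor_shell_exec:file { rx_file_perms }`; keep a why-comment on each. The narrowing of `self:udp_socket` to `{ create ioctl }` is a good least-privilege change, but the braces around `rx_file_perms` are redundant (the macro already expands to a permission set) and inconsistent with the `shell_exec:file rx_file_perms` form removed just above.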
diff --git a/target/board/generic/sepolicy/hal_drm_widevine.te b/target/board/generic/sepolicy/hal_drm_widevine.te
new file mode 100644
index 0000000..c1a63ca
--- /dev/null
+++ b/target/board/generic/sepolicy/hal_drm_widevine.te
@@ -0,0 +1,11 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
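Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written on the `hal_drm` attribute rather than on the `hal_drm_widevine` domain this file declares, so they also apply to every other hal_drm server — presumably including the default `android.hardware.drm@1.0-service` this commit adds to emulator.mk. If only the widevine service needs to use fds handed over by mediacodec and apps, scope the rules: `allow hal_drm_widevine mediacodec:fd use;` and `allow hal_drm_widevine { appdomain -isolated_app }:fd use;`. The header `# define SELinux domain` says nothing specific; `# Widevine DRM HAL: vendor-side hal_drm server, client of the graphics composer HAL` describes what the rules below actually set up.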
diff --git a/target/board/generic/sepolicy/hal_gnss_default.te b/target/board/generic/sepolicy/hal_gnss_default.te
index 0dd3d03..ddc68cc 100644
--- a/target/board/generic/sepolicy/hal_gnss_default.te
+++ b/target/board/generic/sepolicy/hal_gnss_default.te
@@ -1,3 +1 @@
-#============= hal_gnss_default ==============
-allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
-
+vndbinder_use(hal_gnss_default);
diff --git a/target/board/generic/sepolicy/hal_graphics_composer_default.te b/target/board/generic/sepolicy/hal_graphics_composer_default.te
index 034bdef..40ecda6 100644
--- a/target/board/generic/sepolicy/hal_graphics_composer_default.te
+++ b/target/board/generic/sepolicy/hal_graphics_composer_default.te
@@ -1,3 +1 @@
-#============= hal_graphics_composer_default ==============
-allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
-
+vndbinder_use(hal_graphics_composer_default);
diff --git a/target/board/generic/sepolicy/init.te b/target/board/generic/sepolicy/init.te
index 3aa81d1..84a4e8d 100644
--- a/target/board/generic/sepolicy/init.te
+++ b/target/board/generic/sepolicy/init.te
@@ -1 +1,2 @@
allow init tmpfs:lnk_file create_file_perms;
+dontaudit init kernel:system module_request;
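Review bot: `dontaudit init kernel:system module_request;` silences a denial with no comment or bug reference, while the identical rule added to netd.te carries `#TODO: This can safely be ignored until b/62954877 is fixed`; the vold.te rule added in this commit has the same gap. Without the reference nobody will know when these suppressions can be removed. Copy the same TODO line above the init and vold rules, or, if the init and vold denials have a different cause, state it so the three are not assumed to be the same issue.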
diff --git a/target/board/generic/sepolicy/mediacodec.te b/target/board/generic/sepolicy/mediacodec.te
new file mode 100644
index 0000000..acf4e59
--- /dev/null
+++ b/target/board/generic/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec system_file:dir { open read };
diff --git a/target/board/generic/sepolicy/netd.te b/target/board/generic/sepolicy/netd.te
index 2b002ec..09a28b9 100644
--- a/target/board/generic/sepolicy/netd.te
+++ b/target/board/generic/sepolicy/netd.te
@@ -1 +1,3 @@
dontaudit netd self:capability sys_module;
+#TODO: This can safely be ignored until b/62954877 is fixed
+dontaudit netd kernel:system module_request;
diff --git a/target/board/generic/sepolicy/priv_app.te b/target/board/generic/sepolicy/priv_app.te
new file mode 100644
index 0000000..3d16f32
--- /dev/null
+++ b/target/board/generic/sepolicy/priv_app.te
@@ -0,0 +1,5 @@
+#TODO: b/62908025
+dontaudit priv_app firstboot_prop:file { getattr open };
+dontaudit priv_app device:dir { open read };
+dontaudit priv_app proc_interrupts:file { getattr open read };
+dontaudit priv_app proc_modules:file { getattr open read };
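Review bot: The four `dontaudit priv_app ...` rules are justified only by `#TODO: b/62908025`, which does not say what the denials are or which privileged app triggers them. Suppressing `proc_modules` and `proc_interrupts` reads from priv_app is acceptable as long as it stays a dontaudit, and the comment should say that explicitly so the rules are not later "fixed" by turning them into allow rules: `# TODO(b/62908025): <app> probes these at boot; suppress only, do not allow`.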
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
index d5571fd..0f5ec8c 100644
--- a/target/board/generic/sepolicy/qemu_props.te
+++ b/target/board/generic/sepolicy/qemu_props.te
@@ -1,12 +1,9 @@
# qemu-props service: Sets system properties on boot.
type qemu_props, domain;
-type qemu_props_exec, exec_type, file_type;
+type qemu_props_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(qemu_props)
-# Set properties.
set_prop(qemu_props, qemu_prop)
set_prop(qemu_props, dalvik_prop)
-set_prop(qemu_props, config_prop)
-set_prop(qemu_props, opengles_prop)
set_prop(qemu_props, qemu_cmdline)
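Review bot: `set_prop(qemu_props, opengles_prop)` is removed here, but system_server.te in the same commit keeps `get_prop(system_server, opengles_prop)`, so nothing in the device policy visible in this diff is still allowed to set the property system_server reads. If opengles_prop is now set by another path (for example from the kernel command line, given that `set_prop(qemu_props, qemu_cmdline)` is kept), note that next to the remaining rule: `# opengles_prop is no longer set here; see <setter>`; otherwise the removal breaks the property handoff. The `# Set properties.` comment was dropped too — keep a one-liner naming which properties this daemon still sets.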
diff --git a/target/board/generic/sepolicy/qemud.te b/target/board/generic/sepolicy/qemud.te
deleted file mode 100644
index eee21c4..0000000
--- a/target/board/generic/sepolicy/qemud.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# qemu support daemon
-type qemud, domain;
-type qemud_exec, exec_type, file_type;
-
-init_daemon_domain(qemud)
-
-# Access /dev/ttyS1 and /dev/ttyGF1.
-allow qemud serial_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
deleted file mode 100644
index e148b6c..0000000
--- a/target/board/generic/sepolicy/rild.te
+++ /dev/null
@@ -1 +0,0 @@
-unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
index f9e277b..9063095 100644
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@@ -1,3 +1,2 @@
-unix_socket_connect(system_server, qemud, qemud)
get_prop(system_server, opengles_prop)
get_prop(system_server, radio_noril_prop)
diff --git a/target/board/generic/sepolicy/vold.te b/target/board/generic/sepolicy/vold.te
new file mode 100644
index 0000000..5f3bdd4
--- /dev/null
+++ b/target/board/generic/sepolicy/vold.te
@@ -0,0 +1 @@
+dontaudit vold kernel:system module_request;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
index a90f02b..e97d895 100644
--- a/target/board/generic/sepolicy/zygote.te
+++ b/target/board/generic/sepolicy/zygote.te
@@ -1 +1,4 @@
set_prop(zygote, qemu_prop)
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
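Review bot: `dontaudit webview_zygote mnt_expand_file:dir getattr;` is a rule for the `webview_zygote` domain but is placed in zygote.te; the device policy otherwise keeps one file per domain (adbd.te, vold.te, netd.te in this same commit), so it should live in a new `webview_zygote.te` together with its two comment lines. The comment `Webview zygote should not be accessing.` is also a fragment; `# Suppress denials on expanded storage (mnt_expand_file); webview_zygote should not be touching it at all.` says the same more clearly.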
diff --git a/target/product/emulator.mk b/target/product/emulator.mk
index 5a5fb8e..a9a5306 100644
--- a/target/product/emulator.mk
+++ b/target/product/emulator.mk
@@ -36,11 +36,13 @@
libGLESv2_emulation \
libGLESv1_enc \
qemu-props \
- qemud \
camera.goldfish \
camera.goldfish.jpeg \
camera.ranchu \
camera.ranchu.jpeg \
+ keystore.goldfish \
+ keystore.ranchu \
+ gatekeeper.ranchu \
lights.goldfish \
gps.goldfish \
gps.ranchu \
@@ -62,7 +64,9 @@
android.hardware.graphics.mapper@2.0-impl \
hwcomposer.goldfish \
hwcomposer.ranchu \
+ sh_vendor \
vintf \
+ toybox_vendor \
CarrierConfig
PRODUCT_PACKAGES += \
@@ -72,40 +76,80 @@
android.hardware.soundtrigger@2.0-impl
PRODUCT_PACKAGES += \
- android.hardware.keymaster@3.0-impl \
- android.hardware.keymaster@3.0-service
+ android.hardware.keymaster@3.0-impl \
+ android.hardware.keymaster@3.0-service
PRODUCT_PACKAGES += \
android.hardware.gnss@1.0-service \
android.hardware.gnss@1.0-impl
PRODUCT_PACKAGES += \
- android.hardware.sensors@1.0-impl \
- android.hardware.sensors@1.0-service
+ android.hardware.sensors@1.0-impl \
+ android.hardware.sensors@1.0-service
+
+PRODUCT_PACKAGES += \
+ android.hardware.drm@1.0-service \
+ android.hardware.drm@1.0-impl
PRODUCT_PACKAGES += \
android.hardware.power@1.0-service \
android.hardware.power@1.0-impl
-# camera service treble disable until all backwards compat is complete
-PRODUCT_PROPERTY_OVERRIDES += \
- camera.disable_treble=1
+PRODUCT_PACKAGES += \
+ camera.device@1.0-impl \
+ android.hardware.camera.provider@2.4-service \
+ android.hardware.camera.provider@2.4-impl \
+
+PRODUCT_PACKAGES += \
+ android.hardware.gatekeeper@1.0-impl \
+ android.hardware.gatekeeper@1.0-service
+
+# need this for gles libraries to load properly
+# after moving to /vendor/lib/
+PRODUCT_PACKAGES += \
+ android.hardware.renderscript@1.0.vndk-sp\
+ android.hardware.graphics.allocator@2.0.vndk-sp\
+ android.hardware.graphics.mapper@2.0.vndk-sp\
+ android.hardware.graphics.common@1.0.vndk-sp\
+ libhwbinder.vndk-sp\
+ libbase.vndk-sp\
+ libcutils.vndk-sp\
+ libhardware.vndk-sp\
+ libhidlbase.vndk-sp\
+ libhidltransport.vndk-sp\
+ libutils.vndk-sp\
+ libc++.vndk-sp\
+ libRS_internal.vndk-sp\
+ libRSDriver.vndk-sp\
+ libRSCpuRef.vndk-sp\
+ libbcinfo.vndk-sp\
+ libblas.vndk-sp\
+ libft2.vndk-sp\
+ libpng.vndk-sp\
+ libcompiler_rt.vndk-sp\
+ libbacktrace.vndk-sp\
+ libunwind.vndk-sp\
+ libunwindstack.vndk-sp\
+ liblzma.vndk-sp\
+ libz.vndk-sp\
+
PRODUCT_COPY_FILES += \
- device/generic/goldfish/fstab.goldfish:root/fstab.goldfish \
- device/generic/goldfish/init.goldfish.rc:root/init.goldfish.rc \
- device/generic/goldfish/init.goldfish.sh:system/etc/init.goldfish.sh \
device/generic/goldfish/init.ranchu-core.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.ranchu-core.sh \
device/generic/goldfish/init.ranchu-net.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.ranchu-net.sh \
device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \
- device/generic/goldfish/ueventd.goldfish.rc:root/ueventd.goldfish.rc \
- device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \
device/generic/goldfish/fstab.ranchu:root/fstab.ranchu \
+ device/generic/goldfish/fstab.ranchu.early:root/fstab.ranchu.early \
device/generic/goldfish/ueventd.ranchu.rc:root/ueventd.ranchu.rc \
device/generic/goldfish/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml \
device/generic/goldfish/input/goldfish_rotary.idc:system/usr/idc/goldfish_rotary.idc \
+ device/generic/goldfish/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml \
+ device/generic/goldfish/data/etc/permissions/privapp-permissions-goldfish.xml:system/etc/permissions/privapp-permissions-goldfish.xml \
+ device/generic/goldfish/data/etc/config.ini:config.ini \
frameworks/native/data/etc/android.hardware.usb.accessory.xml:system/etc/permissions/android.hardware.usb.accessory.xml
PRODUCT_PACKAGE_OVERLAYS := device/generic/goldfish/overlay
PRODUCT_CHARACTERISTICS := emulator
+
+PRODUCT_FULL_TREBLE_OVERRIDE := true
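Review bot: `device/generic/goldfish/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml` is added a second time — the same entry already exists two lines above it as context — so PRODUCT_COPY_FILES now carries a duplicate; drop the added line. Two list continuations also end on a dangling backslash followed by an empty line (`android.hardware.camera.provider@2.4-impl \` and `libz.vndk-sp\`), which make tolerates but which silently joins whatever is later placed on the following line into the list; end each last item without the backslash. The `.vndk-sp` items have no space before the backslash, unlike the surrounding entries; add one for consistency.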