Merge "Convert selinux_policy_system to Android.bp" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index e535f6a..7bda60c 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -486,6 +486,7 @@
/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
/system/bin/uprobestats uprobestats_exec
/system/bin/trace_redactor trace_redactor_exec
+/system/bin/bert_collector bert_collector_exec
/vendor vendor_file
/vendor/does_not_exist vendor_file
@@ -778,8 +779,8 @@
/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
-/system_ext/bin/custom_vm_setup custom_vm_setup_exec
-/system/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+/system_ext/bin/linux_vm_setup linux_vm_setup_exec
+/system/system_ext/bin/linux_vm_setup linux_vm_setup_exec
/system_ext/lib system_lib_file
/system_ext/lib/does_not_exist system_lib_file
diff --git a/private/apexd.te b/private/apexd.te
index c87c5ef..450b563 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -191,6 +191,9 @@
# Allow apexd to write to statsd.
unix_socket_send(apexd, statsdw, statsd)
+# Allow apexd to call
+allow apexd statsbootstrap_service:service_manager find;
+binder_call(apexd, system_server) # system_server serves statsbootstrap_service
###
### Neverallow rules
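Review bot: The comment added above the statsbootstrap_service rule, `# Allow apexd to call`, stops mid-sentence and does not say what apexd is allowed to call. I would complete it as `# Allow apexd to find statsbootstrap_service and call it in system_server.` so the two rules read as one grant. Note also that `binder_call(apexd, system_server)` is not scoped to that one service. It permits calls to any binder object system_server hosts, and only the `service_manager find` rule limits which services apexd can look up, so the comment should say that this breadth is intended. Whether apexd already has `binder_use` is not visible in this hunk and should be confirmed.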
diff --git a/private/bert_collector.te b/private/bert_collector.te
new file mode 100644
index 0000000..b11bd76
--- /dev/null
+++ b/private/bert_collector.te
@@ -0,0 +1,12 @@
+type bert_collector, domain, coredomain;
+type bert_collector_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(bert_collector)
+
+r_dir_file(bert_collector, sysfs_firmware_acpi_tables)
+
+binder_use(bert_collector)
+binder_call(bert_collector, system_server)
+
+allow bert_collector dropbox_service:service_manager find;
+allow bert_collector proc_version:file r_file_perms;
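Review bot: The new bert_collector.te has no header comment, and `r_dir_file(bert_collector, sysfs_firmware_acpi_tables)` gives the domain read access to every file under that label rather than to a single table. A one-line header such as `# bert_collector: reads ACPI tables from sysfs and reports to dropbox_service via system_server.` would record the intent, assuming that is what the daemon does. If the collector only needs the BERT entry, the genfscon rule in private/genfs_contexts could label just that file instead of the whole `/firmware/acpi/tables` directory. No neverallow in the visible hunks restricts other domains from being granted this type later. Adding one that limits readers to bert_collector, plus whatever core domains already need sysfs_type access, would keep raw firmware tables from being opened up by accident.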
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 787531a..9ac4963 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -20,4 +20,5 @@
virtual_face
virtual_face_exec
advanced_protection_service
+ sysfs_firmware_acpi_tables
))
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
deleted file mode 100644
index c14f5e0..0000000
--- a/private/custom_vm_setup.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type custom_vm_setup, domain, coredomain;
-type custom_vm_setup_exec, system_file_type, exec_type, file_type;
-
-is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
- init_daemon_domain(custom_vm_setup)
-')
diff --git a/private/file.te b/private/file.te
index 70b8523..662d5cc 100644
--- a/private/file.te
+++ b/private/file.te
@@ -182,6 +182,9 @@
# Type for /sys/kernel/mm/pgsize_migration/enabled
type sysfs_pgsize_migration, fs_type, sysfs_type;
+# /sys/firmware/acpi/tables
+type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index e26fb4e..496e954 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -408,6 +408,7 @@
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
/system/bin/uprobestats u:object_r:uprobestats_exec:s0
+/system/bin/bert_collector u:object_r:bert_collector_exec:s0
#############################
# Vendor files
@@ -535,7 +536,7 @@
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/(system_ext|system/system_ext)/bin/custom_vm_setup u:object_r:custom_vm_setup_exec:s0
+/(system_ext|system/system_ext)/bin/linux_vm_setup u:object_r:linux_vm_setup_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b8b7247..e300d78 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -149,6 +149,7 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/acpi/tables u:object_r:sysfs_firmware_acpi_tables:s0
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
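Review bot: The added `genfscon sysfs /firmware/acpi/tables` line relabels an existing sysfs subtree, so any domain that read these files under their previous label will be denied once this lands unless it is also granted sysfs_firmware_acpi_tables. The previous label is not visible here and is presumably the generic sysfs type. The only new grant in this commit is to bert_collector, so it is worth checking for existing system or vendor readers of `/sys/firmware/acpi/tables` on ACPI-based targets before merging. A short comment above the line, for example `# ACPI tables; read access is limited to bert_collector`, would make the restriction explicit for the next editor.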
diff --git a/private/keystore.te b/private/keystore.te
index 44503a1..3a1c242 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -58,7 +58,6 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
allow keystore rkp_cert_processor_service:service_manager find;
diff --git a/private/linux_vm_setup.te b/private/linux_vm_setup.te
new file mode 100644
index 0000000..ba483e8
--- /dev/null
+++ b/private/linux_vm_setup.te
@@ -0,0 +1,6 @@
+type linux_vm_setup, domain, coredomain;
+type linux_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ init_daemon_domain(linux_vm_setup)
+')
diff --git a/private/property.te b/private/property.te
index fb5251f..40beca5 100644
--- a/private/property.te
+++ b/private/property.te
@@ -19,6 +19,7 @@
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
+system_internal_prop(bert_collector_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index f7e81fd..999a69a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -870,6 +870,8 @@
dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+acpi.bert_collector.start u:object_r:bert_collector_start_prop:s0 exact bool
+
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -1013,6 +1015,7 @@
ro.build.date.utc u:object_r:build_prop:s0 exact int
ro.build.description u:object_r:build_prop:s0 exact string
ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.critical_issues.fixed_issues.long_list u:object_r:build_prop:s0 exact string
ro.build.flavor u:object_r:build_prop:s0 exact string
ro.build.host u:object_r:build_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 18e3462..a6e9975 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -479,7 +479,7 @@
allow shell vendor_shell_exec:file rx_file_perms;
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
- allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+ allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')
# Everything is labeled as rootfs in recovery mode. Allow shell to