Merge "Revert "Remove the bdev_type and sysfs_block_type SELinux attributes""
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 22f6cd8..f80312a 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -32,4 +32,5 @@
sysfs_vendor_sched
vendor_vm_file
vendor_vm_data_file
+ virtual_device_service
))
diff --git a/private/service_contexts b/private/service_contexts
index 1b28ca9..335004e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -303,6 +303,7 @@
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtualdevice u:object_r:virtual_device_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 98d83af..d6f237c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,6 +176,15 @@
# the profiler (which would be profiling the app that is sending the signal).
allow untrusted_app_all simpleperf:process signal;
+# Allow running a VM for test/demo purposes. Note that access the service is
+# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission. The protection level of the permission is `signature|development`
+# so that it can only be granted to either platform-key signed apps or
+# test-only apps having `android:testOnly="true"` in its manifest.
+userdebug_or_eng(`
+ virtualizationservice_use(untrusted_app_all)
+')
+
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;
diff --git a/private/zygote.te b/private/zygote.te
index f2af506..8e2b15a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -230,6 +230,11 @@
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
###
### neverallow rules
###
diff --git a/public/service.te b/public/service.te
index d333175..ef24657 100644
--- a/public/service.te
+++ b/public/service.te
@@ -231,6 +231,7 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type virtual_device_service, system_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;