Merge "Allow keystore to monitor and read APEX info" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 37400dd..66f8ef3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -253,6 +253,13 @@
}
filegroup {
+ name: "com.android.bt-file_contexts",
+ srcs: [
+ "com.android.bt-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.car.framework-file_contexts",
srcs: [
"com.android.car.framework-file_contexts",
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bt-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bt-file_contexts
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 275a455..8c331d0 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -92,6 +92,9 @@
# apexd can set apexd sysprop
set_prop(apexd, apexd_prop)
+# apexd can set apex.all.ready sysprop
+set_prop(apexd, apex_ready_prop)
+
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
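Review bot: Nothing visible in this diff stops other domains from setting `apex_ready_prop`, although the added `set_prop(apexd, apex_ready_prop)` makes apexd its intended writer. Since `apex.all.ready` is a readiness signal that other components presumably wait on, consider pinning the writer set next to the grant, for example `neverallow { domain -init -apexd } apex_ready_prop:property_service set;`. If the microdroid policy already has an equivalent rule elsewhere, a short comment pointing to it would be enough. The rest of apexd.te lies outside this hunk.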
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2bd5a22..803e25e 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -58,6 +58,7 @@
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+apex.all.ready u:object_r:apex_ready_prop:s0 exact bool
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 7db53d0..18dab10 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -2,6 +2,7 @@
type apex_config_prop, property_type;
type apexd_payload_metadata_prop, property_type;
type apexd_prop, property_type;
+type apex_ready_prop, property_type;
type arm64_memtag_prop, property_type;
type bootloader_prop, property_type;
type boottime_prop, property_type;
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 0bf3f7e..4430364 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -10,6 +10,7 @@
fstype_prop
binderfs_logs_transactions
binderfs_logs_transaction_history
+ proc_compaction_proactiveness
proc_cgroups
ranging_service
supervision_service
@@ -22,7 +23,6 @@
media_quality_service
advanced_protection_service
sysfs_firmware_acpi_tables
- dynamic_instrumentation_service
intrusion_detection_service
wifi_mainline_supplicant_service
))
diff --git a/private/installd.te b/private/installd.te
index 55e962a..50c378a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -226,6 +226,13 @@
allow installd storage_area_key_file:file unlink;
')
+# Allow installd to delete the terminal app's data file.
+# `virtualizationservice_data_file` was used for a while, but it needs to be
+# deleted when terminal feature is disabled.
+# TODO(b/383026786): Remove this rule once the there is no
+# `virtualizationservice_data_file` in terminal app anymore..
+allow installd virtualizationservice_data_file:file unlink;
+
###
### Neverallow rules
###
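Review bot: The added `allow installd virtualizationservice_data_file:file unlink;` covers every file carrying that label, not only the terminal app's leftovers described in the comment. If the type also labels virtualizationservice's own data (not visible here), installd gains the ability to delete those files too, and the comment should say so explicitly so the scope is a recorded decision. The TODO text also has two slips ("once the there is", "anymore.."); suggested wording: `# TODO(b/383026786): Remove this rule once no terminal app file is labelled` / `# virtualizationservice_data_file anymore.`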
diff --git a/private/property.te b/private/property.te
index 525754f..92e244d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -112,6 +112,7 @@
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
system_vendor_config_prop(prefetch_boot_prop)
+system_vendor_config_prop(widevine_sys_vendor_prop)
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
diff --git a/private/property_contexts b/private/property_contexts
index 974c040..6b0cbfa 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1789,6 +1789,13 @@
trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+# Properties that allows vendors to enable Trusty widevine VM features
+# Enable Widevine VM
+trusty.widevine_vm.enabled u:object_r:widevine_sys_vendor_prop:s0 exact bool
+# Sets the path used by Widevine HALs to find correct library for the widevine
+# service provider location
+widevine.liboemcrypto.path u:object_r:widevine_sys_vendor_prop:s0 exact string
+
# Properties for mmd
mmd. u:object_r:mmd_prop:s0
mmd.enabled_aconfig u:object_r:mmd_prop:s0 exact bool
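Review bot: `widevine.liboemcrypto.path` is an unconstrained `string` that, per its own comment, tells the Widevine HALs which library to use, so any domain able to set a `widevine_sys_vendor_prop` property influences code loaded into those HALs. It also shares one label with the `trusty.widevine_vm.enabled` flag, so a writer of the flag can set the path as well. The comment should record who is expected to set the path and that consumers must validate it before loading, for example `# Set at boot by vendor init only; HALs must reject paths outside the expected vendor library directories.` The comment opening also reads better as "Properties that allow vendors to ...".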
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ce49fc4..25ed1ba 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -224,4 +224,3 @@
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 7e89300..dde4bd2 100644
--- a/private/service.te
+++ b/private/service.te
@@ -62,6 +62,7 @@
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
type wifi_mainline_supplicant_service, service_manager_type;
+type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
###
### Neverallow rules
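Review bot: The new `dynamic_instrumentation_service` declaration is appended after `wifi_mainline_supplicant_service`, which breaks the alphabetical order that the visible neighbours (`uce_`, `wearable_sensing_`, `wifi_mainline_supplicant_`) appear to follow. Moving it to its sorted position keeps later merges and audits of this list simpler. The type also keeps `app_api_service`, carried over from the declaration removed from public/service.te, which makes the service discoverable from app domains. A one-line comment confirming that this is intended for an instrumentation service would help reviewers.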
diff --git a/private/service_contexts b/private/service_contexts
index 1478e93..2e050eb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -188,9 +188,7 @@
app_binding u:object_r:app_binding_service:s0
app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
-starting_at_board_api(202504, `
- dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
-')
+dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index dca1bc1..99035f8 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -22,6 +22,7 @@
get_prop(tradeinmode, odsign_prop)
get_prop(tradeinmode, build_attestation_prop)
get_prop(tradeinmode, adbd_tradeinmode_prop)
+set_prop(tradeinmode, powerctl_prop)
# Needed to start activities through "am".
binder_call(tradeinmode, system_server)
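Review bot: The added `set_prop(tradeinmode, powerctl_prop)` has no comment, unlike the `binder_call` rule right below it. `powerctl_prop` lets the domain request a reboot or shutdown, so the reason for the grant should sit next to it, for example `# Allow tradeinmode to request a reboot via sys.powerctl.`, with the specific trade-in flow that needs it named by the author. The remainder of tradeinmode.te is outside this hunk, so any existing restriction on when this domain runs cannot be confirmed from here.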
diff --git a/private/uprobestats.te b/private/uprobestats.te
index c55f23d..d778126 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,9 +24,7 @@
# For registration with system server as a process observer.
binder_use(uprobestats)
allow uprobestats activity_service:service_manager find;
-starting_at_board_api(202504, `
- allow uprobestats dynamic_instrumentation_service:service_manager find;
-')
+allow uprobestats dynamic_instrumentation_service:service_manager find;
binder_call(uprobestats, system_server);
# Allow uprobestats to talk to native package manager
diff --git a/public/service.te b/public/service.te
index 854ceef..312c592 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,9 +75,6 @@
type app_function_service, app_api_service, system_server_service, service_manager_type;
')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
- type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
-')
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index b9b935c..fa05eb1 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,10 +48,6 @@
removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
- # TODO(b/330670954): remove this once all internal references are removed.
- if "proc_compaction_proactiveness" in added_types:
- added_types.remove("proc_compaction_proactiveness")
-
if removed_types:
results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index cdf82f1..3f3def6 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -30,6 +30,22 @@
cat > "$prebuilt_dir/Android.bp" <<EOF
// Automatically generated file, do not edit!
se_policy_conf {
+ name: "${ver}_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "${ver}",
+}
+
+se_policy_cil {
+ name: "${ver}_reqd_policy_mask.cil",
+ src: ":${ver}_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "${ver}_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: [
@@ -38,12 +54,13 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "${ver}",
}
se_policy_cil {
name: "${ver}_plat_pub_policy.cil",
src: ":${ver}_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":${ver}_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
@@ -59,16 +76,25 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "${ver}",
}
se_policy_cil {
name: "${ver}_product_pub_policy.cil",
src: ":${ver}_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":${ver}_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "${ver}_plat_pub_versioned.cil",
+ base: ":${ver}_product_pub_policy.cil",
+ target_policy: ":${ver}_product_pub_policy.cil",
+ version: "${ver}",
+ installable: false,
+}
+
se_policy_conf {
name: "${ver}_plat_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
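Review bot: The generated `${ver}_plat_pub_versioned.cil` module takes both `base` and `target_policy` from `:${ver}_product_pub_policy.cil`, which does not match the `plat_pub` in its name. This may well be intentional (the product public policy presumably being the full public set for the version), but nothing in the heredoc says so. A generated comment above the module, such as `// base/target use the product public policy on purpose: it is the complete public policy for ${ver}.`, would keep a later cleanup from "correcting" it to a narrower input. The heredoc continues beyond this hunk.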
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 66ac4ec..220fbd2 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[0-9]+-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
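Review bot: The vehicle pattern is now open-ended (`V[0-9]+`), while the neighbouring `remoteaccess@V[1-2]` and `ivn@V1` entries stay pinned to specific versions, so the file mixes two conventions. With the wider pattern, any vendor binary named `android.hardware.automotive.vehicle@V<n>-(default|emulator)-service` automatically receives `hal_vehicle_default_exec`, including `V0`. If that is the intended policy, a short comment above the line saying that version numbers are deliberately unbounded would make the difference from the adjacent entries clear.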