Merge "Adding /odm support"
diff --git a/Android.mk b/Android.mk
index 9f101e2..ccddace 100644
--- a/Android.mk
+++ b/Android.mk
@@ -259,6 +259,7 @@
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -291,6 +292,7 @@
reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -318,6 +320,7 @@
plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -367,6 +370,7 @@
plat_policy.conf := $(intermediates)/plat_policy.conf
$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -518,6 +522,7 @@
vendor_policy.conf := $(intermediates)/vendor_policy.conf
$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -642,6 +647,7 @@
sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -687,6 +693,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
@@ -1301,6 +1308,7 @@
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
diff --git a/definitions.mk b/definitions.mk
index 8a8c9c6..4b9e098 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -4,7 +4,7 @@
@mkdir -p $(dir $@)
$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 1caf952..fe3e648 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-# TODO: unknown fd pass denials, need further investigation.
-dontaudit bpfloader netd:fd use;
+allow bpfloader netd:fd use;
# Use pinned bpf map files from netd.
allow bpfloader netd:bpf { map_read map_write };
diff --git a/private/bug_map b/private/bug_map
index 1ff1ffe..9bc5154 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -3,6 +3,7 @@
crash_dump resourcecache_data_file dir 68319037
crash_dump system_data_file file 68319037
crash_dump vendor_overlay_file dir 68319037
+platform_app nfc_data_file dir 74331887
priv_app sysfs dir 72749888
priv_app sysfs_android_usb file 72749888
priv_app system_data_file dir 72811052
@@ -10,4 +11,3 @@
untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
-vold system_data_file file 62140539
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a493e0..4d36d8e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( adbd_exec
+ ( adb_service
+ adbd_exec
bootloader_boot_reason_prop
blank_screen
blank_screen_exec
@@ -68,6 +69,7 @@
perfprofd_service
property_info
secure_element
+ secure_element_device
secure_element_tmpfs
secure_element_service
slice_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 99db662..dcd9f88 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( blank_screen
+ ( adb_service
+ blank_screen
blank_screen_exec
blank_screen_tmpfs
bootloader_boot_reason_prop
@@ -52,6 +53,7 @@
perfprofd_service
property_info
secure_element
+ secure_element_device
secure_element_service
secure_element_tmpfs
slice_service
diff --git a/private/file_contexts b/private/file_contexts
index f05d005..e70ca4b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -321,10 +321,16 @@
#############################
# OEM and ODM files
#
-/odm(/.*)? u:object_r:vendor_file:s0
-/odm/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-/odm/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/odm/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
+/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
+/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
/oem(/.*)? u:object_r:oemfs:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index a887a61..824dece 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -31,6 +31,9 @@
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
@@ -42,6 +45,11 @@
# Get process attributes
# TODO allow incidentd domain:process getattr;
+# Read files in /proc
+allow incidentd {
+ proc_stat
+}:file r_file_perms;
+
# Signal java processes to dump their stack and get the results
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
# TODO allow incidentd anr_data_file:dir create_dir_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 71d4845..985444f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,6 +1,7 @@
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
+adb u:object_r:adb_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index a512e5d..d1571d6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -746,8 +746,8 @@
# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
# the map after snapshot is recorded
-allow system_server fs_bpf:file write;
-allow system_server netd:bpf { map_read map_write };
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
diff --git a/public/device.te b/public/device.te
index 43c89ab..231c839 100644
--- a/public/device.te
+++ b/public/device.te
@@ -39,6 +39,7 @@
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
diff --git a/public/property_contexts b/public/property_contexts
index 55fad2e..a58c948 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -67,7 +67,6 @@
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
-persist.rcs.supported u:object_r:exported3_default_prop:s0 exact int
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
@@ -201,6 +200,7 @@
aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
diff --git a/public/service.te b/public/service.te
index e13b6d5..ae45987 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type adb_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 22d9c46..ac8c808 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -19,6 +19,7 @@
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
index 86fe0b9..b1a94a1 100644
--- a/vendor/hal_secure_element_default.te
+++ b/vendor/hal_secure_element_default.te
@@ -2,4 +2,6 @@
hal_server_domain(hal_secure_element_default, hal_secure_element)
type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+
init_daemon_domain(hal_secure_element_default)