Merge "authfs - remove getattr perm for fd pass"
diff --git a/apex/Android.bp b/apex/Android.bp
index 8be5aa1..faff4a6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -237,3 +237,10 @@
"com.android.extservices-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.car.framework-file_contexts",
+ srcs: [
+ "com.android.car.framework-file_contexts",
+ ],
+}
diff --git a/apex/com.android.car.framework-file_contexts b/apex/com.android.car.framework-file_contexts
new file mode 100644
index 0000000..44527bc
--- /dev/null
+++ b/apex/com.android.car.framework-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/apexd.te b/private/apexd.te
index fae3e41..50a7a72 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -44,8 +44,8 @@
LOOP_CONFIGURE
};
# Allow apexd to access /dev/block
-allow apexd bdev_type:dir r_dir_perms;
-allow apexd bdev_type:blk_file getattr;
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
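Review bot: The rewritten `allow apexd dev_type:dir r_dir_perms;` and `allow apexd dev_type:blk_file getattr;` give apexd directory listing and stat access on every device node type, not only block devices, while the comment above them still reads `# Allow apexd to access /dev/block`. The change does not say which block device is missing the `bdev_type` attribute, so the reason for the wider grant is lost on the next reader, and the matching `-apexd` exemption from the /dev neverallow in coredomain.te (hunk at L81) has no stated justification either. Either label the node in question with `bdev_type` and keep the narrower rule, or replace the comment with one that names the reason, e.g. `# Allow apexd to stat block devices under /dev; dev_type rather than bdev_type because <DEVICE> is not labelled bdev_type` with the placeholder filled in.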
@@ -99,8 +99,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
-allow apexd sysfs_block_type:dir r_dir_perms;
-allow apexd sysfs_block_type:file r_file_perms;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
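Review bot: `allow apexd sysfs_type:dir r_dir_perms;` and `allow apexd sysfs_type:file r_file_perms;` make every sysfs file readable by apexd, which is far wider than the `# Access to /sys/class/block` comment suggests, and it is what forces the new `-apexd` carve-outs from the generic-sysfs neverallows in coredomain.te (hunks at L66 and L73) and domain.te (hunk at L183). Presumably the entries under /sys/class/block are symlinks whose targets are not labelled `sysfs_block_type` — confirm; if so, labelling those targets would let the removed `sysfs_block_type` rules stay and the neverallow exemptions disappear. Failing that, the comment should say that the whole attribute is needed because of the symlink targets, e.g. `# /sys/class/block entries resolve to device directories outside sysfs_block_type, so the full sysfs_type attribute is needed (read-only).`, rather than implying the grant is limited to one directory.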
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 0fdb697..58841c6 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,6 +7,7 @@
( new_objects
artd_service
camera2_extensions_prop
+ device_config_nnapi_native_prop
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
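Review bot: Only `device_config_nnapi_native_prop` is added to `new_objects`, but this change also introduces `device_config_virtualization_framework_native_prop` (private/property.te and property_contexts hunks at L118 and L139), which does not appear in this list. Unless it is already registered elsewhere in the file, the compat mapping will be missing one of the two new types. Adding `device_config_virtualization_framework_native_prop` directly after the nnapi entry keeps the list alphabetical.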
diff --git a/private/coredomain.te b/private/coredomain.te
index b7f4f5d..dde80b2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -37,6 +37,7 @@
-init
# generic access to sysfs_type
+ -apexd
-ueventd
-vold
} sysfs_leds:file *;
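Review bot: The `-apexd` exemptions added here and in the two later coredomain.te hunks (L77 and L85) carry no comment, while the equivalent exemption in domain.te (L187-L188) explains itself with `# For access to block device information under /sys/class/block.`. Each carve-out from a neverallow removes a guard, so the reason should sit next to it; for the sysfs ones the same one-line comment fits, and for the /dev one at L85 the reason is not stated anywhere in the change and needs to be supplied by the author. Note that the neverallow this first hunk edits starts before L67, so its target class is not visible here.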
@@ -137,6 +138,7 @@
# /sys
neverallow {
coredomain
+ -apexd
-init
-ueventd
-vold
@@ -145,6 +147,7 @@
# /dev
neverallow {
coredomain
+ -apexd
-fsck
-init
-ueventd
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index aefbb3d..c4e589d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -9,6 +9,7 @@
set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_lmkd_native_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
diff --git a/private/incidentd.te b/private/incidentd.te
index 918ffda..c1314a8 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -150,6 +150,9 @@
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
+# Allow incidentd to read /apex/apex-info-list.xml
+allow incidentd apex_info_file:file r_file_perms;
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
diff --git a/private/property.te b/private/property.te
index 32cdc75..b196a1b 100644
--- a/private/property.te
+++ b/private/property.te
@@ -43,6 +43,9 @@
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
+# Properties which can't be written outside system
+system_restricted_prop(device_config_virtualization_framework_native_prop)
+
###
### Neverallow rules
###
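Review bot: `system_restricted_prop(device_config_virtualization_framework_native_prop)` is declared without any domain being granted `set_prop` on it in this change, whereas its sibling `device_config_nnapi_native_prop` gets setters in flags_health_check.te and system_server.te (L97, L154) and an entry in the system_server.te property list (L162). If the setter and list entry live outside this diff this can be ignored; otherwise the property can only ever be read (vendor_init at L174), which looks unintended. The comment `# Properties which can't be written outside system` also just restates what the macro means; it would be more useful to say why this one is declared in private/property.te while the nnapi property goes into public/property.te (L215).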
diff --git a/private/property_contexts b/private/property_contexts
index 1b35d3b..2667615 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -241,6 +241,7 @@
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
@@ -249,6 +250,7 @@
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# MM Events config props
diff --git a/private/system_server.te b/private/system_server.te
index 66f9ba4..4c87b3f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -696,6 +696,7 @@
# server configurable flags properties
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
@@ -1217,6 +1218,7 @@
device_config_input_native_boot_prop
device_config_lmkd_native_prop
device_config_netd_native_prop
+ device_config_nnapi_native_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 2e616f3..70b3ef9 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -9,6 +9,9 @@
# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)
+# Let vendor_init react to AVF device config changes
+get_prop(vendor_init, device_config_virtualization_framework_native_prop)
+
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
diff --git a/public/domain.te b/public/domain.te
index 19562b1..b789ebf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1357,6 +1357,8 @@
coredomain
-healthd
-shell
+ # For access to block device information under /sys/class/block.
+ -apexd
# Generate uevents for health info
-ueventd
# Recovery uses health HAL passthrough implementation.
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 7497dec..04d0b59 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -28,6 +28,10 @@
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+
+# Allow NN HAL client to read device_config_nnapi_native_prop.
+get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)
+
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
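Review bot: `get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)` drops the trailing `;` that the adjacent `get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);` carries; both forms evidently pass the build, but within one file the two neighbouring rules should be written the same way. The comment `# Allow NN HAL client to read device_config_nnapi_native_prop.` only restates the rule; it would help to say what the client decides from the property, in the style of the existing comment at L197-L198.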
diff --git a/public/property.te b/public/property.te
index 2b2af6d..de61748 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)