Merge changes from topic "31.0_compat_mapping"
* changes:
Add 31.0 mapping files
Add fake 31.0 prebuilt
diff --git a/private/bpfloader.te b/private/bpfloader.te
index ae9b52c..343ec7a 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,13 +27,13 @@
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6e66493..7c508cd 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -68,6 +68,7 @@
hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
+ hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
keystore_compat_hal_service
@@ -132,7 +133,7 @@
system_suspend_control_internal_service
task_profiles_api_file
texttospeech_service
- transformer_service
+ translation_service
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
diff --git a/private/file_contexts b/private/file_contexts
index 89b63d6..d34f64f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -361,7 +361,6 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/keystore.te b/private/keystore.te
index 3fccf59..0e57045 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -29,7 +29,6 @@
get_prop(keystore, keystore_listen_prop)
-# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;
-allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/lmkd.te b/private/lmkd.te
index fef3a89..ec9a93e 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,8 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
+allow lmkd fs_bpf:dir search;
+allow lmkd fs_bpf:file read;
+allow lmkd bpfloader:bpf map_read;
+
neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/priv_app.te b/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -189,6 +189,14 @@
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
###
### neverallow rules
###
diff --git a/private/rs.te b/private/rs.te
index bf10841..268f040 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
diff --git a/private/service_contexts b/private/service_contexts
index b410b18..c020a04 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -275,7 +275,7 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-transformer u:object_r:transformer_service:s0
+translation u:object_r:translation_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index da98e2e..974a297 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -1,15 +1,5 @@
-# wait_for_keymaster service
+# wait_for_keymaster service. No longer used;
+# here only so that downstream code compiles.
type wait_for_keymaster, domain, coredomain;
type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(wait_for_keymaster)
-
-hal_client_domain(wait_for_keymaster, hal_keymaster)
-
-allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
-
-# wait_for_keymaster needs to find keystore and call methods with the returned
-# binder reference.
-binder_use(wait_for_keymaster)
-allow wait_for_keymaster keystore_service:service_manager find;
-binder_call(wait_for_keymaster, keystore)
diff --git a/private/zygote.te b/private/zygote.te
index 9038c4f..dd42a81 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -69,8 +69,8 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/app.te b/public/app.te
index ae8d7fd..a49faaf 100644
--- a/public/app.te
+++ b/public/app.te
@@ -70,7 +70,7 @@
allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/public/attributes b/public/attributes
index daef4bb..2e01f1e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -358,6 +358,7 @@
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
+hal_attribute(uwb);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 0214e2a..a895ad0 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,6 +8,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -25,6 +26,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -36,6 +38,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/service.te b/public/service.te
index 74dc104..4fa6a13 100644
--- a/public/service.te
+++ b/public/service.te
@@ -160,7 +160,7 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, system_server_service, service_manager_type;
+type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type people_service, app_api_service, system_server_service, service_manager_type;
@@ -212,7 +212,7 @@
type timedetector_service, app_api_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
-type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;