Merge "Add /data/fonts/files directory"
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 559d4ad..dc679d1 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -42,6 +42,7 @@
hal_keymint_service
hal_neuralnetworks_service
hal_power_stats_service
+ hal_weaver_service
keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
@@ -67,6 +68,7 @@
profcollectd_service
radio_core_data_file
reboot_readiness_service
+ resolver_service
search_ui_service
shell_test_data_file
smartspace_service
@@ -75,6 +77,7 @@
snapuserd_socket
speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_uhid
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 4e78804..ecde711 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -159,6 +159,7 @@
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
diff --git a/private/installd.te b/private/installd.te
index b0e38fb..c89ba8b 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -43,6 +43,3 @@
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
-
-# TODO(b/177187042): Remove this when the denials are fixed.
-dontaudit installd device:file write;
\ No newline at end of file
diff --git a/private/service.te b/private/service.te
index f17fe86..821b740 100644
--- a/private/service.te
+++ b/private/service.te
@@ -4,6 +4,7 @@
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 96384e2..c90d48e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -14,6 +14,7 @@
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
+android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -202,6 +203,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+resolver u:object_r:resolver_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index b7dbed0..6767cd1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -275,6 +275,10 @@
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
@@ -370,6 +374,8 @@
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
@@ -1272,6 +1278,15 @@
-system_server
} wifi_config_prop:file no_rw_file_perms;
+# Only allow system server to write uhid sysfs files
+neverallow {
+ domain
+ -init
+ -system_server
+ -ueventd
+ -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
diff --git a/public/file.te b/public/file.te
index 1092b90..c1c69b9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -121,7 +121,7 @@
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
-
+type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 36d1306..2b34989 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,3 +2,6 @@
binder_call(hal_weaver_client, hal_weaver_server)
hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/public/service.te b/public/service.te
index 5837951..3d91b73 100644
--- a/public/service.te
+++ b/public/service.te
@@ -246,6 +246,7 @@
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/te_macros b/public/te_macros
index 1966f20..c6035f8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -467,6 +467,12 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
diff --git a/vendor/hal_weaver_default.te b/vendor/hal_weaver_default.te
new file mode 100644
index 0000000..0dd7679
--- /dev/null
+++ b/vendor/hal_weaver_default.te
@@ -0,0 +1,5 @@
+type hal_weaver_default, domain;
+hal_server_domain(hal_weaver_default, hal_weaver)
+
+type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_weaver_default)