Merge "Revert^2 "Make default_prop only readable from coredomain""
diff --git a/Android.mk b/Android.mk
index 111ddd9..8afd5a8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -95,6 +95,51 @@
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif
+# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+# policy files of platform (system, system_ext, product) can't be mixed with
+# policy files of vendor (vendor, odm). If it's the case, platform policies and
+# vendor policies are separately built. More specifically,
+#
+# - Platform policy files needed to build vendor policies, such as plat_policy,
+# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+#
+# - sepolicy_neverallows only checks platform policies, and a new module
+# sepolicy_neverallows_vendor checks vendor policies.
+#
+# - neverallow checks are turned off while compiling precompiled_sepolicy module
+# and sepolicy module.
+#
+# - Vendor policies are not checked on the compat test (compat.mk).
+#
+# In such scenario, we can grab platform policy files from the prebuilts/api
+# directory. But we need more than that: prebuilts of system_ext, product,
+# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
+# are introduced to specify such prebuilts.
+#
+# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+#
+# Vendors are responsible for copying policy files from the old version of the
+# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
+# be used to build vendor policies. See prebuilt_policy.mk for more details.
+#
+# To support both mixed build and normal build, platform policy files are
+# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
+# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
+# for more details.
+#
+# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
+mixed_sepolicy_build := true
+else
+mixed_sepolicy_build :=
+endif
+
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@@ -114,6 +159,21 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
+# Set default values for these prebuilt directories
+ifeq (,$(BOARD_REQD_MASK_POLICY))
+BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
+endif
+
+ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
+BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
+endif
+
+$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
+ $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
+ BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
+ ) \
+)))
+
ifdef BOARD_ODM_SEPOLICY_DIRS
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
@@ -295,9 +355,12 @@
$(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
- plat_sepolicy_and_mapping.sha256 \
secilc \
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
+endif
+
LOCAL_REQUIRED_MODULES += \
build_sepolicy \
plat_file_contexts \
@@ -493,6 +556,20 @@
include $(BUILD_PHONY_PACKAGE)
#################################
+
+ifeq ($(mixed_sepolicy_build),true)
+include $(LOCAL_PATH)/prebuilt_policy.mk
+else
+reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
+plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
+plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
+system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
+system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
+product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
+product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
+endif
+
+#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
@@ -503,11 +580,19 @@
# sepolicy_policy.conf - All of the policy for the device. This is only used to
# check neverallow rules.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+# In a mixed build target, vendor policies are checked separately, on the module
+# sepolicy_neverallows_vendor.
+
+all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
+ifeq ($(mixed_sepolicy_build),true)
+policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
+else
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+endif
+
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -524,11 +609,6 @@
# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
# check neverallow rules using sepolicy-analyze, similar to CTS.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -565,6 +645,80 @@
sepolicy_policy_2.conf :=
built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
+#################################
+# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
+ifeq ($(mixed_sepolicy_build),true)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := sepolicy_neverallows_vendor
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Check neverallow with prebuilt policy files
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+# sepolicy_policy.conf - All of the policy for the device. This is only used to
+# check neverallow rules.
+sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy_2.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+ $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+ ( echo "" 1>&2; \
+ echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+ echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+ echo "the policy." 1>&2; \
+ exit 1 )
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@.tmp
+ $(hide) mv $@.tmp $@
+
+sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
+built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
+
+endif # ifeq ($(mixed_sepolicy_build),true)
+
##################################
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
# policy necessary to use checkpolicy. This bare-minimum policy needs to be
@@ -599,6 +753,7 @@
$(POLICYVERS) -o $@ $<
reqd_policy_mask.conf :=
+reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
##################################
# pub_policy - policy that will be exported to be a part of non-platform
@@ -646,6 +801,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
+
pub_policy.conf :=
##################################
@@ -677,6 +834,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
+
system_ext_pub_policy.conf :=
##################################
@@ -708,6 +867,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
+
plat_pub_policy.conf :=
#################################
@@ -757,6 +918,7 @@
$(hide) mv $@.tmp $@
built_plat_cil := $(LOCAL_BUILT_MODULE)
+built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
plat_policy.conf :=
#################################
@@ -858,6 +1020,7 @@
built_system_ext_cil := $(LOCAL_BUILT_MODULE)
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
system_ext_policy.conf :=
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -916,6 +1079,7 @@
built_product_cil := $(LOCAL_BUILT_MODULE)
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
product_policy.conf :=
endif # ifdef HAS_PRODUCT_SEPOLICY
@@ -954,6 +1118,7 @@
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
#################################
include $(CLEAR_VARS)
@@ -979,6 +1144,7 @@
-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
#################################
@@ -1005,6 +1171,7 @@
-f $(PRIVATE_FILTER_CIL_FILES) -t $@
built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
#################################
@@ -1020,7 +1187,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
@@ -1034,6 +1201,7 @@
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
#################################
include $(CLEAR_VARS)
@@ -1049,9 +1217,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
- $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
vendor_policy.conf := $(intermediates)/vendor_policy.conf
$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1070,18 +1240,20 @@
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
-$(built_system_ext_mapping_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
- $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
- $(built_product_mapping_cil)
+ $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -1106,9 +1278,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
- $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
odm_policy.conf := $(intermediates)/odm_policy.conf
$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1127,17 +1301,21 @@
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
- $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
- $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
- $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \
+ $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
@@ -1168,8 +1346,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1177,7 +1355,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1185,7 +1363,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1193,7 +1371,8 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
@@ -1327,8 +1506,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1336,7 +1515,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1344,7 +1523,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1352,7 +1531,8 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
@@ -1384,12 +1564,12 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# We use vendor version's policy files because recovery partition is vendor-owned.
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
- $(BOARD_ODM_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1477,7 +1657,7 @@
# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.tmp into file_contexts.concat.tmp.
+# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 63873d2..700f8e0 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -55,8 +55,9 @@
productPublicSrcs android.Paths
productPrivateSrcs android.Paths
- vendorSrcs android.Paths
- odmSrcs android.Paths
+ vendorSrcs android.Paths
+ vendorReqdMaskSrcs android.Paths
+ odmSrcs android.Paths
}
// Source files from system/sepolicy/public
@@ -104,6 +105,10 @@
return fg.vendorSrcs
}
+func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
+ return fg.vendorReqdMaskSrcs
+}
+
// Source files from BOARD_ODM_SEPOLICY_DIRS
func (fg *fileGroup) OdmSrcs() android.Paths {
return fg.odmSrcs
@@ -141,6 +146,7 @@
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
+ fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 8e2d1da..5b21d41 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -158,7 +158,9 @@
if ctx.ProductSpecific() {
inputs = append(inputs, segroup.ProductPrivateSrcs()...)
} else if ctx.SocSpecific() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
+ inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ }
inputs = append(inputs, segroup.VendorSrcs()...)
} else if ctx.DeviceSpecific() {
inputs = append(inputs, segroup.OdmSrcs()...)
@@ -170,7 +172,11 @@
}
if proptools.Bool(m.properties.Reqd_mask) {
- inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ if ctx.SocSpecific() || ctx.DeviceSpecific() {
+ inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
+ } else {
+ inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ }
}
})
@@ -225,6 +231,7 @@
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
+ data.Entries.WriteLicenseVariables(w)
fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
if m.Owner() != "" {
fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
diff --git a/compat.mk b/compat.mk
index 5e6dc41..2b691ec 100644
--- a/compat.mk
+++ b/compat.mk
@@ -15,7 +15,6 @@
$(built_plat_cil) \
$(built_plat_mapping_cil) \
$(built_pub_vers_cil) \
- $(built_vendor_cil) \
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -34,10 +33,16 @@
all_cil_files += $(built_product_mapping_cil)
endif
+ifneq ($(mixed_sepolicy_build),true)
+
+all_cil_files += $(built_vendor_cil)
+
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
+endif # ifneq ($(mixed_sepolicy_build),true)
+
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
new file mode 100644
index 0000000..ee65878
--- /dev/null
+++ b/prebuilt_policy.mk
@@ -0,0 +1,315 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
+# The policy files will only be used to compile vendor and odm policies.
+#
+# Specifically, the following prebuilts are used...
+# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
+# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
+# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
+#
+# ... to generate following policy files.
+#
+# - reqd policy mask
+# - plat, system_ext, product public policy
+# - plat, system_ext, product policy
+# - plat, system_ext, product versioned policy
+#
+# These generated policy files will be used only when building vendor policies.
+# They are not installed to system, system_ext, or product partition.
+ver := $(BOARD_SEPOLICY_VERS)
+prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
+plat_public_policy_$(ver) := $(prebuilt_dir)/public
+plat_private_policy_$(ver) := $(prebuilt_dir)/private
+system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
+system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
+product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
+product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
+
+##################################
+# policy-to-conf-rule: a helper macro to transform policy files to conf file.
+#
+# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
+# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
+#
+# $(1): output path (.conf file)
+define policy-to-conf-rule
+$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
+$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
+$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
+$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
+$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
+$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
+$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
+$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
+$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
+$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
+$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_POLICY_FILES := $$(policy_files)
+$(1): $$(policy_files) $$(M4)
+ $$(transform-policy-to-conf)
+endef
+
+##################################
+# reqd_policy_mask_$(ver).cil
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
+reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+
+reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
+$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+ $(POLICYVERS) -o $@ $<
+
+reqd_policy_mask_$(ver).conf :=
+
+reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
+
+##################################
+# plat_pub_policy_$(ver).cil: exported plat policies
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
+plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
+
+plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
+$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
+$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+plat_pub_policy_$(ver).conf :=
+
+##################################
+# plat_mapping_cil_$(ver).cil: versioned exported system policy
+#
+plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
+$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
+
+##################################
+# plat_policy_$(ver).cil: system policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
+plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
+
+plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
+$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
+$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+plat_policy_$(ver).conf :=
+
+built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+##################################
+# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
+system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
+
+system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
+$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
+$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+system_ext_pub_policy_$(ver).conf :=
+
+##################################
+# system_ext_policy_$(ver).cil: system_ext policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
+ $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
+system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
+
+system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
+$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
+$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
+ # latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+system_ext_policy_$(ver).conf :=
+
+built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
+
+##################################
+# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
+#
+system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
+$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
+ # sepolicy minus plat_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+
+built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
+
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# product_policy_$(ver).cil: product policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
+ $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
+ $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
+product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
+
+product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
+$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
+$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
+ # make sure that the latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+product_policy_$(ver).conf :=
+
+built_product_cil_$(ver) := $(product_policy_$(ver).cil)
+
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
+ $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
+pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
+
+pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
+$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
+$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+pub_policy_$(ver).conf :=
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# product_mapping_cil_$(ver).cil: versioned exported product policy
+#
+product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
+$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ # Generate product mapping file as mapping file of all public sepolicy minus
+ # plat_mapping_file and system_ext_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_FILTER_CIL_FILES) -t $@
+
+built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
+
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# plat_pub_versioned_$(ver).cil - the exported platform policy
+#
+plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
+$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
+$(built_product_mapping_cil_$(ver))
+$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
+ $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 171f68a..9ba60ac 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -4,8 +4,4 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
-allow canhalconfigurator hal_can_controller_hwservice:hwservice_manager find;
-binder_call(canhalconfigurator, hal_can_controller);
-allow canhalconfigurator hidl_manager_hwservice:hwservice_manager find;
-hwbinder_use(canhalconfigurator);
-get_prop(canhalconfigurator, hwservicemanager_prop);
+hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 49a5a77..6c95364 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2155,7 +2155,10 @@
(typeattributeset usbd_exec_30_0 (usbd_exec))
(typeattributeset usbfs_30_0 (usbfs))
(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0 (user_profile_data_file))
+(typeattributeset user_profile_data_file_30_0
+ ( user_profile_data_file
+ user_profile_root_file
+))
(typeattributeset user_service_30_0 (user_service))
(typeattributeset userdata_block_device_30_0 (userdata_block_device))
(typeattributeset usermodehelper_30_0 (usermodehelper))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index a19361c..a77ac01 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -7,7 +7,9 @@
( new_objects
ab_update_gki_prop
adbd_config_prop
+ apc_service
apex_info_file
+ arm64_memtag_prop
cgroup_desc_api_file
cgroup_v2
ctl_snapuserd_prop
@@ -15,21 +17,31 @@
device_config_profcollect_native_boot_prop
device_state_service
dm_user_device
+ dmabuf_heap_device
dmabuf_system_heap_device
+ dmabuf_system_secure_heap_device
framework_watchdog_config_prop
+ game_service
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_authsecret_service
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
+ hal_memtrack_service
+ hal_oemlock_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
- hal_power_stats_service
hal_keymint_service
+ hal_power_stats_service
+ keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
+ mediatuner_exec
+ mediatuner_service
+ mediatuner
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
@@ -38,10 +50,13 @@
power_debug_prop
power_stats_service
proc_kallsyms
+ proc_locks
profcollectd
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ radio_core_data_file
+ search_ui_service
shell_test_data_file
snapuserd
snapuserd_exec
@@ -50,8 +65,10 @@
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
+ transformer_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
+ watchdog_metadata_file
zygote_config_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index ceda5f2..516b49c 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -52,7 +52,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -69,7 +69,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -96,7 +96,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
} vendor_overlay_file:dir { getattr open read search };
')
@@ -116,7 +116,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
} vendor_overlay_file:file open;
')
@@ -214,6 +214,17 @@
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
diff --git a/private/domain.te b/private/domain.te
index d4f9e0e..e6b26f4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_central({
+userdebug_or_eng(`can_profile_heap({
domain
-bpfloader
-init
@@ -307,7 +307,7 @@
iorap_prefetcherd
traced_perf
traced_probes
- userdebug_or_eng(`heapprofd')
+ heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
@@ -414,7 +414,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
-shell
-system_executes_vendor_violators
diff --git a/private/file_contexts b/private/file_contexts
index 633a6ce..5330bdb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -93,7 +93,10 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
@@ -257,6 +260,7 @@
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
+/system/bin/mediatuner u:object_r:mediatuner_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -543,6 +547,10 @@
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
+# Ensure we have the same labels as /data/app or /data/apex/active
+# to avoid restorecon conflicts
+/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
+/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@@ -581,6 +589,7 @@
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
@@ -609,7 +618,8 @@
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
@@ -744,6 +754,7 @@
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
+/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 74a8434..900b25b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -14,6 +14,7 @@
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
@@ -66,6 +67,9 @@
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7e16b9b..50039c2 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -39,19 +39,17 @@
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
-userdebug_or_eng(`
- r_dir_file(heapprofd, nativetest_data_file)
- r_dir_file(heapprofd, system_file_type)
- r_dir_file(heapprofd, apk_data_file)
- r_dir_file(heapprofd, dalvikcache_data_file)
- r_dir_file(heapprofd, vendor_file_type)
- r_dir_file(heapprofd, shell_data_file)
- # Some dex files are not world-readable.
- # We are still constrained by the SELinux rules above.
- allow heapprofd self:global_capability_class_set dac_read_search;
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
- allow heapprofd proc_kpageflags:file r_file_perms;
-')
+# For checking profileability.
+allow heapprofd packages_list_file:file r_file_perms;
# This is going to happen on user but is benign because central heapprofd
# does not actually need these permission.
diff --git a/private/kernel.te b/private/kernel.te
index 207800e..70ca912 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,8 +1,32 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+domain_auto_trans(kernel, snapuserd_exec, snapuserd)
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel snapuserd_exec:file relabelto;
+
+allow kernel kmsg_device:chr_file write;
diff --git a/private/keystore.te b/private/keystore.te
index 2f62920c..5cded8a 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -8,6 +8,9 @@
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/mediatuner.te b/private/mediatuner.te
new file mode 100644
index 0000000..443119e
--- /dev/null
+++ b/private/mediatuner.te
@@ -0,0 +1,27 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
diff --git a/private/mls b/private/mls
index 68d0e58..1588a13 100644
--- a/private/mls
+++ b/private/mls
@@ -75,7 +75,7 @@
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index fd370c2..4c4960c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -3,7 +3,7 @@
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
-type postinstall_dexopt, domain, coredomain;
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -38,7 +38,7 @@
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
diff --git a/private/property.te b/private/property.te
index 7ebfb02..0885b91 100644
--- a/private/property.te
+++ b/private/property.te
@@ -375,6 +375,15 @@
libc_debug_prop
}:property_service set;
+# Allow the shell to set MTE props, so that non-root users with adb shell
+# access can control the settings on their device.
+neverallow {
+ -init
+ -shell
+} {
+ arm64_memtag_prop
+}:property_service set;
+
neverallow {
-init
-system_server
diff --git a/private/property_contexts b/private/property_contexts
index 32e4c5c..c1aa5e0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -127,9 +127,6 @@
vold. u:object_r:vold_prop:s0
ro.crypto. u:object_r:vold_prop:s0
-# TODO(b/141677108): Remove once true everywhere
-ro.vold.level_from_user u:object_r:vold_config_prop:s0
-
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
@@ -579,6 +576,9 @@
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+# shell-only props for ARM memory tagging (MTE).
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
@@ -818,6 +818,7 @@
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+service.bootanim.progress u:object_r:exported_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
@@ -982,6 +983,7 @@
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1090,6 +1092,6 @@
setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
-db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/service.te b/private/service.te
index 29932d2..f17fe86 100644
--- a/private/service.te
+++ b/private/service.te
@@ -2,6 +2,7 @@
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 60890c4..dd27bcf 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,13 +1,16 @@
+android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -21,6 +24,8 @@
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
@@ -98,6 +103,7 @@
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
@@ -149,6 +155,7 @@
media.resource_observer u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
+media.tuner u:object_r:mediatuner_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
@@ -199,6 +206,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
@@ -240,6 +248,7 @@
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
+transformer u:object_r:transformer_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f7206..31fdb8c 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -3,3 +3,13 @@
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/private/shell.te b/private/shell.te
index 0e94cd1..73aac1d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -168,3 +168,6 @@
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)
+
+# Allow shell to write MTE properties even on user builds.
+set_prop(shell, arm64_memtag_prop)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 99ee90f..d96b31e 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -16,3 +16,11 @@
# Reading and writing to dm-user control nodes.
allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index 90061c6..69e04d9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -290,6 +290,7 @@
mediaserver
mediaswcodec
mediatranscoding
+ mediatuner
netd
sdcardd
statsd
@@ -519,6 +520,9 @@
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
+# Manage /data/rollback.
+allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
+
# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };
@@ -778,6 +782,7 @@
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -925,6 +930,8 @@
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+# Access to /dev/dma_heap/system-secure
+allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
@@ -932,6 +939,7 @@
allow system_server {
proc_cmdline
proc_loadavg
+ proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
@@ -977,7 +985,7 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { getattr search };
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
@@ -1169,6 +1177,9 @@
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
+allow system_server watchdog_metadata_file:dir rw_dir_perms;
+allow system_server watchdog_metadata_file:file create_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
diff --git a/private/traced.te b/private/traced.te
index 2410d7e..ccb28ef 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -62,6 +62,9 @@
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
+# Allow traced to talk to statsd for logging metrics.
+unix_socket_send(traced, statsdw, statsd)
+
###
### Neverallow rules
###
diff --git a/private/traced_probes.te b/private/traced_probes.te
index c669eba..9da4d94 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -58,7 +58,7 @@
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes user_profile_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
@@ -113,6 +113,7 @@
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
+ -user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4197ddd..9bea43c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -45,7 +45,8 @@
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index d3d08bf..577ace8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -61,7 +61,7 @@
allow zygote mnt_expand_file:dir { open read search relabelto };
# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote { user_profile_data_file }:dir { mounton search };
+allow zygote user_profile_root_file:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/app.te b/public/app.te
index 40c7e71..f9c0d95 100644
--- a/public/app.te
+++ b/public/app.te
@@ -170,6 +170,7 @@
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
@@ -309,6 +310,7 @@
allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;
diff --git a/public/attributes b/public/attributes
index 5b0d019..8ba17cd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -381,3 +381,7 @@
# All types used for super partition block devices.
attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
diff --git a/public/device.te b/public/device.te
index 1acbc36..d98806a 100644
--- a/public/device.te
+++ b/public/device.te
@@ -45,7 +45,9 @@
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 108b05d..a530267 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,6 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
@@ -99,6 +100,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
+get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
@@ -680,6 +682,7 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
@@ -1200,7 +1203,6 @@
domain
-shell
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
-installd
} shell_data_file:lnk_file read;
@@ -1229,7 +1231,6 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
@@ -1241,7 +1242,6 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
} shell_data_file:file open;
# servicemanager and vndservicemanager are the only processes which handle the
diff --git a/public/dumpstate.te b/public/dumpstate.te
index fdd50d1..154b9c9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -229,7 +229,7 @@
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 021779c..ccd65e2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -37,6 +37,7 @@
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
@@ -245,6 +246,8 @@
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -295,6 +298,7 @@
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
@@ -409,6 +413,7 @@
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 3962cc8..6f45b0e 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,8 +3,6 @@
binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
-add_service(hal_audiocontrol_server, hal_audiocontrol_service)
binder_call(hal_audiocontrol_server, servicemanager)
-
-allow hal_audiocontrol_client hal_audiocontrol_service:service_manager find;
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index daf8d48..bbcdb9a 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,3 +2,6 @@
binder_call(hal_authsecret_client, hal_authsecret_server)
hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..959d1d9 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -1,9 +1,9 @@
# CAN controller
binder_call(hal_can_controller_client, hal_can_controller_server)
-add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
-allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+binder_call(hal_can_controller_server, hal_can_controller_client)
+hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
# CAN bus
binder_call(hal_can_bus_client, hal_can_bus_server)
-add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
-allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+binder_call(hal_can_bus_server, hal_can_bus_client)
+hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index cd9b5b5..7570188 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,6 +1,4 @@
binder_call(hal_keymint_client, hal_keymint_server)
-add_service(hal_keymint_server, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_keymint_service)
binder_call(hal_keymint_server, servicemanager)
-
-allow hal_keymint_client hal_keymint_service:service_manager find;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index ed93a29..30a4480 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,3 +2,6 @@
binder_call(hal_memtrack_client, hal_memtrack_server)
hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+hal_attribute_service(hal_memtrack, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 26b2b42..9f38fa5 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,3 +2,6 @@
binder_call(hal_oemlock_client, hal_oemlock_server)
hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index b989e2e..f458db6 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -3,8 +3,6 @@
binder_call(hal_power_stats_server, hal_power_stats_client)
hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
-add_service(hal_power_stats_server, hal_power_stats_service)
binder_call(hal_power_stats_server, servicemanager)
-
-allow hal_power_stats_client hal_power_stats_service:service_manager find;
diff --git a/public/init.te b/public/init.te
index 0bbeb29..59e6b4e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -16,6 +16,12 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
+
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
@@ -37,6 +43,7 @@
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
@@ -543,6 +550,9 @@
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 53acaf0..b9c7b3e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -114,15 +114,15 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index aaf4520..6f119ee 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -52,6 +52,7 @@
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
index ad9db14..4b218fb 100644
--- a/public/iorap_prefetcherd.te
+++ b/public/iorap_prefetcherd.te
@@ -39,6 +39,7 @@
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
diff --git a/public/keystore.te b/public/keystore.te
index 3fac95f..564e9f3 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -15,6 +15,8 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 1978aa3..d32b9d9 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -120,6 +120,7 @@
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 8e35225..5726842 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -24,3 +24,4 @@
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/property.te b/public/property.te
index c949cd7..151983f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -55,6 +55,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
diff --git a/public/radio.te b/public/radio.te
index 6ec0086..e03b706 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -11,7 +11,8 @@
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 9159e6b..072de79 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,4 +1,5 @@
type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -16,6 +17,7 @@
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
+type keystore_compat_hal_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -108,6 +110,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
@@ -166,6 +169,7 @@
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -189,6 +193,7 @@
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -220,6 +225,7 @@
### HAL Services
###
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
@@ -227,6 +233,8 @@
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8e58e42..6dd5bd7 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,11 +1,2 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index 65b7b34..1966f20 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -594,6 +594,7 @@
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
@@ -692,40 +693,9 @@
###################################
# can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd.
-#
-# Note that profiling is performed differently between debug and user builds.
-# There are two modes for profiling:
-# * forked
-# * central.
-# On user builds, the default is to allow only forked mode. If it is desired
-# to allow central mode as well for a domain, use can_profile_heap_central.
-# On userdebug, this macro allows both forked and central.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
-
- # Allow executing a private heapprofd process to handle profiling on
- # user builds (also debug builds for testing & development purposes).
- allow $1 heapprofd_exec:file rx_file_perms;
-
- # Allow directory & file read to the central heapprofd daemon, as it scans
- # /proc/[pid]/cmdline for by-process-name profiling configs.
- # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
- allow heapprofd $1:file r_file_perms;
- allow heapprofd $1:dir r_dir_perms;
-
- # Profilability on user implies profilability on userdebug and eng.
- userdebug_or_eng(`
- can_profile_heap_central($1)
- ')
-')
-
-###################################
-# can_profile_heap_central(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
-define(`can_profile_heap_central', `
+define(`can_profile_heap', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
diff --git a/public/vold.te b/public/vold.te
index 737d215..9ec6bd1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -153,7 +153,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
@@ -280,7 +280,7 @@
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 5597f14..edd1708 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -82,6 +82,10 @@
]
return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
exceptions)
+def TestDmaHeapDevTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
+ "dmabuf_heap_device_type")
+
###
@@ -111,6 +115,7 @@
"TestCoreDataTypeViolations",
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
+ "TestDmaHeapDevTypeViolations",
]
if __name__ == '__main__':
@@ -168,6 +173,8 @@
results += TestPropertyTypeViolations(pol)
if options.test is None or "TestAppDataTypeViolations" in options.test:
results += TestAppDataTypeViolations(pol)
+ if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
+ results += TestDmaHeapDevTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 49ba272..dd351cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -49,12 +49,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service u:object_r:hal_keymaster_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
@@ -69,6 +69,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_oemlock_default.te b/vendor/hal_oemlock_default.te
new file mode 100644
index 0000000..8597f2c
--- /dev/null
+++ b/vendor/hal_oemlock_default.te
@@ -0,0 +1,5 @@
+type hal_oemlock_default, domain;
+hal_server_domain(hal_oemlock_default, hal_oemlock)
+
+type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_oemlock_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index dcb03a8..56a47b7 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -7,6 +7,4 @@
init_daemon_domain(hal_vehicle_default)
# communication with CAN bus HAL
-allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
-allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
-allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
+hal_client_domain(hal_vehicle_default, hal_can_bus)