Merge "Remove the bdev_type and sysfs_block_type SELinux attributes"
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 89fa02f..1066367 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -51,6 +51,8 @@
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fuse u:object_r:fuse_device:s0
+/dev/hvc0 u:object_r:serial_device:s0
+/dev/hvc1 u:object_r:serial_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
new file mode 100644
index 0000000..be6e42a
--- /dev/null
+++ b/microdroid/system/private/logcat.te
@@ -0,0 +1,15 @@
+# logcat in Microdroid runs as a daemon process. It reads logs from logd and
+# emits the logs to the virtual serial console.
+typeattribute logcat coredomain;
+
+# logcat can be executed from init
+init_daemon_domain(logcat)
+
+# logcat can append to the virtual console devices
+allow logcat device:dir r_dir_perms;
+allow logcat serial_device:chr_file ra_file_perms;
+
+# logcat can get logs from logd
+read_logd(logcat)
+
+allow logcat self:global_capability_class_set { sys_nice };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index caee216..0865727 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -52,6 +52,7 @@
# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_seriallogging_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Allow microdroid_manager to wait for linkerconfig to be ready
@@ -60,4 +61,9 @@
# Allow microdroid_manager to pass the roothash to apkdmverity
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+# Allow microdroid_manager to read sysprops from bootconfigs. It will use the
+# sysprops to decide whether services required for debugging (adbd, logd, etc.)
+# need to be started or not.
+get_prop(microdroid_manager, bootloader_prop)
+
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 93ba1b5..c92a595 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -23,9 +23,10 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
-ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
-ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
@@ -90,11 +91,13 @@
init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
index 902fd8a..cf2bb7e 100644
--- a/microdroid/system/public/logcat.te
+++ b/microdroid/system/public/logcat.te
@@ -1,2 +1,2 @@
-type logcat;
+type logcat, domain;
type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 45b4151..f98d87f 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -17,6 +17,7 @@
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
type ctl_restart_prop, property_type;
+type ctl_seriallogging_prop, property_type;
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 7decba1..179592d 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -13,6 +13,7 @@
extra_free_kbytes_exec
hal_contexthub_service
hal_graphics_composer_service
+ hal_health_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/property_contexts b/private/property_contexts
index 5d4c3b7..54eb0a4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -542,6 +542,7 @@
ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.use_new_strategy u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
lmkd.reinit u:object_r:lmkd_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index b9ab85d..40977f2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -6,6 +6,7 @@
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
+android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
diff --git a/public/hal_health.te b/public/hal_health.te
index dc7d083..e2a6a60 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -3,6 +3,7 @@
binder_call(hal_health_server, hal_health_client)
hal_attribute_hwservice(hal_health, hal_health_hwservice)
+hal_attribute_service(hal_health, hal_health_service)
# Common rules for a health service.
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 3254f11..cd15910 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,6 +8,8 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
} self:global_capability_class_set { net_admin net_raw };
@@ -26,6 +28,8 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
} domain:{ udp_socket rawip_socket } *;
diff --git a/public/service.te b/public/service.te
index a821941..3462426 100644
--- a/public/service.te
+++ b/public/service.te
@@ -261,6 +261,7 @@
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
+type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 8bb422a..3f97268 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -9,7 +9,6 @@
#include <sys/stat.h>
#include <cil/android.h>
#include <cil/cil.h>
-#include <cil/cil_write_ast.h>
void __attribute__ ((noreturn)) static usage(char *prog) {
printf("Usage: %s [OPTION]...\n", prog);
@@ -90,6 +89,7 @@
char *num = NULL;
char *dot;
char *output = NULL;
+ FILE *output_file = NULL;
struct cil_db *base_db = NULL;
struct cil_db *out_db = NULL;
@@ -177,11 +177,21 @@
goto exit;
}
}
- rc = cil_write_ast(out_db, output);
- if (rc != SEPOL_OK) {
+
+ output_file = fopen(output, "we");
+ if (!output_file) {
+ fprintf(stderr, "Could not open file: %s\n", output);
goto exit;
}
+ rc = cil_write_build_ast(output_file, out_db);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to write AST\n");
+ goto build_err;
+ }
+
+build_err:
+ fclose(output_file);
exit:
free(base);
free(tgt_policy);
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 59694ec..a2587e1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -44,6 +44,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health-service\.example u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0