Merge "microdroid: Allow payload read /proc/meminfo"
diff --git a/Android.bp b/Android.bp
index 5909f8d..677c014 100644
--- a/Android.bp
+++ b/Android.bp
@@ -44,177 +44,6 @@
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
-se_build_files {
- name: "28.0.board.compat.map",
- srcs: [
- "compat/28.0/28.0.cil",
- ],
-}
-
-se_build_files {
- name: "29.0.board.compat.map",
- srcs: [
- "compat/29.0/29.0.cil",
- ],
-}
-
-se_build_files {
- name: "30.0.board.compat.map",
- srcs: [
- "compat/30.0/30.0.cil",
- ],
-}
-
-se_build_files {
- name: "31.0.board.compat.map",
- srcs: [
- "compat/31.0/31.0.cil",
- ],
-}
-
-se_build_files {
- name: "32.0.board.compat.map",
- srcs: [
- "compat/32.0/32.0.cil",
- ],
-}
-
-se_build_files {
- name: "33.0.board.compat.map",
- srcs: [
- "compat/33.0/33.0.cil",
- ],
-}
-
-se_build_files {
- name: "28.0.board.compat.cil",
- srcs: [
- "compat/28.0/28.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "29.0.board.compat.cil",
- srcs: [
- "compat/29.0/29.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "30.0.board.compat.cil",
- srcs: [
- "compat/30.0/30.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "31.0.board.compat.cil",
- srcs: [
- "compat/31.0/31.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "32.0.board.compat.cil",
- srcs: [
- "compat/32.0/32.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "33.0.board.compat.cil",
- srcs: [
- "compat/33.0/33.0.compat.cil",
- ],
-}
-
-se_build_files {
- name: "28.0.board.ignore.map",
- srcs: [
- "compat/28.0/28.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "29.0.board.ignore.map",
- srcs: [
- "compat/29.0/29.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "30.0.board.ignore.map",
- srcs: [
- "compat/30.0/30.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "31.0.board.ignore.map",
- srcs: [
- "compat/31.0/31.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "32.0.board.ignore.map",
- srcs: [
- "compat/32.0/32.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "33.0.board.ignore.map",
- srcs: [
- "compat/33.0/33.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "file_contexts_files",
- srcs: ["file_contexts"],
-}
-
-se_build_files {
- name: "file_contexts_asan_files",
- srcs: ["file_contexts_asan"],
-}
-
-se_build_files {
- name: "file_contexts_overlayfs_files",
- srcs: ["file_contexts_overlayfs"],
-}
-
-se_build_files {
- name: "hwservice_contexts_files",
- srcs: ["hwservice_contexts"],
-}
-
-se_build_files {
- name: "property_contexts_files",
- srcs: ["property_contexts"],
-}
-
-se_build_files {
- name: "service_contexts_files",
- srcs: ["service_contexts"],
-}
-
-se_build_files {
- name: "keystore2_key_contexts_files",
- srcs: ["keystore2_key_contexts"],
-}
-
-se_build_files {
- name: "seapp_contexts_files",
- srcs: ["seapp_contexts"],
-}
-
-se_build_files {
- name: "vndservice_contexts_files",
- srcs: ["vndservice_contexts"],
-}
-
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
diff --git a/Android.mk b/Android.mk
index 50c265d..21bc6a9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -660,7 +660,6 @@
file_contexts.modules.tmp :=
##################################
-include $(LOCAL_PATH)/mac_permissions.mk
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index d1cead3..99dd662 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,6 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
+ "mac_permissions.go",
"policy.go",
"selinux.go",
"selinux_contexts.go",
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 6cc40c6..383a282 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -92,10 +92,10 @@
func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
b.srcs = make(map[string]android.Paths)
- b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
- b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "reqd_mask"))
+ b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "public"))
+ b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "private"))
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "vendor"))
b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
@@ -117,8 +117,8 @@
// use vendor-supplied plat prebuilts
b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+ b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+ b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
@@ -127,8 +127,8 @@
// directories used for compat tests and Treble tests
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
- b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+ b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
+ b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/go.mod b/build/soong/go.mod
new file mode 100644
index 0000000..37bc985
--- /dev/null
+++ b/build/soong/go.mod
@@ -0,0 +1,23 @@
+module android/soong/sepolicy
+
+require (
+ android/soong v0.0.0
+ github.com/google/blueprint v0.0.0
+ golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
+)
+
+replace android/soong v0.0.0 => ../../../../build/soong
+
+replace google.golang.org/protobuf v0.0.0 => ../../../../external/golang-protobuf
+
+replace github.com/google/blueprint v0.0.0 => ../../../../build/blueprint
+
+// Indirect deps from golang-protobuf
+exclude github.com/golang/protobuf v1.5.0
+
+replace github.com/google/go-cmp v0.5.5 => ../../../../external/go-cmp
+
+// Indirect dep from go-cmp
+exclude golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
+
+go 1.13
diff --git a/build/soong/go.sum b/build/soong/go.sum
new file mode 100644
index 0000000..cbe76d9
--- /dev/null
+++ b/build/soong/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
diff --git a/build/soong/mac_permissions.go b/build/soong/mac_permissions.go
new file mode 100644
index 0000000..9615d12
--- /dev/null
+++ b/build/soong/mac_permissions.go
@@ -0,0 +1,144 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "io"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+var (
+ // Should be synced with keys.conf.
+ AllPlatformKeys = []string{
+ "platform",
+ "sdk_sandbox",
+ "media",
+ "networkstack",
+ "shared",
+ "testkey",
+ "bluetooth",
+ }
+)
+
+type macPermissionsProperties struct {
+ // keys.conf files to control the mapping of "tags" found in the mac_permissions.xml files.
+ Keys []string `android:"path"`
+
+ // Source files for the generated mac_permissions.xml file.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name
+ Stem *string
+}
+
+type macPermissionsModule struct {
+ android.ModuleBase
+
+ properties macPermissionsProperties
+ outputPath android.ModuleOutPath
+ installPath android.InstallPath
+}
+
+func init() {
+ android.RegisterModuleType("mac_permissions", macPermissionsFactory)
+}
+
+func getAllPlatformKeyPaths(ctx android.ModuleContext) android.Paths {
+ var platformKeys android.Paths
+
+ defaultCertificateDir := ctx.Config().DefaultAppCertificateDir(ctx)
+ for _, key := range AllPlatformKeys {
+ platformKeys = append(platformKeys, defaultCertificateDir.Join(ctx, key+".x509.pem"))
+ }
+
+ return platformKeys
+}
+
+func (m *macPermissionsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *macPermissionsModule) stem() string {
+ return proptools.StringDefault(m.properties.Stem, m.Name())
+}
+
+func buildVariant(ctx android.ModuleContext) string {
+ if ctx.Config().Eng() {
+ return "eng"
+ }
+ if ctx.Config().Debuggable() {
+ return "userdebug"
+ }
+ return "user"
+}
+
+func (m *macPermissionsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ platformKeys := getAllPlatformKeyPaths(ctx)
+ keys := android.PathsForModuleSrc(ctx, m.properties.Keys)
+ srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+
+ m4Keys := android.PathForModuleGen(ctx, "mac_perms_keys.tmp")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Text("--fatal-warnings -s").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Inputs(keys).
+ FlagWithOutput("> ", m4Keys).
+ Implicits(platformKeys)
+
+ m.outputPath = android.PathForModuleOut(ctx, m.stem())
+ rule.Command().Text("DEFAULT_SYSTEM_DEV_CERTIFICATE="+ctx.Config().DefaultAppCertificateDir(ctx).String()).
+ Text("MAINLINE_SEPOLICY_DEV_CERTIFICATES="+ctx.Config().MainlineSepolicyDevCertificatesDir(ctx).String()).
+ BuiltTool("insertkeys").
+ FlagWithArg("-t ", buildVariant(ctx)).
+ Input(m4Keys).
+ FlagWithOutput("-o ", m.outputPath).
+ Inputs(srcs)
+
+ rule.Build("mac_permission", "build "+m.Name())
+
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+}
+
+func (m *macPermissionsModule) AndroidMk() android.AndroidMkData {
+ return android.AndroidMkData{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(m.outputPath),
+ Extra: []android.AndroidMkExtraFunc{
+ func(w io.Writer, outputFile android.Path) {
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
+ },
+ },
+ }
+}
+
+// mac_permissions module generates a mac_permissions.xml file from given keys.conf and
+// source files. The following variables are supported for keys.conf files.
+//
+// DEFAULT_SYSTEM_DEV_CERTIFICATE
+// MAINLINE_SEPOLICY_DEV_CERTIFICATES
+func macPermissionsFactory() android.Module {
+ m := &macPermissionsModule{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
diff --git a/compat/Android.bp b/compat/Android.bp
index 2370c7b..895b5e7 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -23,6 +23,132 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+se_build_files {
+ name: "28.0.board.compat.map",
+ srcs: [
+ "compat/28.0/28.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.compat.map",
+ srcs: [
+ "compat/29.0/29.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.compat.map",
+ srcs: [
+ "compat/30.0/30.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.compat.map",
+ srcs: [
+ "compat/31.0/31.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.compat.map",
+ srcs: [
+ "compat/32.0/32.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.compat.map",
+ srcs: [
+ "compat/33.0/33.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "28.0.board.compat.cil",
+ srcs: [
+ "compat/28.0/28.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.compat.cil",
+ srcs: [
+ "compat/29.0/29.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.compat.cil",
+ srcs: [
+ "compat/30.0/30.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.compat.cil",
+ srcs: [
+ "compat/31.0/31.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.compat.cil",
+ srcs: [
+ "compat/32.0/32.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.compat.cil",
+ srcs: [
+ "compat/33.0/33.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "28.0.board.ignore.map",
+ srcs: [
+ "compat/28.0/28.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.ignore.map",
+ srcs: [
+ "compat/29.0/29.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.ignore.map",
+ srcs: [
+ "compat/30.0/30.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.ignore.map",
+ srcs: [
+ "compat/31.0/31.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.ignore.map",
+ srcs: [
+ "compat/32.0/32.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.ignore.map",
+ srcs: [
+ "compat/33.0/33.0.ignore.cil",
+ ],
+}
+
se_cil_compat_map {
name: "plat_28.0.cil",
stem: "28.0.cil",
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 2a5a058..04a0c11 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -23,6 +23,51 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+se_build_files {
+ name: "file_contexts_files",
+ srcs: ["file_contexts"],
+}
+
+se_build_files {
+ name: "file_contexts_asan_files",
+ srcs: ["file_contexts_asan"],
+}
+
+se_build_files {
+ name: "file_contexts_overlayfs_files",
+ srcs: ["file_contexts_overlayfs"],
+}
+
+se_build_files {
+ name: "hwservice_contexts_files",
+ srcs: ["hwservice_contexts"],
+}
+
+se_build_files {
+ name: "property_contexts_files",
+ srcs: ["property_contexts"],
+}
+
+se_build_files {
+ name: "service_contexts_files",
+ srcs: ["service_contexts"],
+}
+
+se_build_files {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
+}
+
+se_build_files {
+ name: "vndservice_contexts_files",
+ srcs: ["vndservice_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files{.plat_private}"],
diff --git a/mac_permissions.mk b/mac_permissions.mk
deleted file mode 100644
index ad17b8f..0000000
--- a/mac_permissions.mk
+++ /dev/null
@@ -1,175 +0,0 @@
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
-
-# Build keys.conf
-plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
-$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_plat_mac_perms_keys)
-$(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-# Should be synced with keys.conf.
-all_plat_keys := platform sdk_sandbox media networkstack shared testkey bluetooth
-all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_plat_mac_perms_files) $(all_plat_keys)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-all_plat_keys :=
-all_plat_mac_perms_files :=
-all_plat_mac_perms_keys :=
-plat_mac_perms_keys.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_system_ext_mac_perms_keys := $(call build_policy, keys.conf, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_system_ext_mac_perms_files := $(call build_policy, mac_permissions.xml, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
-$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_system_ext_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-system_ext_mac_perms_keys.tmp :=
-all_system_ext_mac_perms_files :=
-all_system_ext_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_product_mac_perms_keys := $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
-$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_product_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-product_mac_perms_keys.tmp :=
-all_product_mac_perms_files :=
-all_product_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-# Build keys.conf
-vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
-$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_vendor_mac_perms_keys)
-$(vendor_mac_perms_keys.tmp): $(all_vendor_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_vendor_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-vendor_mac_perms_keys.tmp :=
-all_vendor_mac_perms_files :=
-all_vendor_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_odm_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
-$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_odm_mac_perms_keys)
-$(odm_mac_perms_keys.tmp): $(all_odm_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_odm_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-odm_mac_perms_keys.tmp :=
-all_odm_mac_perms_files :=
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
new file mode 100644
index 0000000..3a35814
--- /dev/null
+++ b/mac_permissions/Android.bp
@@ -0,0 +1,89 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for mac_permissions.xml files.
+
+se_build_files {
+ name: "keys.conf",
+ srcs: ["keys.conf"],
+}
+
+se_build_files {
+ name: "mac_permissions.xml",
+ srcs: ["mac_permissions.xml"],
+}
+
+mac_permissions {
+ name: "plat_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.plat_private}",
+ ":keys.conf{.system_ext_private}",
+ ":keys.conf{.product_private}",
+ ],
+ srcs: [":mac_permissions.xml{.plat_private}"],
+}
+
+mac_permissions {
+ name: "system_ext_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.system_ext_private}",
+ ":keys.conf{.reqd_mask}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.system_ext_private}",
+ ":mac_permissions.xml{.reqd_mask}",
+ ],
+ system_ext_specific: true,
+}
+
+mac_permissions {
+ name: "product_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.product_private}",
+ ":keys.conf{.reqd_mask}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.product_private}",
+ ":mac_permissions.xml{.reqd_mask}",
+ ],
+ product_specific: true,
+}
+
+mac_permissions {
+ name: "vendor_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.vendor}",
+ ":keys.conf{.reqd_mask_for_vendor}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.vendor}",
+ ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ],
+ vendor: true,
+}
+
+mac_permissions {
+ name: "odm_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.odm}",
+ ":keys.conf{.reqd_mask_for_vendor}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.odm}",
+ ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ],
+ device_specific: true,
+}
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 386f11e..26dffe5 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,9 +2,6 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
-# Expose RPC Binder service over vsock
-allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
# Allow using various binder services
binder_use(compos);
allow compos authfs_binder_service:service_manager find;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 83eceb0..cd1961f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -123,6 +123,7 @@
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
/system/bin/authfs u:object_r:authfs_exec:s0
/system/bin/authfs_service u:object_r:authfs_service_exec:s0
+/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
new file mode 100644
index 0000000..c0ab735
--- /dev/null
+++ b/microdroid/system/private/kexec.te
@@ -0,0 +1,12 @@
+# kexec loads a crashdump kernel into memory using the kexec_file_load syscall.
+type kexec, domain, coredomain;
+type kexec_exec, exec_type, file_type, system_file_type;
+
+# allow kexec to write into /dev/kmsg for logging
+allow kexec kmsg_device:chr_file w_file_perms;
+
+# kexec is launched by microdroid_manager with fork/execvp.
+allow kexec microdroid_manager:fd use;
+
+# allow kexec to have SYS_BOOT
+allow kexec self:capability sys_boot;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 8f4b2c1..d4ad862 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -33,6 +33,9 @@
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+# Allow microdroid_manager to run kexec to load crashkernel
+domain_auto_trans(microdroid_manager, kexec_exec, kexec)
+
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
@@ -76,6 +79,10 @@
# that is different from what is recorded in the instance.img file.
allow microdroid_manager proc_bootconfig:file r_file_perms;
+# microdroid_manager needs to read /proc/cmdline to see if crashkernel= parameter is set
+# or not; if set, it executes kexec to load the crashkernel into memory.
+allow microdroid_manager proc_cmdline:file r_file_perms;
+
# Allow microdroid_manager to read/write failure serial device
allow microdroid_manager serial_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index a4d5553..fd36b02 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,15 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
+neverallow microdroid_manager {
+ domain
+ -crash_dump
+ -microdroid_payload
+ -apkdmverity
+ -zipfuse
+ -kexec
+}:process transition;
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 7afa114..7d351a9 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
# All types used for processes.
attribute domain;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index e943a6d..a032401 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -12,6 +12,8 @@
permissive_mte_prop
servicemanager_prop
system_net_netd_service
+ tuner_config_prop
+ tuner_server_ctl_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
))
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 246f936..36d2938 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,11 +41,14 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(heapprofd, apex_art_data_file)
+allow heapprofd apex_module_data_file:dir { getattr search };
+
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 413d2e5..bfb264e 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -17,6 +17,9 @@
allow mediatuner package_native_service:service_manager find;
binder_call(mediatuner, system_server)
+# Read ro.tuner.lazyhal
+get_prop(mediatuner, tuner_config_prop)
+
###
### neverallow rules
###
diff --git a/private/property.te b/private/property.te
index 871b673..ddb427d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -38,6 +38,7 @@
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 7ded7cc..5cf27aa 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -695,6 +695,7 @@
sys.usb.config. u:object_r:usb_prop:s0
sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
+sys.usb.ffs.io_uring_enabled u:object_r:ffs_config_prop:s0 exact bool
sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
@@ -1421,3 +1422,7 @@
vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+
+# properties for tuner
+ro.tuner.lazyhal u:object_r:tuner_config_prop:s0 exact bool
+tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index aa90983..0e9d4e8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,5 +1,6 @@
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index a7be343..b783446 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -820,6 +820,11 @@
# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)
+# Read ro.tuner.lazyhal
+get_prop(system_server, tuner_config_prop)
+# Write tuner.server.enable
+set_prop(system_server, tuner_server_ctl_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -1291,6 +1296,13 @@
device_config_window_manager_native_boot_prop
}:property_service set;
+# Only allow system_server and init to set tuner_server_ctl_prop
+neverallow {
+ domain
+ -system_server
+ -init
+} tuner_server_ctl_prop:property_service set;
+
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 96a7263..811bf48 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,10 +28,12 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(traced_perf, apex_art_data_file)
+allow traced_perf apex_module_data_file:dir { getattr search };
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
diff --git a/public/attributes b/public/attributes
index f34ac41..aeed208 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;
@@ -74,9 +71,6 @@
# All types used for sysfs files.
attribute sysfs_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute sysfs_block_type;
-
# All types use for debugfs files.
attribute debugfs_type;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index aee283a..193b05a 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -13,3 +13,6 @@
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
allow hal_dumpstate proc_interrupts:file r_file_perms;
+
+# Log fsck results
+r_dir_file(hal_dumpstate, fscklogs)
diff --git a/public/property.te b/public/property.te
index b6c365d..4bdf74f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -181,6 +181,7 @@
system_vendor_config_prop(zram_config_prop)
system_vendor_config_prop(zygote_config_prop)
system_vendor_config_prop(dck_prop)
+system_vendor_config_prop(tuner_config_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/te_macros b/public/te_macros
index 4dd510a..78e7636 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -202,6 +202,8 @@
allow $1 virtualizationservice:vsock_socket { getattr read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
+# Allow client to read (but not open) the crashdump provided by virtualizationservice
+allow $1 virtualizationservice_data_file:file { getattr read };
')
#####################################
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3646d4b..1cff892 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.effect\.service-aidl\.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
@@ -92,7 +93,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)? u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index 639c7bd..e11d4dd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -8,3 +8,6 @@
# Access to /dev/dma_heap/system
allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow servicemanager to notify hal_tv_tuner_default clients status
+binder_use(hal_tv_tuner_default)