Merge "Allow binder to send signals to hal_neuralnetworks_service"
diff --git a/OWNERS b/OWNERS
index d7cde74..a0326af 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,6 +2,7 @@
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
+inseob@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 88c07fa..5de6122 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -44,7 +44,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 230fdc3..5cc73f9 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -87,6 +87,15 @@
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
+
+ // TODO(b/183362912): Patch secilc to handle empty cil files.
+ // Put a header so that the generated cil mustn't be empty.
+ header := android.PathForModuleGen(ctx, c.Name()+"_header")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
+ rule.Build(c.Name()+"_header", "Generate cil header")
+ srcPaths = append(android.Paths{header}, srcPaths...)
+
ctx.Build(pctx, android.BuildParams{
Rule: android.Cat,
Inputs: srcPaths,
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 700f8e0..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
@@ -80,12 +80,12 @@
return fg.systemReqdMaskSrcs
}
-// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
return fg.systemExtPublicSrcs
}
-// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
return fg.systemExtPrivateSrcs
}
diff --git a/private/app.te b/private/app.te
index 0c81515..126f11f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -34,6 +34,9 @@
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e5681de..3bf3a13 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -18,6 +18,7 @@
appcompat_data_file
arm64_memtag_prop
authorization_service
+ camerax_extensions_prop
cgroup_desc_api_file
cgroup_v2
codec2_config_prop
@@ -125,6 +126,7 @@
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
+ uwb_service
vcn_management_service
vendor_kernel_modules
vibrator_manager_service
diff --git a/private/property_contexts b/private/property_contexts
index c7d6743..34efaac 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -323,6 +323,8 @@
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
# Should always_debuggable be bool? It's checked against the string "1".
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index a4179b5..728df40 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -284,6 +284,7 @@
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
+uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 58322b8..48d5f9d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -21,9 +21,6 @@
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d57939b..6064c14 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -84,10 +84,6 @@
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;
diff --git a/public/app.te b/public/app.te
index af19d10..ae8d7fd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -592,3 +592,6 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/property.te b/public/property.te
index 8cae47c..caa705a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -122,6 +122,7 @@
system_vendor_config_prop(build_vendor_prop)
system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
diff --git a/public/service.te b/public/service.te
index 0b4f8e9..8632887 100644
--- a/public/service.te
+++ b/public/service.te
@@ -220,6 +220,7 @@
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index cefc44d..074ff2e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -18,6 +18,7 @@
vndbinder_use(su)
dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 25d0dcb..a8f9418 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -223,6 +223,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)