Merge "Allow shell to read default fstab"
diff --git a/Android.bp b/Android.bp
index 15adf7e..ed766e4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -80,6 +80,41 @@
 }
 
 se_filegroup {
+    name: "26.0.board.compat.cil",
+    srcs: [
+        "compat/26.0/26.0.compat.cil",
+    ],
+}
+
+se_filegroup {
+    name: "27.0.board.compat.cil",
+    srcs: [
+        "compat/27.0/27.0.compat.cil",
+    ],
+}
+
+se_filegroup {
+    name: "28.0.board.compat.cil",
+    srcs: [
+        "compat/28.0/28.0.compat.cil",
+    ],
+}
+
+se_filegroup {
+    name: "29.0.board.compat.cil",
+    srcs: [
+        "compat/29.0/29.0.compat.cil",
+    ],
+}
+
+se_filegroup {
+    name: "30.0.board.compat.cil",
+    srcs: [
+        "compat/30.0/30.0.compat.cil",
+    ],
+}
+
+se_filegroup {
     name: "26.0.board.ignore.map",
     srcs: [
         "compat/26.0/26.0.ignore.cil",
@@ -259,34 +294,64 @@
     // top_half: "31.0.ignore.cil",
 }
 
-prebuilt_etc {
+se_compat_cil {
     name: "26.0.compat.cil",
-    src: "private/compat/26.0/26.0.compat.cil",
-    sub_dir: "selinux/mapping",
+    srcs: [":26.0.board.compat.cil"],
 }
 
-prebuilt_etc {
+se_compat_cil {
     name: "27.0.compat.cil",
-    src: "private/compat/27.0/27.0.compat.cil",
-    sub_dir: "selinux/mapping",
+    srcs: [":27.0.board.compat.cil"],
 }
 
-prebuilt_etc {
+se_compat_cil {
     name: "28.0.compat.cil",
-    src: "private/compat/28.0/28.0.compat.cil",
-    sub_dir: "selinux/mapping",
+    srcs: [":28.0.board.compat.cil"],
 }
 
-prebuilt_etc {
+se_compat_cil {
     name: "29.0.compat.cil",
-    src: "private/compat/29.0/29.0.compat.cil",
-    sub_dir: "selinux/mapping",
+    srcs: [":29.0.board.compat.cil"],
 }
 
-prebuilt_etc {
+se_compat_cil {
     name: "30.0.compat.cil",
-    src: "private/compat/30.0/30.0.compat.cil",
-    sub_dir: "selinux/mapping",
+    srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+    name: "system_ext_26.0.compat.cil",
+    srcs: [":26.0.board.compat.cil"],
+    stem: "26.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_27.0.compat.cil",
+    srcs: [":27.0.board.compat.cil"],
+    stem: "27.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_28.0.compat.cil",
+    srcs: [":28.0.board.compat.cil"],
+    stem: "28.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_29.0.compat.cil",
+    srcs: [":29.0.board.compat.cil"],
+    stem: "29.0.compat.cil",
+    system_ext_specific: true,
+}
+
+se_compat_cil {
+    name: "system_ext_30.0.compat.cil",
+    srcs: [":30.0.board.compat.cil"],
+    stem: "30.0.compat.cil",
+    system_ext_specific: true,
 }
 
 se_filegroup {
diff --git a/Android.mk b/Android.mk
index 767a864..7e0e02e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -458,6 +458,7 @@
     system_ext_service_contexts \
     system_ext_service_contexts_test \
     system_ext_mac_permissions.xml \
+    $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
 
 endif
 
diff --git a/OWNERS b/OWNERS
index d7cde74..a0326af 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,6 +2,7 @@
 alanstokes@google.com
 bowgotsai@google.com
 cbrubaker@google.com
+inseob@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index aa6ad71..6a52fe5 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -33,6 +33,7 @@
     srcs: [
         "build_files.go",
         "cil_compat_map.go",
+        "compat_cil.go",
         "filegroup.go",
         "policy.go",
         "selinux.go",
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 88c07fa..5de6122 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -44,7 +44,7 @@
 	// system/sepolicy/{public, private, vendor, reqd_mask}
 	// and directories specified by following config variables:
 	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
-	// BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+	// SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
 	Srcs []string
 }
 
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
new file mode 100644
index 0000000..5cc73f9
--- /dev/null
+++ b/build/soong/compat_cil.go
@@ -0,0 +1,122 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"github.com/google/blueprint/proptools"
+
+	"android/soong/android"
+)
+
+func init() {
+	android.RegisterModuleType("se_compat_cil", compatCilFactory)
+}
+
+// se_compat_cil collects and installs backwards compatibility cil files.
+func compatCilFactory() android.Module {
+	c := &compatCil{}
+	c.AddProperties(&c.properties)
+	android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+	return c
+}
+
+type compatCil struct {
+	android.ModuleBase
+	properties    compatCilProperties
+	installSource android.Path
+	installPath   android.InstallPath
+}
+
+type compatCilProperties struct {
+	// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+	Srcs []string
+
+	// Output file name. Defaults to module name if unspecified.
+	Stem *string
+}
+
+func (c *compatCil) stem() string {
+	return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
+	srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
+	for _, src := range c.properties.Srcs {
+		if m := android.SrcIsModule(src); m != "" {
+			module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
+			if module == nil {
+				// Error would have been handled by ExtractSourcesDeps
+				continue
+			}
+			if fg, ok := module.(*fileGroup); ok {
+				if c.SystemExtSpecific() {
+					srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+				} else {
+					srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+				}
+			} else {
+				ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+			}
+		} else {
+			srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+		}
+	}
+	return srcPaths
+}
+
+func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
+	android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+}
+
+func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
+		ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
+	}
+
+	srcPaths := c.expandSeSources(ctx)
+	out := android.PathForModuleGen(ctx, c.Name())
+
+	// TODO(b/183362912): Patch secilc to handle empty cil files.
+	// Put a header so that the generated cil mustn't be empty.
+	header := android.PathForModuleGen(ctx, c.Name()+"_header")
+	rule := android.NewRuleBuilder(pctx, ctx)
+	rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
+	rule.Build(c.Name()+"_header", "Generate cil header")
+	srcPaths = append(android.Paths{header}, srcPaths...)
+
+	ctx.Build(pctx, android.BuildParams{
+		Rule:        android.Cat,
+		Inputs:      srcPaths,
+		Output:      out,
+		Description: "Combining compat cil for " + c.Name(),
+	})
+
+	c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+	c.installSource = out
+	ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+	return []android.AndroidMkEntries{android.AndroidMkEntries{
+		Class:      "ETC",
+		OutputFile: android.OptionalPathForPath(c.installSource),
+		ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+			func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+				entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+				entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+			},
+		},
+	}}
+}
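Review bot: GenerateAndroidBuildActions reports the partition mismatch through ctx.ModuleErrorf and then keeps going, emitting the header rule, the cat action and the install for a module it has just rejected; returning right after the error keeps the rejected path from producing build actions, i.e. `ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")` followed by `return`. The compatCil type and its exported methods DepsMutator, GenerateAndroidBuildActions and AndroidMkEntries have no doc comments, which Go convention expects for exported names; one line each is enough, e.g. `// GenerateAndroidBuildActions concatenates the expanded sources behind a one-line ";; <stem>" header and installs the result under etc/selinux/mapping.` In AndroidMkEntries the literal `[]android.AndroidMkEntries{android.AndroidMkEntries{` repeats the element type; gofmt -s would reduce it to `[]android.AndroidMkEntries{{`.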
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 700f8e0..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
 	// system/sepolicy/{public, private, vendor, reqd_mask}
 	// and directories specified by following config variables:
 	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
-	// BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+	// SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
 	Srcs []string
 }
 
@@ -80,12 +80,12 @@
 	return fg.systemReqdMaskSrcs
 }
 
-// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
 func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
 	return fg.systemExtPublicSrcs
 }
 
-// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
 func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
 	return fg.systemExtPrivateSrcs
 }
diff --git a/private/adbd.te b/private/adbd.te
index f569ad2..3fc77a2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -209,6 +209,10 @@
 allow adbd vendor_apex_file:dir search;
 allow adbd vendor_apex_file:file r_file_perms;
 
+# Allow adb pull of updated apex files in /data/apex/active.
+allow adbd apex_data_file:dir search;
+allow adbd staging_data_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
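Review bot: The new allow grants adbd read on every file labeled staging_data_file, while the comment scopes it to updated apex files in /data/apex/active; if that label also covers files that are still being staged before apexd processes them (as the neverallow comment in private/domain.te suggests), the rule is wider than described and the comment should say so. The matching change in private/domain.te removes adbd from the `staging_data_file:file *` neverallow entirely rather than only for read; unless the file-permission neverallow that follows it (outside that hunk) already keeps adbd from writing, a narrow companion such as `neverallow adbd staging_data_file:file no_w_file_perms;` would pin the read-only intent. Suggested comment for the allow: `# Allow adb pull of staged/updated apex files (all of staging_data_file); read-only, see the neverallow in domain.te.`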
diff --git a/private/app.te b/private/app.te
index 0c81515..126f11f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -34,6 +34,9 @@
 # Apps should not be reading vendor-defined properties.
 dontaudit appdomain vendor_default_prop:file read;
 
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
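Review bot: Moving `mnt_media_rw_file:dir search` from untrusted_app_all and system_app onto appdomain widens the grant to every app domain, including ones neither original rule covered, and the removed untrusted_app_all comment carried a TODO to narrow this to MediaProvider that is now dropped rather than resolved. The new comment leans on DAC (the external_storage gid) as the only limit; since the SELinux side no longer constrains which app domains may traverse the mount root, the comment should state that deliberately, e.g. `# Traverse /mnt/media_rw/<vol>: SELinux permits all of appdomain, the effective limit is DAC (external_storage gid).` If some app domains should not reach it (isolated or ephemeral apps, say), a neverallow for those would keep the prior scope explicit.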
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f27b390..3bf3a13 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -18,6 +18,7 @@
     appcompat_data_file
     arm64_memtag_prop
     authorization_service
+    camerax_extensions_prop
     cgroup_desc_api_file
     cgroup_v2
     codec2_config_prop
@@ -125,7 +126,9 @@
     update_engine_stable_service
     userdata_sysdev
     userspace_reboot_metadata_file
+    uwb_service
     vcn_management_service
+    vendor_kernel_modules
     vibrator_manager_service
     virtualization_service
     vpn_management_service
diff --git a/private/domain.te b/private/domain.te
index c73dbe0..87518a7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -201,7 +201,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
@@ -498,3 +498,15 @@
   -vendor_init
   -dumpstate
 } mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+  domain
+  -init
+  userdebug_or_eng(`-profcollectd')
+  -vendor_init
+  -traced_probes
+  -traced_perf
+} proc_kallsyms:file { open read };
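Review bot: The comment above the relocated neverallow still names only the tracing daemon and callstack sampler, but the rule now also exempts profcollectd on userdebug/eng builds; the comment should say so, and the typo "repalced" carried over from public/domain.te can be fixed in the same edit, e.g. `# Allow the tracing daemon, callstack sampler and (userdebug/eng only) profcollectd to use kallsyms to symbolize kernel traces. Addresses are not disclosed, they are replaced with symbol names (if available). Traces don't disclose KASLR.` The same profcollectd exemption is added to the property neverallow in private/property.te, whose object list is outside that hunk, so the comment here is the natural place to record why a debug-only domain is allowed near kernel symbol data.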
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index af94906..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -58,10 +58,6 @@
 dontaudit gmscore_app mirror_data_file:dir search;
 dontaudit gmscore_app mnt_vendor_file:dir search;
 
-# Don't audit memtrack hal denials (b/177664629)
-dontaudit gmscore_app hal_memtrack_hwservice:hwservice_manager find;
-dontaudit gmscore_app hal_memtrack_service:service_manager find;
-
 # Access the network
 net_domain(gmscore_app)
 
diff --git a/private/keystore.te b/private/keystore.te
index 85f1517..aa902d5 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -24,3 +24,8 @@
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
 get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 5695cc3..3833971 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -16,10 +16,13 @@
 # odsign_key is a keystore2_key namespace for the on-device signing daemon.
 101            u:object_r:odsign_key:s0
 
-# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
 # namespace in keystore.
 102            u:object_r:wifi_key:s0
 
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103            u:object_r:locksettings_key:s0
+
 # resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
 120            u:object_r:resume_on_reboot_key:s0
 
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 8d33d5d..2f97608 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -14,6 +14,9 @@
 # A keystore2 namespace for the on-device signing daemon.
 type odsign_key, keystore2_key_type;
 
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
 # A keystore2 namespace for resume on reboot.
 type resume_on_reboot_key, keystore2_key_type;
 
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 978ae2a..78bbdb0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -24,6 +24,7 @@
 
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider cameraserver_service:service_manager find;
 allow mediaprovider drmserver_service:service_manager find;
 allow mediaprovider mediaextractor_service:service_manager find;
 allow mediaprovider mediaserver_service:service_manager find;
diff --git a/private/network_stack.te b/private/network_stack.te
index 6fa3055..9a22a19 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -32,6 +32,9 @@
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow network_stack self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit network_stack self:key_socket getopt;
 
 # Grant read permission of connectivity namespace system property prefix.
 get_prop(network_stack, device_config_connectivity_prop)
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 24fb056..efde321 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -19,6 +19,10 @@
   allow profcollectd system_file_type:file r_file_perms;
   allow profcollectd vendor_file_type:file r_file_perms;
 
+  # Allow profcollectd to search for and read kernel modules.
+  allow profcollectd vendor_file:dir r_dir_perms;
+  allow profcollectd vendor_kernel_modules:file r_file_perms;
+
   # Allow profcollectd to read system bootstrap libs.
   allow profcollectd system_bootstrap_lib_file:dir search;
   allow profcollectd system_bootstrap_lib_file:file r_file_perms;
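Review bot: `allow profcollectd vendor_kernel_modules:file r_file_perms;` is already implied by `allow profcollectd vendor_file_type:file r_file_perms;` a few lines above, because public/file.te in this same change declares vendor_kernel_modules as a vendor_file_type; the explicit line is redundant and can be dropped, or kept with a comment saying it only documents intent. The new `vendor_file:dir r_dir_perms` grants listing of every directory carrying the generic vendor_file label, not only the one holding modules; if that breadth is intended the comment should say so rather than "search for and read kernel modules". Both rules sit inside a `userdebug_or_eng(` block whose opening is outside this hunk.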
@@ -45,4 +49,13 @@
   # Allow profcollectd to publish a binder service and make binder calls.
   binder_use(profcollectd)
   add_service(profcollectd, profcollectd_service)
+
+  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+  set_prop(profcollectd, lower_kptr_restrict_prop)
+  allow profcollectd proc_kallsyms:file r_file_perms;
+  allow profcollectd proc_modules:file r_file_perms;
+
+  # Allow profcollectd to read kernel build id.
+  allow profcollectd sysfs_kernel_notes:file r_file_perms;
 ')
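Review bot: `set_prop(profcollectd, lower_kptr_restrict_prop)` lets profcollectd lower kptr_restrict system-wide, which exposes kernel addresses to the other domains the kallsyms neverallow still permits for as long as it stays lowered; the comment says "temporarily" but should name the component responsible for restoring the setting and make explicit that this is userdebug/eng-only (the enclosing `userdebug_or_eng(` block opens outside this hunk and closes at the `')` here). Suggested comment: `# userdebug/eng only: temporarily lower kptr_restrict (restored by <component — TODO name it>) to read the kernel start address from /proc/kallsyms and module start addresses from /proc/modules.`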
diff --git a/private/property.te b/private/property.te
index 8565275..d6533e8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -533,6 +533,7 @@
 neverallow {
   domain
   -init
+  userdebug_or_eng(`-profcollectd')
   userdebug_or_eng(`-traced_probes')
   userdebug_or_eng(`-traced_perf')
 } {
diff --git a/private/property_contexts b/private/property_contexts
index 5e4620f..34efaac 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -323,6 +323,8 @@
 ro.camera.notify_nfc    u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
 
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
 # Should always_debuggable be bool? It's checked against the string "1".
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
@@ -827,6 +829,7 @@
 
 # GRF property for the first api level of the vendor partition
 ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_level       u:object_r:build_vendor_prop:s0 exact int
 
 # Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
 ro.bootimage.build.date                        u:object_r:build_bootimage_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index e47cd6e..728df40 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -124,7 +124,6 @@
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
-hint                                      u:object_r:hint_service:s0
 ions                                      u:object_r:radio_service:s0
 idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
@@ -198,6 +197,7 @@
 package                                   u:object_r:package_service:s0
 package_native                            u:object_r:package_native_service:s0
 people                                    u:object_r:people_service:s0
+performance_hint                          u:object_r:hint_service:s0
 permission                                u:object_r:permission_service:s0
 permissionmgr                             u:object_r:permissionmgr_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
@@ -284,6 +284,7 @@
 usagestats                                u:object_r:usagestats_service:s0
 usb                                       u:object_r:usb_service:s0
 user                                      u:object_r:user_service:s0
+uwb                                       u:object_r:uwb_service:s0
 vcn_management                            u:object_r:vcn_management_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
 vibrator_manager                          u:object_r:vibrator_manager_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 58322b8..48d5f9d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -21,9 +21,6 @@
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
 
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
 # Access to apex files stored on /data (b/136063500)
 # Needed so that Settings can access NOTICE files inside apex
 # files located in the assets/ directory.
diff --git a/private/system_server.te b/private/system_server.te
index 084ea22..1bab3e7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -905,6 +905,16 @@
 	use
 };
 
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
diff --git a/private/traced.te b/private/traced.te
index aa16966..6e3ad46 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,7 +3,6 @@
 # type traced is defined under /public (because iorapd rules
 # under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
-type traced_tmpfs, file_type;
 
 # Allow init to exec the daemon.
 init_daemon_domain(traced)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d57939b..6064c14 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -84,10 +84,6 @@
 allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
 allow untrusted_app_all media_rw_data_file:file create_file_perms;
 
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
 # allow cts to query all services
 allow untrusted_app_all servicemanager:service_manager list;
 
diff --git a/private/vold.te b/private/vold.te
index 93a3515..d794abf 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -45,7 +45,11 @@
     use
 };
 
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
 # vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;
 
 # vold needs to be able to call earlyBootEnded()
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 85a28da..8878acf 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,3 +7,9 @@
 hal_client_domain(wait_for_keymaster, hal_keymaster)
 
 allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;
diff --git a/public/app.te b/public/app.te
index af19d10..ae8d7fd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -592,3 +592,6 @@
     { open read write append execute execute_no_trans map };
 neverallow appdomain system_bootstrap_lib_file:dir
     { open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
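Review bot: The comment `# Allow to ro.camerax.extensions.enabled` is missing its verb and the subject; write `# Allow apps to read ro.camerax.extensions.enabled (camerax_extensions_prop).` get_prop grants read only, so no further scoping is needed, but the comment should make the read-only nature visible since the property is vendor-configured and now readable by every app domain.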
diff --git a/public/domain.te b/public/domain.te
index 0c37ee4..8244b9c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -446,17 +446,6 @@
 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init -vendor_init } proc_security:file { append open read write };
 
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
-  domain
-  -init
-  -vendor_init
-  -traced_probes
-  -traced_perf
-} proc_kallsyms:file { open read };
-
 # Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow * init:binder *;
diff --git a/public/file.te b/public/file.te
index c4c2a21..174a149 100644
--- a/public/file.te
+++ b/public/file.te
@@ -562,6 +562,9 @@
 # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
 type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
 
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 416448a..4eb8bb2 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -33,4 +33,6 @@
 hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
 binder_call(hal_neuralnetworks_server, servicemanager)
 
+binder_use(hal_neuralnetworks_server)
+
 allow hal_neuralnetworks_server dumpstate:fifo_file write;
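Review bot: `binder_use(hal_neuralnetworks_server)` is placed directly under `binder_call(hal_neuralnetworks_server, servicemanager)`; if binder_use already expands to the servicemanager call (as the macro does in this tree, to my recollection), the binder_call line above becomes redundant and should be removed so each permission is granted once. A one-line comment naming the binder object the server now exports, which is what makes full binder use necessary, would also help the next reader.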
diff --git a/public/property.te b/public/property.te
index 8cae47c..caa705a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -122,6 +122,7 @@
 system_vendor_config_prop(build_vendor_prop)
 system_vendor_config_prop(camera_calibration_prop)
 system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
 system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(cpu_variant_prop)
diff --git a/public/service.te b/public/service.te
index 0b4f8e9..8632887 100644
--- a/public/service.te
+++ b/public/service.te
@@ -220,6 +220,7 @@
 type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type usb_service, app_api_service, system_server_service, service_manager_type;
 type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
 type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index cefc44d..074ff2e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -18,6 +18,7 @@
   vndbinder_use(su)
 
   dontaudit su self:capability_class_set *;
+  dontaudit su self:capability2 *;
   dontaudit su kernel:security *;
   dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;
diff --git a/public/traced.te b/public/traced.te
index ec5b850..922d46e 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,2 +1,3 @@
 type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
 
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 286ff4d..e8fd29e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -59,6 +59,10 @@
 # Needed because libdm reads sysfs to validate when a dm path is ready.
 r_dir_file(update_engine_common, sysfs_dm)
 
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
 # read / write on /dev/device-mapper to map / unmap devices
 allow update_engine_common dm_device:chr_file rw_file_perms;
 
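Review bot: `allow update_engine_common sysfs:dir r_dir_perms;` grants read/list on every sysfs directory carrying the generic sysfs label, which is wider than the /sys/fs/ext4 path the comment describes; only the f2fs line targets a specific label. If a dedicated type for the ext4 sysfs tree exists or can be added the way sysfs_fs_f2fs was, scoping to it would match the comment; otherwise the comment should admit the breadth, e.g. `# Read generic-labeled sysfs dirs (incl. /sys/fs/ext4) and /sys/fs/f2fs for device-mapper diagnostics.`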
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 25d0dcb..a8f9418 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -223,6 +223,7 @@
 set_prop(vendor_init, apk_verity_prop)
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)
diff --git a/public/vold.te b/public/vold.te
index 5a14c44..17c71b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -351,6 +351,7 @@
   -healthd
   -hwservicemanager
   -iorapd_service
+  -keystore
   -servicemanager
   -system_server
   userdebug_or_eng(`-su')