Merge "microdroid: add /dev/hvc2"
diff --git a/private/apexd.te b/private/apexd.te
index 50a7a72..feee8ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -186,3 +186,6 @@
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/private/apexd_derive_classpath.te b/private/apexd_derive_classpath.te
new file mode 100644
index 0000000..d4c5496
--- /dev/null
+++ b/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 35059a9..a71eec4 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1961,7 +1961,10 @@
(typeattributeset print_service_31_0 (print_service))
(typeattributeset priv_app_31_0 (priv_app))
(typeattributeset privapp_data_file_31_0 (privapp_data_file))
-(typeattributeset proc_31_0 (proc))
+(typeattributeset proc_31_0
+ ( proc
+ proc_cpu_alignment
+))
(typeattributeset proc_abi_31_0 (proc_abi))
(typeattributeset proc_asound_31_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_31_0 (proc_bluetooth_writable))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 5860761..f9645f4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -16,10 +16,13 @@
hal_health_service
hal_sensors_service
hal_system_suspend_service
+ hal_radio_service
hal_tv_tuner_service
hal_uwb_service
hal_uwb_vendor_service
hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ hal_nlinterceptor_service
hypervisor_prop
locale_service
power_stats_service
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 664a3b3..3e2dbe4 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 6f7d027..817416d 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -18,6 +18,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 54eb0a4..040ffe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -44,6 +44,8 @@
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 4470e1c..50002d4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,9 +10,11 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
@@ -26,6 +28,7 @@
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
+android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0b02745..1e00dcd 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,9 +22,6 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
-allow virtualizationservice system_file:file execute_no_trans;
-
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
diff --git a/public/attributes b/public/attributes
index 6c37db1..ee8a05e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -354,6 +354,7 @@
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
+hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index b7e555f..577a465 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -36,6 +36,9 @@
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+# Allow to talk with surfaceflinger through unix stream socket
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 0b94e2e..6e2adde 100644
--- a/public/file.te
+++ b/public/file.te
@@ -25,6 +25,7 @@
type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index cd15910..e77ea9d 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -11,6 +11,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -31,6 +32,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -42,6 +44,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_nlinterceptor_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..2076de8
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..dd89c8f 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,6 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index f7c444e..b4ff7aa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,6 +3,9 @@
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
+
+binder_call(hal_wifi_supplicant_server, servicemanager)
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 193941a..8799134 100644
--- a/public/init.te
+++ b/public/init.te
@@ -371,6 +371,7 @@
allow init {
proc_abi
+ proc_cpu_alignment
proc_dirty
proc_hostname
proc_hung_task
diff --git a/public/keystore.te b/public/keystore.te
index b7d5090..9535491 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -43,3 +43,7 @@
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
diff --git a/public/property.te b/public/property.te
index de61748..f73a408 100644
--- a/public/property.te
+++ b/public/property.te
@@ -64,7 +64,6 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -180,6 +179,7 @@
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
+system_public_prop(charger_status_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
diff --git a/public/service.te b/public/service.te
index 083de1d..19f7aaa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -249,6 +249,7 @@
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
+type hal_wifi_supplicant_service, vendor_service, protected_service, service_manager_type;
###
### HAL Services
@@ -278,10 +279,12 @@
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..98db0d7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@
binder_call(wificond, keystore)
add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;