Merge "Granting remote_prov_app find for tethering"
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 909f94c..b08462e 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -17,6 +17,7 @@
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
diff --git a/private/file_contexts b/private/file_contexts
index 35b93a1..a4a0449 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -361,7 +361,6 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 9612b90..5695cc3 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -20,3 +20,6 @@
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 990bc29..8d33d5d 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -13,3 +13,7 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 3e08e42..84fde67 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,4 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
deleted file mode 100644
index ef1fd4f..0000000
--- a/private/notify_traceur.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type notify_traceur, domain, coredomain;
-type notify_traceur_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(notify_traceur);
-binder_use(notify_traceur);
-
-# This is to execute am
-allow notify_traceur activity_service:service_manager find;
-allow notify_traceur shell_exec:file rx_file_perms;
-allow notify_traceur system_file:file rx_file_perms;
-
-binder_call(notify_traceur, system_server);
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 37149ab..610c4cb 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -37,6 +37,10 @@
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
@@ -63,6 +67,7 @@
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
@@ -77,3 +82,6 @@
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 1854bd7..35bf7eb 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -467,6 +467,7 @@
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 34bbadc..d536622 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,9 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
allow remote_prov_app {
activity_service
remoteprovisioning_service
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 640306f..a32f89c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -109,6 +109,7 @@
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC
pdx_server(surfaceflinger, display_client)
diff --git a/private/system_server.te b/private/system_server.te
index 8bee1bf..05a6e48 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -240,7 +240,6 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
-binder_call(system_server, notify_traceur)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -891,6 +890,15 @@
use
};
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index 83323c9..5f24115 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -197,9 +197,11 @@
# undesirable, so suppress the denial.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-# Ignore spurious denials calling access() on fuse
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir setattr;
+dontaudit zygote media_rw_data_file:dir { read open setattr };
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
diff --git a/public/bootanim.te b/public/bootanim.te
index acef6da..88fe173 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
allow bootanim hal_graphics_allocator:fd use;
# Fences
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 365af78..7a29240 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@
hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4..45fad56 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,6 +9,8 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147..3ec6b96 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a130..1c69c99 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index f458db6..4076eff 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -6,3 +6,4 @@
hal_attribute_service(hal_power_stats, hal_power_stats_service)
binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/public/ueventd.te b/public/ueventd.te
index 9c2575a..d5d4301 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -40,8 +40,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a..8752364 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,6 +13,7 @@
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
# allow sensor hal to use lock for keeping system awake for wake up
# events delivery.
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index abe1e77..639c7bd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,3 +5,6 @@
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;