Merge "Add sepolicy for KeyMint VM system properties exposed to vendors" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 0374b62..37400dd 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -328,3 +328,10 @@
"com.android.documentsuibundle-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.profiling-file_contexts",
+ srcs: [
+ "com.android.profiling-file_contexts",
+ ],
+}
diff --git a/apex/com.android.profiling-file_contexts b/apex/com.android.profiling-file_contexts
new file mode 100644
index 0000000..796beca
--- /dev/null
+++ b/apex/com.android.profiling-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/trace_redactor u:object_r:trace_redactor_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f931115..17d737f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -151,6 +151,7 @@
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
"android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.devicestate.IDeviceStateService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
@@ -361,6 +362,7 @@
"meminfo": EXCEPTION_NO_FUZZER,
"memtrack.proxy": EXCEPTION_NO_FUZZER,
"midi": EXCEPTION_NO_FUZZER,
+ "mmd": EXCEPTION_NO_FUZZER,
"mount": EXCEPTION_NO_FUZZER,
"music_recognition": EXCEPTION_NO_FUZZER,
"nearby": EXCEPTION_NO_FUZZER,
@@ -514,6 +516,7 @@
"wifi": EXCEPTION_NO_FUZZER,
"wifinl80211": []string{"wificond_service_fuzzer"},
"wifiaware": EXCEPTION_NO_FUZZER,
+ "wifi_usd": EXCEPTION_NO_FUZZER,
"wifirtt": EXCEPTION_NO_FUZZER,
"wifi_mainline_supplicant": EXCEPTION_NO_FUZZER, // defined internally
"window": EXCEPTION_NO_FUZZER,
diff --git a/compat/libgenfslabelsversion/Android.bp b/compat/libgenfslabelsversion/Android.bp
new file mode 100644
index 0000000..7f512a7
--- /dev/null
+++ b/compat/libgenfslabelsversion/Android.bp
@@ -0,0 +1,35 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+rust_defaults {
+ name: "libgenfslabelsversion.default",
+ crate_name: "genfslabelsversion",
+ srcs: ["src/lib.rs"],
+ apex_available: ["//apex_available:platform"],
+}
+
+rust_ffi_static {
+ name: "libgenfslabelsversion.ffi",
+ defaults: ["libgenfslabelsversion.default"],
+ export_include_dirs: ["include"],
+}
diff --git a/compat/libgenfslabelsversion/include/genfslabelsversion.h b/compat/libgenfslabelsversion/include/genfslabelsversion.h
new file mode 100644
index 0000000..4c029c8
--- /dev/null
+++ b/compat/libgenfslabelsversion/include/genfslabelsversion.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int get_genfs_labels_version();
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/compat/libgenfslabelsversion/src/lib.rs b/compat/libgenfslabelsversion/src/lib.rs
new file mode 100644
index 0000000..21619e8
--- /dev/null
+++ b/compat/libgenfslabelsversion/src/lib.rs
@@ -0,0 +1,40 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Client library to read genfs labels version of the vendor.
+
+use std::fs;
+
+const GENFS_LABELS_VERSION_TXT_PATH: &str = "/vendor/etc/selinux/genfs_labels_version.txt";
+const DEFAULT_GENFS_LABELS_VERSION: i32 = 202404;
+
+/// Get genfs labels version from the vendor partition.
+///
+/// This function reads the genfs labels version from the file
+/// `/vendor/etc/selinux/genfs_labels_version.txt`. If the file does not exist or
+/// cannot be parsed, it returns a default version of 202404.
+///
+/// # Returns
+///
+/// The genfs labels version as an integer.
+#[no_mangle]
+pub extern "C" fn get_genfs_labels_version() -> i32 {
+ match fs::read_to_string(GENFS_LABELS_VERSION_TXT_PATH) {
+ Ok(contents) => match contents.trim().parse::<i32>() {
+ Ok(version) => version,
+ Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+ },
+ Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+ }
+}
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 3e7379a..b3aaff1 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -325,6 +325,7 @@
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
+/system/bin/prefetch prefetch_exec
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
@@ -398,6 +399,7 @@
/system/bin/bootstrap/linkerconfig linkerconfig_exec
/system/bin/llkd llkd_exec
/system/bin/lmkd lmkd_exec
+/system/bin/mmd mmd_exec
/system/bin/usbd usbd_exec
/system/bin/inputflinger inputflinger_exec
/system/bin/logd logd_exec
@@ -643,6 +645,7 @@
/odm/usr/keylayout/test.kl vendor_keylayout_file
/vendor/odm/usr/keylayout.kl vendor_keylayout_file
/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/usr/keylayout vendor_keylayout_file
/vendor/usr/keylayout.kl vendor_keylayout_file
/vendor/usr/keylayout/test.kl vendor_keylayout_file
/system/vendor/usr/keylayout.kl vendor_keylayout_file
@@ -651,6 +654,7 @@
/odm/usr/keychars/test.kcm vendor_keychars_file
/vendor/odm/usr/keychars.kcm vendor_keychars_file
/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/usr/keychars vendor_keychars_file
/vendor/usr/keychars.kcm vendor_keychars_file
/vendor/usr/keychars/test.kcm vendor_keychars_file
/system/vendor/usr/keychars.kcm vendor_keychars_file
@@ -659,6 +663,7 @@
/odm/usr/idc/test.idc vendor_idc_file
/vendor/odm/usr/idc.idc vendor_idc_file
/vendor/odm/usr/idc/test.idc vendor_idc_file
+/vendor/usr/idc vendor_idc_file
/vendor/usr/idc.idc vendor_idc_file
/vendor/usr/idc/test.idc vendor_idc_file
/system/vendor/usr/idc.idc vendor_idc_file
@@ -1294,6 +1299,8 @@
/metadata/repair-mode/test repair_mode_metadata_file
/metadata/tradeinmode tradeinmode_metadata_file
/metadata/tradeinmode/test tradeinmode_metadata_file
+/metadata/prefetch prefetch_metadata_file
+/metadata/prefetch/test prefetch_metadata_file
/mnt/asec asec_apk_file
/mnt/asec/test asec_apk_file
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 5ba9b3f..85eb601 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2724,7 +2724,7 @@
(typeattributeset virtual_camera_service_202404 (virtual_camera_service))
(typeattributeset virtual_device_native_service_202404 (virtual_device_native_service))
(typeattributeset virtual_device_service_202404 (virtual_device_service))
-(typeattributeset virtual_face_hal_prop_202404 (virtual_face_hal_prop))
+(typeattributeset virtual_face_hal_prop_202404 (virtual_face_hal_prop virtual_face_prop))
(typeattributeset virtual_fingerprint_hal_prop_202404 (virtual_fingerprint_hal_prop virtual_fingerprint_prop))
(typeattributeset virtual_touchpad_202404 (virtual_touchpad))
(typeattributeset virtual_touchpad_exec_202404 (virtual_touchpad_exec))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 0bf3f7e..f518eac 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -7,6 +7,7 @@
( new_objects
bluetooth_finder_prop
profcollectd_etr_prop
+ fwk_devicestate_service
fstype_prop
binderfs_logs_transactions
binderfs_logs_transaction_history
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a43f0fd..a9a37a4 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -80,6 +80,7 @@
ublk_control_device
usb_uvc_enabled_prop
virtual_face_hal_prop
+ virtual_face_prop
virtual_fingerprint_hal_prop
virtual_fingerprint_prop
hal_gatekeeper_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 8a46a08..23ad43a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -183,6 +183,7 @@
-shell
-system_server
-traceur_app
+ -prefetch
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
diff --git a/private/file.te b/private/file.te
index 559b0fe..4ef8d55 100644
--- a/private/file.te
+++ b/private/file.te
@@ -224,6 +224,9 @@
# /metadata/tradeinmode files
type tradeinmode_metadata_file, file_type;
+# /metadata/prefetch files
+type prefetch_metadata_file, file_type;
+
# Types added in 202504 in public/file.te
until_board_api(202504, `
type binderfs_logs_transactions, fs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 2350a7c..bb8a35a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -329,6 +329,7 @@
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/mmd u:object_r:mmd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
@@ -414,6 +415,7 @@
/system/bin/bert_collector u:object_r:bert_collector_exec:s0
/system/bin/linux_vm_setup u:object_r:linux_vm_setup_exec:s0
/system/bin/tradeinmode u:object_r:tradeinmode_exec:s0
+/system/bin/prefetch u:object_r:prefetch_exec:s0
#############################
# Vendor files
@@ -472,8 +474,11 @@
/(odm|vendor/odm|vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
# Input configuration
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)? u:object_r:vendor_keychars_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)? u:object_r:vendor_idc_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
@@ -898,6 +903,7 @@
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
/metadata/aconfig_test_missions(/.*)? u:object_r:aconfig_test_mission_files:s0
/metadata/tradeinmode(/.*)? u:object_r:tradeinmode_metadata_file:s0
+/metadata/prefetch(/.*)? u:object_r:prefetch_metadata_file:s0
############################
# mount point for ota metadata
diff --git a/private/init.te b/private/init.te
index d1f7c18..15f79e3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -85,6 +85,10 @@
# Allow init to set 16kb app compatibility props
set_prop(init, bionic_linker_16kb_app_compat_prop)
+# Allow init to set/get prefetch boot prop to initiate record/replay
+set_prop(init, ctl_prefetch_prop);
+get_prop(init, prefetch_boot_prop);
+
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/mmd.te b/private/mmd.te
new file mode 100644
index 0000000..193c307
--- /dev/null
+++ b/private/mmd.te
@@ -0,0 +1,17 @@
+# mmd memory management daemon
+type mmd, domain;
+typeattribute mmd coredomain;
+type mmd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmd)
+
+# mmd binder setup
+add_service(mmd, mmd_service)
+binder_use(mmd)
+
+# zram sysfs access
+allow mmd sysfs_zram:dir search;
+allow mmd sysfs_zram:file rw_file_perms;
+
+# procfs
+allow mmd proc_meminfo:file r_file_perms;
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 2fc74b5..04cb70f 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -26,6 +26,9 @@
# Allow OT daemon to read/write on the socket created by System Server
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
+# Allow OT daemon to read/write on the UDP sockets created by system server
+allow ot_daemon system_server:udp_socket rw_socket_perms;
+
hal_client_domain(ot_daemon, hal_threadnetwork)
# Only ot_daemon can publish the binder service
diff --git a/private/prefetch.te b/private/prefetch.te
new file mode 100644
index 0000000..c7ee8b1
--- /dev/null
+++ b/private/prefetch.te
@@ -0,0 +1,27 @@
+type prefetch, coredomain, domain;
+type prefetch_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(prefetch)
+
+# Allow prefetch to start recording by enabling tracing event under
+# /sys/kernel/tracing/events/filemap/mm_filemap_add_to_page_cache
+allow prefetch debugfs_tracing_instances:dir create_dir_perms;
+allow prefetch debugfs_tracing_instances:file rw_file_perms;
+
+# Allow to read/write/create/delete to storage prefetch record files
+allow prefetch metadata_file:dir search;
+allow prefetch prefetch_metadata_file:dir rw_dir_perms;
+allow prefetch prefetch_metadata_file:file create_file_perms;
+
+# Disallow other domains controlling prefetch service.
+neverallow {
+ domain
+ -init
+ -shell
+} ctl_prefetch_prop:property_service set;
+
+# Disallow other domains controlling prefetch_boot_prop.
+neverallow {
+ domain
+ -init
+} prefetch_boot_prop:property_service set;
diff --git a/private/property.te b/private/property.te
index 0f5a3f0..e098fb2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,6 +3,7 @@
system_internal_prop(adbd_tradeinmode_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(ctl_prefetch_prop)
system_internal_prop(ctl_uprobestats_prop)
system_internal_prop(crashrecovery_prop)
system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
@@ -50,6 +51,7 @@
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
system_internal_prop(snapuserd_prop)
+system_internal_prop(prefetch_boot_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
@@ -88,6 +90,7 @@
until_board_api(202504, `
system_public_prop(bluetooth_finder_prop)
system_public_prop(virtual_fingerprint_prop)
+ system_public_prop(virtual_face_prop)
')
# These types will be public starting at board api 202504
diff --git a/private/property_contexts b/private/property_contexts
index 241699a..163c873 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -203,6 +203,11 @@
ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+# Restrict access to control prefetch
+ctl.start$prefetch u:object_r:ctl_prefetch_prop:s0
+ctl.stop$prefetch u:object_r:ctl_prefetch_prop:s0
+ctl.restart$prefetch u:object_r:ctl_prefetch_prop:s0
+
# Restrict access to control uprobestats
ctl.start$uprobestats u:object_r:ctl_uprobestats_prop:s0
ctl.stop$uprobestats u:object_r:ctl_uprobestats_prop:s0
@@ -355,6 +360,13 @@
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
ro.product.charger.unplugged_shutdown_time u:object_r:charger_config_prop:s0 exact int
+# Prefetch boot properties
+ro.prefetch_boot.enabled u:object_r:prefetch_boot_prop:s0 exact bool
+ro.prefetch_boot.trace_buffer_size_kib u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.duration_s u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.io_depth u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.max_fds u:object_r:prefetch_boot_prop:s0 exact int
+
# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
@@ -1656,28 +1668,28 @@
composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
# properties for the virtual Face HAL
-persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_hal_prop:s0 exact bool
-persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_hal_prop:s0 exact bool
-persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_hal_prop:s0 exact int
-persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_hal_prop:s0 exact int
-persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.type u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_prop:s0 exact int
+persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_prop:s0 exact int
+persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_prop:s0 exact int
# properties for the virtual Fingerprint HAL
persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index bb24fd4..c12c1a0 100644
--- a/private/service.te
+++ b/private/service.te
@@ -16,6 +16,7 @@
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
+type mmd_service, service_manager_type;
type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type profcollectd_service, service_manager_type;
type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index e452172..77f1eec 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,6 +3,9 @@
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.frameworks.vibrator.IVibratorControlService/default u:object_r:fwk_vibrator_control_service:s0
+starting_at_board_api(202504, `
+ android.frameworks.devicestate.IDeviceStateService/default u:object_r:fwk_devicestate_service:s0
+')
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
@@ -354,6 +357,7 @@
meminfo u:object_r:meminfo_service:s0
memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
+mmd u:object_r:mmd_service:s0
mount u:object_r:mount_service:s0
music_recognition u:object_r:music_recognition_service:s0
nearby u:object_r:nearby_service:s0
@@ -514,6 +518,9 @@
wifinl80211 u:object_r:wifinl80211_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
+starting_at_board_api(202504, `
+ wifi_usd u:object_r:wifi_usd_service:s0
+')
wifi_mainline_supplicant u:object_r:wifi_mainline_supplicant_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/shell.te b/private/shell.te
index 70f296e..6372609 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -42,10 +42,8 @@
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
-# Allow shell to execute tradeinmode on userdebug builds, for testing.
-userdebug_or_eng(`
- domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
-')
+# Allow shell to execute tradeinmode for testing.
+domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
@@ -185,6 +183,8 @@
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
set_prop(shell, ctl_snapuserd_prop)
+# Allow shell to start/stop prefetch
+set_prop(shell, ctl_prefetch_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
diff --git a/private/system_server.te b/private/system_server.te
index 044edc1..aeeb566 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -293,6 +293,7 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
+binder_call(system_server, mmd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
@@ -393,6 +394,7 @@
mediaswcodec
mediatranscoding
mediatuner
+ mmd
netd
sdcardd
servicemanager
@@ -1006,6 +1008,7 @@
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
+allow system_server mmd_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index 821faf4..febe35f 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -6,11 +6,9 @@
allow tradeinmode adbd_tradeinmode:fd use;
allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
-# Allow running from normal shell on userdebug/eng.
-userdebug_or_eng(`
- allow tradeinmode { adbd shell }:fd use;
- allow tradeinmode adbd:unix_stream_socket { read write ioctl };
-')
+# Allow running from normal shell.
+allow tradeinmode { adbd shell }:fd use;
+allow tradeinmode adbd:unix_stream_socket { read write ioctl };
allow tradeinmode devpts:chr_file rw_file_perms;
diff --git a/private/virtual_face.te b/private/virtual_face.te
index 0e33d6b..9a805e8 100644
--- a/private/virtual_face.te
+++ b/private/virtual_face.te
@@ -4,3 +4,4 @@
hal_server_domain(virtual_face, hal_face)
typeattribute virtual_face coredomain;
init_daemon_domain(virtual_face)
+set_prop(virtual_face, virtual_face_prop)
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index abee70f..934031a 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -13,7 +13,7 @@
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
-allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink };
+allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink rename };
allow vmlauncher_app privapp_data_file:file { relabelfrom };
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
diff --git a/public/property.te b/public/property.te
index 43f162f..cb18741 100644
--- a/public/property.te
+++ b/public/property.te
@@ -279,7 +279,10 @@
vendor_internal_prop(rebootescrow_hal_prop)
# Properties used in the default Face HAL implementations
-system_public_prop(virtual_face_hal_prop)
+vendor_internal_prop(virtual_face_hal_prop)
+starting_at_board_api(202504, `
+ system_public_prop(virtual_face_prop)
+')
# Properties used in the default Fingerprint HAL implementations
vendor_internal_prop(virtual_fingerprint_hal_prop)
diff --git a/public/service.te b/public/service.te
index 7aab275..2b75cc6 100644
--- a/public/service.te
+++ b/public/service.te
@@ -151,6 +151,9 @@
type forensic_service, app_api_service, system_api_service, system_server_service, service_manager_type;
')
type fwk_altitude_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type fwk_devicestate_service, system_server_service, service_manager_type;
+')
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
type fwk_vibrator_control_service, system_server_service, service_manager_type;
@@ -298,6 +301,9 @@
type wifi_service, app_api_service, system_server_service, service_manager_type;
type wifinl80211_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type wifi_usd_service, app_api_service, system_server_service, service_manager_type;
+')
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 3d608cd..b9815ec 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -8,7 +8,10 @@
allow hal_face_default fwk_sensor_service:service_manager find;
# virtual_face_hal_prop is only for debuggable builds
-userdebug_or_eng(`set_prop(hal_face_default, virtual_face_hal_prop)');
+starting_at_board_api(202504, `
+ set_prop(hal_face_default, virtual_face_prop)
+')
+
neverallow { domain -init -dumpstate userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:property_service set;