Merge "Allow dexopt_chroot_setup to mount on vendor_configs_file." into main
diff --git a/apex/com.android.biometrics.virtual.face-file_contexts b/apex/com.android.biometrics.virtual.face-file_contexts
index 07fc0a8..8d9b86c 100644
--- a/apex/com.android.biometrics.virtual.face-file_contexts
+++ b/apex/com.android.biometrics.virtual.face-file_contexts
@@ -1,3 +1,3 @@
-(/.*)? u:object_r:vendor_file:s0
-/etc(/.*)? u:object_r:vendor_configs_file:s0
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:virtual_face_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 257cee6..7aaab4e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -23,144 +23,146 @@
var (
ServiceFuzzerBindings = map[string][]string{
- "android.hardware.audio.core.IConfig/default": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/default": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/a2dp": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/bluetooth": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/hearing_aid": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/msd": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/r_submix": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/stub": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.core.IModule/usb": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
- "android.hardware.audio.sounddose.ISoundDoseFactory/default": EXCEPTION_NO_FUZZER,
- "android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
- "android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.can.ICanController/default": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.ivn.IIvnAndroidDevice/default": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
- "android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
- "android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
- "android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
- "android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
- "android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
- "android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
- "android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
- "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
- "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
- "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
- "android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
- "android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
- "android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
- "android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
- "android.hardware.bluetooth.socket.IBluetoothSocket/default": []string{"android.hardware.bluetooth.socket-service_fuzzer"},
- "android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
- "android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
- "android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
- "android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
- "android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
- "android.hardware.drm.IDrmFactory/clearkey": EXCEPTION_NO_FUZZER,
- "android.hardware.drm.ICryptoFactory/clearkey": EXCEPTION_NO_FUZZER,
- "android.hardware.dumpstate.IDumpstateDevice/default": EXCEPTION_NO_FUZZER,
- "android.hardware.fastboot.IFastboot/default": EXCEPTION_NO_FUZZER,
- "android.hardware.gatekeeper.IGatekeeper/default": EXCEPTION_NO_FUZZER,
- "android.hardware.gnss.IGnss/default": EXCEPTION_NO_FUZZER,
- "android.hardware.graphics.allocator.IAllocator/default": EXCEPTION_NO_FUZZER,
- "android.hardware.graphics.composer3.IComposer/default": EXCEPTION_NO_FUZZER,
- "android.hardware.health.storage.IStorage/default": EXCEPTION_NO_FUZZER,
- "android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
- "android.hardware.identity.IIdentityCredentialStore/default": EXCEPTION_NO_FUZZER,
- "android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
- "android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
- "android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
- "android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
- "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
- "android.hardware.media.c2.IComponentStore/default1": EXCEPTION_NO_FUZZER,
- "android.hardware.media.c2.IComponentStore/default2": EXCEPTION_NO_FUZZER,
- "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
- "android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
- "android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
- "android.hardware.nfc.INfc/default": []string{"nfc_service_fuzzer"},
- "android.hardware.oemlock.IOemLock/default": EXCEPTION_NO_FUZZER,
- "android.hardware.power.IPower/default": EXCEPTION_NO_FUZZER,
- "android.hardware.power.stats.IPowerStats/default": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.config.IRadioConfig/default": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.data.IRadioData/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.data.IRadioData/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.data.IRadioData/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.ims.IRadioIms/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.ims.IRadioIms/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.ims.IRadioIms/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.ims.media.IImsMedia/default": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.messaging.IRadioMessaging/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.messaging.IRadioMessaging/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.messaging.IRadioMessaging/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.modem.IRadioModem/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.modem.IRadioModem/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.modem.IRadioModem/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.satellite.IRadioSatellite/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.satellite.IRadioSatellite/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.satellite.IRadioSatellite/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sap.ISap/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sap.ISap/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sap.ISap/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.rebootescrow.IRebootEscrow/default": EXCEPTION_NO_FUZZER,
- "android.hardware.secure_element.ISecureElement/eSE1": EXCEPTION_NO_FUZZER,
- "android.hardware.secure_element.ISecureElement/eSE2": EXCEPTION_NO_FUZZER,
- "android.hardware.secure_element.ISecureElement/eSE3": EXCEPTION_NO_FUZZER,
- "android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
- "android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
- "android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
- "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": []string{"android.hardware.authgraph-service.nonsecure_fuzzer"},
- "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
- "android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
- "android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
- "android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
- "android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
- "android.hardware.threadnetwork.IThreadChip/chip0": []string{"android.hardware.threadnetwork-service.fuzzer"},
- "android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.mediaquality.IMediaQuality/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
- "android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
- "android.hardware.usb.gadget.IUsbGadget/default": EXCEPTION_NO_FUZZER,
- "android.hardware.uwb.IUwb/default": EXCEPTION_NO_FUZZER,
- "android.hardware.vibrator.IVibrator/default": EXCEPTION_NO_FUZZER,
- "android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
- "android.hardware.weaver.IWeaver/default": EXCEPTION_NO_FUZZER,
- "android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
- "android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
- "android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
- "android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
- "android.frameworks.devicestate.IDeviceStateService/default": EXCEPTION_NO_FUZZER,
- "android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
- "android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
- "android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
- "android.frameworks.vibrator.IVibratorControlService/default": EXCEPTION_NO_FUZZER,
- "android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
- "android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
- "android.system.net.netd.INetd/default": []string{"netd_hw_service_fuzzer"},
- "android.system.suspend.ISystemSuspend/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IConfig/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/a2dp": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/bluetooth": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/hearing_aid": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/msd": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/r_submix": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/stub": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/usb": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.sounddose.ISoundDoseFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.can.ICanController/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.ivn.IIvnAndroidDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
+ "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
+ "android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.socket.IBluetoothSocket/default": []string{"android.hardware.bluetooth.socket-service_fuzzer"},
+ "android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
+ "android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.drm.IDrmFactory/clearkey": EXCEPTION_NO_FUZZER,
+ "android.hardware.drm.ICryptoFactory/clearkey": EXCEPTION_NO_FUZZER,
+ "android.hardware.dumpstate.IDumpstateDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.fastboot.IFastboot/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.gatekeeper.IGatekeeper/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.gnss.IGnss/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.graphics.allocator.IAllocator/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.graphics.composer3.IComposer/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.health.storage.IStorage/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
+ "android.hardware.identity.IIdentityCredentialStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default1": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default2": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
+ "android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.nfc.INfc/default": []string{"nfc_service_fuzzer"},
+ "android.hardware.oemlock.IOemLock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.power.IPower/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.power.stats.IPowerStats/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.config.IRadioConfig/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.media.IImsMedia/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.rebootescrow.IRebootEscrow/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE1": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE2": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE3": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": []string{"android.hardware.authgraph-service.nonsecure_fuzzer"},
+ "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
+ "android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.threadnetwork.IThreadChip/chip0": []string{"android.hardware.threadnetwork-service.fuzzer"},
+ "android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.mediaquality.IMediaQuality/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.usb.gadget.IUsbGadget/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.uwb.IUwb/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.vibrator.IVibrator/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
+ "android.hardware.virtualization.capabilities.IVmCapabilitiesService/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.virtualization.capabilities.IVmCapabilitiesService/noop": EXCEPTION_NO_FUZZER,
+ "android.hardware.weaver.IWeaver/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.devicestate.IDeviceStateService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
+ "android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.vibrator.IVibratorControlService/default": EXCEPTION_NO_FUZZER,
+ "android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
+ "android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
+ "android.system.net.netd.INetd/default": []string{"netd_hw_service_fuzzer"},
+ "android.system.suspend.ISystemSuspend/default": EXCEPTION_NO_FUZZER,
"accessibility": EXCEPTION_NO_FUZZER,
"account": EXCEPTION_NO_FUZZER,
"activity": EXCEPTION_NO_FUZZER,
@@ -292,7 +294,6 @@
"fingerprint": EXCEPTION_NO_FUZZER,
"feature_flags": EXCEPTION_NO_FUZZER,
"font": EXCEPTION_NO_FUZZER,
- "forensic": EXCEPTION_NO_FUZZER,
"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
diff --git a/compat/plat_sepolicy_genfs_202504.cil b/compat/plat_sepolicy_genfs_202504.cil
index 79cc732..d78194f 100644
--- a/compat/plat_sepolicy_genfs_202504.cil
+++ b/compat/plat_sepolicy_genfs_202504.cil
@@ -1 +1,2 @@
(genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
+(genfscon sysfs "/power/mem_sleep" (u object_r sysfs_mem_sleep ((s0) (s0))))
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index fc2d7b8..fcaf9f6 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -321,7 +321,6 @@
/system/bin/fsck.f2fs fsck_exec
/system/bin/init init_exec
/system/bin/mini-keyctl toolbox_exec
-/system/bin/fsverity_init fsverity_init_exec
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index e4315a2..822797c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -14,6 +14,10 @@
# Allow to set debug prop
set_prop(microdroid_payload, debug_prop)
+# Allow to use service manager APIs without waiting for the servicemanager
+# process because it's not installed in microdroid
+get_prop(microdroid_payload, servicemanager_prop)
+
# Allow microdroid_payload to use vsock inherited from microdroid_manager
allow microdroid_payload microdroid_manager:vsock_socket { read write };
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 803e25e..13306dd 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -122,6 +122,9 @@
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+# servicemanager property to avoid waiting for servicemanager process
+servicemanager.installed u:object_r:servicemanager_prop:s0 exact bool
+
init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 18dab10..ae1c70c 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -50,6 +50,7 @@
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
type powerctl_prop, property_type;
+type servicemanager_prop, property_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/private/attributes b/private/attributes
index 13479c9..0da777a 100644
--- a/private/attributes
+++ b/private/attributes
@@ -31,3 +31,7 @@
until_board_api(202504, `
attribute tee_service_type;
')
+
+until_board_api(202504, `
+ hal_attribute(vm_capabilities);
+')
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index c78632b..e9c97e5 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2475,7 +2475,7 @@
(typeattributeset surfaceflinger_tmpfs_202404 (surfaceflinger_tmpfs))
(typeattributeset suspend_prop_202404 (suspend_prop))
(typeattributeset swap_block_device_202404 (swap_block_device))
-(typeattributeset sysfs_202404 (sysfs sysfs_udc))
+(typeattributeset sysfs_202404 (sysfs sysfs_mem_sleep sysfs_udc))
(typeattributeset sysfs_android_usb_202404 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_202404 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_202404 (sysfs_bluetooth_writable))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 0aa0580..91ca88f 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,7 +5,6 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
- advanced_protection_service
app_function_service
binderfs_logs_transaction_history
binderfs_logs_transactions
@@ -16,6 +15,7 @@
forensic_service
fstype_prop
hal_mediaquality_service
+ hal_vm_capabilities_service
intrusion_detection_service
media_quality_service
proc_cgroups
@@ -23,6 +23,7 @@
profcollectd_etr_prop
ranging_service
supervision_service
+ sysfs_cma
sysfs_firmware_acpi_tables
tee_service_contexts_file
trusty_security_vm_sys_vendor_prop
diff --git a/private/domain.te b/private/domain.te
index a8ec298..6aaf5de 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -526,11 +526,12 @@
# still contains global information about the system.
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
-# Allow access to fsverity keyring.
+# Needed for loading kernel modules.
+# TODO(384942085): Reduce the scope.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
+
# For testing purposes, allow access to keys installed with su.
+# TODO(277916185): Remove since this shouldn't be needed anymore.
userdebug_or_eng(`
allow domain su:key search;
')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index a1c9ed3..501d829 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -347,6 +347,7 @@
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
+dump_hal(hal_vm_capabilities)
dump_hal(hal_weaver)
dump_hal(hal_wifi)
@@ -462,6 +463,7 @@
-hal_service_type
-virtual_touchpad_service
-vold_service
+ -fwk_vold_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
@@ -472,6 +474,7 @@
hal_service_type
virtual_touchpad_service
vold_service
+ fwk_vold_service
}:service_manager find;
# Most of these are neverallowed.
diff --git a/private/file.te b/private/file.te
index 6fb9baa..b60ce34 100644
--- a/private/file.te
+++ b/private/file.te
@@ -259,4 +259,8 @@
type tee_service_contexts_file, system_file_type, file_type;
')
+until_board_api(202504, `
+ type sysfs_mem_sleep, fs_type, sysfs_type;
+')
+
## END Types added in 202504 in public/file.te
diff --git a/private/file_contexts b/private/file_contexts
index d6f7113..7e7ae7c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,7 +256,6 @@
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index a3765ec..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
-dontaudit fsverity_init domain:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 62d6c1a..a872a04 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -169,6 +169,9 @@
genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+starting_at_board_api(202504, `
+genfscon sysfs /kernel/mm/cma u:object_r:sysfs_cma:s0
+')
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
genfscon sysfs /kernel/mm/pgsize_migration/enabled u:object_r:sysfs_pgsize_migration:s0
diff --git a/private/hal_vm_capabilities.te b/private/hal_vm_capabilities.te
new file mode 100644
index 0000000..3197784
--- /dev/null
+++ b/private/hal_vm_capabilities.te
@@ -0,0 +1,9 @@
+# Domain for the VM capability HAL, which is used to allow some pVMs to issue
+# vendor-specific SMCs.
+
+binder_call(hal_vm_capabilities_client, hal_vm_capabilities_server)
+
+hal_attribute_service(hal_vm_capabilities, hal_vm_capabilities_service)
+
+binder_use(hal_vm_capabilities_client)
+binder_use(hal_vm_capabilities_server)
diff --git a/private/keystore.te b/private/keystore.te
index 014903e..41c29db 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -39,7 +39,7 @@
# can call keystore methods on those references.
allow keystore vold:binder transfer;
-set_prop(keystore, keystore_crash_prop)
+set_prop(keystore, keystore_diagnostics_prop)
# Allow keystore to monitor the `apexd.status` property.
get_prop(keystore, apexd_prop)
@@ -102,6 +102,6 @@
neverallow * keystore:process ptrace;
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+# Only keystore can set keystore_diagnostics_prop system properties. Since init is allowed to set
+# any system property, an exception is added for init as well.
+neverallow { domain -keystore -init } keystore_diagnostics_prop:property_service set;
diff --git a/private/odsign.te b/private/odsign.te
index f06795c..4af0708 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,9 +51,6 @@
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -65,5 +62,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
+neverallow { domain -odsign -init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init} odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 92e244d..dec43e1 100644
--- a/private/property.te
+++ b/private/property.te
@@ -30,7 +30,7 @@
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(kcmdline_prop)
-system_internal_prop(keystore_crash_prop)
+system_internal_prop(keystore_diagnostics_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
@@ -77,7 +77,7 @@
system_internal_prop(system_service_enable_prop)
system_internal_prop(ctl_artd_pre_reboot_prop)
system_internal_prop(trusty_security_vm_sys_prop)
-
+system_internal_prop(hint_manager_config_prop)
# Properties which can't be written outside system
system_restricted_prop(bionic_linker_16kb_app_compat_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 121d0fa..843a778 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -250,7 +250,8 @@
traced.oome_heap_session.count u:object_r:traced_oome_heap_session_count_prop:s0 exact uint
# servicemanager properties
-servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+servicemanager.installed u:object_r:servicemanager_prop:s0 exact bool
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
@@ -621,6 +622,7 @@
persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
persist.bluetooth.finder.supported u:object_r:bluetooth_finder_prop:s0 exact bool
+persist.bluetooth.sniff_offload.enabled u:object_r:bluetooth_config_prop:s0 exact bool
persist.bluetooth.snooplogfilter.headers.enabled u:object_r:bluetooth_prop:s0 exact bool
persist.bluetooth.snooplogfilter.profiles.a2dp.enabled u:object_r:bluetooth_prop:s0 exact bool
persist.bluetooth.snooplogfilter.profiles.map u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
@@ -1606,8 +1608,11 @@
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-# Property that tracks keystore crash counts during a boot cycle.
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+# Tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_diagnostics_prop:s0 exact int
+
+# Tracks whether Keystore has successfully sent the module info hash to (V4+) KeyMints.
+keystore.module_hash.sent u:object_r:keystore_diagnostics_prop:s0 exact bool
# Configure the means by which we protect the L0 key from the future
ro.keystore.boot_level_key.strategy u:object_r:keystore_config_prop:s0 exact string
@@ -1719,7 +1724,7 @@
persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_prop:s0 exact int
persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_prop:s0 exact int
persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_prop:s0 exact int
-persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.navigation_gesture u:object_r:virtual_fingerprint_prop:s0 exact bool
persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_prop:s0 exact bool
persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_prop:s0 exact bool
persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_prop:s0 exact bool
@@ -1766,6 +1771,13 @@
# Properties for game manager service
persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
+# Properties for the HintManagerService
+persist.hms.use_hal_headrooms u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_tid u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_affinity u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_proc_stat_min_millis u:object_r:hint_manager_config_prop:s0 exact int
+persist.hms.cpu_headroom_tid_max_cnt u:object_r:hint_manager_config_prop:s0 exact int
+
# Properties for ThreadNetworkService
threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index ce648c2..6912eb9 100644
--- a/private/service.te
+++ b/private/service.te
@@ -64,11 +64,16 @@
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
type wifi_mainline_supplicant_service, service_manager_type;
type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
+type advanced_protection_service, app_api_service, system_server_service, service_manager_type;
is_flag_enabled(RELEASE_RANGING_STACK, `
type ranging_service, app_api_service, system_server_service, service_manager_type;
')
+until_board_api(202504, `
+ type hal_vm_capabilities_service, protected_service, hal_service_type, service_manager_type;
+')
+
###
### Neverallow rules
###
diff --git a/private/service_contexts b/private/service_contexts
index e2998c7..c72f9b0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -138,6 +138,8 @@
android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
android.hardware.security.secretkeeper.ISecretkeeper/default u:object_r:hal_secretkeeper_service:s0
android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
+android.hardware.virtualization.capabilities.IVmCapabilitiesService/default u:object_r:hal_vm_capabilities_service:s0
+android.hardware.virtualization.capabilities.IVmCapabilitiesService/noop u:object_r:hal_vm_capabilities_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
@@ -149,9 +151,7 @@
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
adservices_manager u:object_r:adservices_manager_service:s0
-starting_at_board_api(202504, `
- advanced_protection u:object_r:advanced_protection_service:s0
-')
+advanced_protection u:object_r:advanced_protection_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_quit u:object_r:aidl_lazy_test_service:s0
@@ -279,9 +279,6 @@
file_integrity u:object_r:file_integrity_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
-starting_at_board_api(202504, `
- forensic u:object_r:forensic_service:s0
-')
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
diff --git a/private/shell.te b/private/shell.te
index 890d6f4..2033f7e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -444,6 +444,9 @@
# Allow reads (but not writes) of the MGLRU state
allow shell sysfs_lru_gen_enabled:file r_file_perms;
+# Allow reads (but not writes) of mem_sleep to determine suspend mechanism
+allow shell sysfs_mem_sleep:file r_file_perms;
+
# Allow communicating with the VM terminal.
userdebug_or_eng(`
allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
diff --git a/private/su.te b/private/su.te
index 1e2adef..247fd0b 100644
--- a/private/su.te
+++ b/private/su.te
@@ -127,6 +127,7 @@
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
typeattribute su hal_vibrator_client;
+ typeattribute su hal_vm_capabilities_client;
typeattribute su hal_vr_client;
typeattribute su hal_weaver_client;
typeattribute su hal_wifi_client;
diff --git a/private/system_server.te b/private/system_server.te
index 01097f2..20556ab 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -243,6 +243,11 @@
# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file r_file_perms;
+# Read /sys/kernel/mm/cma/*.
+starting_at_board_api(202504, `
+allow system_server sysfs_cma:file r_file_perms;
+')
+
# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
allow system_server sysfs_dmabuf_stats:file r_file_perms;
@@ -1651,6 +1656,16 @@
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
+# Allow system server to write HintManagerService properties
+set_prop(system_server, hint_manager_config_prop)
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -system_server
+ userdebug_or_eng(`-shell')
+} hint_manager_config_prop:property_service set;
+
# ThreadNetworkService reads Thread Network properties
get_prop(system_server, threadnetwork_config_prop)
diff --git a/public/attributes b/public/attributes
index 6e11b86..1556d57 100644
--- a/public/attributes
+++ b/public/attributes
@@ -457,3 +457,8 @@
starting_at_board_api(202504, `
attribute tee_service_type;
')
+
+# HAL service used for custom smc filtering project
+starting_at_board_api(202504, `
+ hal_attribute(vm_capabilities);
+')
diff --git a/public/file.te b/public/file.te
index 94483a3..7a8e3af 100644
--- a/public/file.te
+++ b/public/file.te
@@ -103,6 +103,11 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+
+starting_at_board_api(202504, `
+ type sysfs_cma, fs_type, sysfs_type;
+')
+
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
@@ -124,6 +129,11 @@
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
+
+starting_at_board_api(202504, `
+ type sysfs_mem_sleep, fs_type, sysfs_type;
+')
+
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_sync_on_suspend, fs_type, sysfs_type;
diff --git a/public/service.te b/public/service.te
index 68f4ea0..db79fdf 100644
--- a/public/service.te
+++ b/public/service.te
@@ -66,9 +66,6 @@
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
- type advanced_protection_service, app_api_service, system_server_service, service_manager_type;
-')
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
starting_at_board_api(202504, `
@@ -144,9 +141,6 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
- type forensic_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-')
type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
@@ -375,6 +369,9 @@
type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
+starting_at_board_api(202504, `
+ type hal_vm_capabilities_service, protected_service, hal_service_type, service_manager_type;
+')
# system/sepolicy/public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 26082cb..d8c5c2b 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -29,7 +29,7 @@
import sys
import tempfile
from dataclasses import dataclass
-from typing import List
+from typing import Callable, List
import policy
@@ -61,7 +61,12 @@
pass
-Matcher = Is | Glob | Regex | BinaryFile
+@dataclass
+class MatchPred:
+ pred: Callable[[str], bool]
+
+
+Matcher = Is | Glob | Regex | BinaryFile | MatchPred
# predicate functions for Func matcher
@@ -87,7 +92,13 @@
labels: set[str]
-Rule = AllowPerm | ResolveType | NotAnyOf
+@dataclass
+class HasAttr:
+ """Rule checking if the context has the specified attribute"""
+ attr: str
+
+
+Rule = AllowPerm | ResolveType | NotAnyOf | HasAttr
# Helper for 'read'
@@ -104,8 +115,10 @@
return pathlib.PurePath(path).match(pattern)
case Regex(pattern):
return re.match(pattern, path)
- case BinaryFile:
+ case BinaryFile():
return path.startswith('./bin/') and not path.endswith('/')
+ case MatchPred(pred):
+ return pred(path)
def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
@@ -129,6 +142,9 @@
case NotAnyOf(labels):
if tcontext in labels:
errors.append(f"Error: {path}: can't be labelled as '{tcontext}'")
+ case HasAttr(attr):
+ if tcontext not in pol.QueryTypeAttribute(attr, True):
+ errors.append(f"Error: {path}: tcontext({tcontext}) must be associated with {attr}")
return errors
@@ -139,7 +155,7 @@
generic_rules = [
# binaries should be executable
- (BinaryFile, NotAnyOf({'vendor_file'})),
+ (BinaryFile(), NotAnyOf({'vendor_file'})),
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -159,6 +175,25 @@
all_rules = target_specific_rules + generic_rules
+def base_attr_for(partition):
+ if partition in ['system', 'system_ext', 'product']:
+ return 'system_file_type'
+ elif partition in ['vendor', 'odm']:
+ return 'vendor_file_type'
+ else:
+ sys.exit(f"Error: invalid partition: {partition}\n")
+
+
+def system_vendor_rule(partition):
+ exceptions = [
+ "./etc/linkerconfig.pb"
+ ]
+ def pred(path):
+ return path not in exceptions
+
+ return pred, HasAttr(base_attr_for(partition))
+
+
def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
"""Parses a file_contexts line and runs checks"""
# skip empty/comment line
@@ -197,7 +232,8 @@
"""Do testing"""
parser = argparse.ArgumentParser()
parser.add_argument('--all', action='store_true', help='tests ALL aspects')
- parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
+ parser.add_argument('-f', '--file_contexts', required=True, help='output of "deapexer list -Z"')
+ parser.add_argument('-p', '--partition', help='partition to check Treble violations')
args = parser.parse_args()
lib_path = extract_data(LIBSEPOLWRAP, work_dir)
@@ -209,6 +245,9 @@
else:
rules = generic_rules
+ if args.partition:
+ rules.append(system_vendor_rule(args.partition))
+
errors = []
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
for line in file_contexts:
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 727a023..2a92aee 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -106,7 +106,7 @@
self.assert_ok('./bin/init u:object_r:init_exec:s0')
self.assert_ok('./bin/hw/svc u:object_r:init_exec:s0')
self.assert_error('./bin/hw/svc u:object_r:vendor_file:s0',
- r"Error: .*svc: can\'t be labelled as \'vendor_file\'")
+ r'Error: .*svc: can\'t be labelled as \'vendor_file\'')
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 220fbd2..b0c7a37 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -207,3 +207,4 @@
/(vendor|system/vendor)/lib(64)?/libutils\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libutilscallstack\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libz\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.virtualization\.capabilities\.capabilities_service-noop u:object_r:hal_vm_capabilities_default_exec:s0
diff --git a/vendor/hal_vm_capabilities_default.te b/vendor/hal_vm_capabilities_default.te
new file mode 100644
index 0000000..82aaf41
--- /dev/null
+++ b/vendor/hal_vm_capabilities_default.te
@@ -0,0 +1,10 @@
+type hal_vm_capabilities_default, domain;
+
+starting_at_board_api(202504, `
+ hal_server_domain(hal_vm_capabilities_default, hal_vm_capabilities);
+')
+
+type hal_vm_capabilities_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vm_capabilities_default);
+
+# TODO(b/360102915): add more rules around vm_fd passed to the HAL