Merge "Adding more permission for selinux to some attributes and flags"
diff --git a/Android.bp b/Android.bp
index 0ca82a6..8e2a966 100644
--- a/Android.bp
+++ b/Android.bp
@@ -189,6 +189,11 @@
     srcs: ["seapp_contexts"],
 }
 
+se_build_files {
+    name: "vndservice_contexts_files",
+    srcs: ["vndservice_contexts"],
+}
+
 // For vts_treble_sys_prop_test
 filegroup {
     name: "private_property_contexts",
@@ -1103,3 +1108,29 @@
 se_freeze_test {
     name: "sepolicy_freeze_test",
 }
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+    name: "sepolicy_test",
+    srcs: [
+        ":plat_file_contexts",
+        ":vendor_file_contexts",
+        ":system_ext_file_contexts",
+        ":product_file_contexts",
+        ":odm_file_contexts",
+        ":precompiled_sepolicy",
+    ],
+    tools: ["sepolicy_tests"],
+    out: ["sepolicy_test"],
+    cmd: "$(location sepolicy_tests) " +
+        "-f $(location :plat_file_contexts) " +
+        "-f $(location :vendor_file_contexts) " +
+        "-f $(location :system_ext_file_contexts) " +
+        "-f $(location :product_file_contexts) " +
+        "-f $(location :odm_file_contexts) " +
+        "-p $(location :precompiled_sepolicy) && " +
+        "touch $(out)",
+}
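Review bot: The `cmd` passes all five partition file_contexts and `:precompiled_sepolicy` unconditionally, whereas the Android.mk rule this genrule replaces (removed further down in this commit) assembled `all_fc_files` under `ifdef` guards such as `HAS_SYSTEM_EXT_SEPOLICY_DIR` and ran against `$(built_sepolicy)`. If `precompiled_sepolicy` is the same policy blob and the per-partition modules are always defined, that is fine, but the header comment should record the change so nobody re-adds the guards, e.g. `// Unlike the former Android.mk rule, every partition's file_contexts is checked unconditionally.` The `&& touch $(out)` correctly ties the stamp to the checker's exit status, so a failing run does not leave a fresh output behind.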
diff --git a/Android.mk b/Android.mk
index 27123d7..c98de45 100644
--- a/Android.mk
+++ b/Android.mk
@@ -347,9 +347,13 @@
 ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
-    sepolicy_tests \
     sepolicy_compat_test \
 
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += \
     $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
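Review bot: The `LOCAL_ADDITIONAL_DEPENDENCIES` line hard-codes the genrule's intermediate output (module class `ETC`, output name `sepolicy_test`), and nothing ties it to the `sepolicy_test` genrule in Android.bp, so a rename of its `out` or a change in how it is exported to Make would break this silently for a reader even though `make` would fail with a missing prerequisite. A cross-reference comment would help: `# Must match the "sepolicy_test" genrule in Android.bp (out: ["sepolicy_test"]).` The assumption that Soong exports genrules to Make under the `ETC` class should be confirmed. The `ifneq` guards enclosing this block start above the hunk, so the test remains gated on `with_asan` and `SELINUX_IGNORE_NEVERALLOWS` as before.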
@@ -505,6 +509,7 @@
     vendor_hwservice_contexts_test \
     vendor_bug_map \
     vndservice_contexts \
+    vndservice_contexts_test \
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
 LOCAL_REQUIRED_MODULES += \
@@ -664,50 +669,8 @@
 file_contexts.modules.tmp :=
 
 ##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
-$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
-$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
-
-vnd_svcfiles :=
-vndservice_contexts.tmp :=
-
-##################################
 include $(LOCAL_PATH)/mac_permissions.mk
 
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -721,13 +684,6 @@
 endif
 all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
 
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
-	$(hide) touch $@
-
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
diff --git a/METADATA b/METADATA
index cdcfa70..5a356a4 100644
--- a/METADATA
+++ b/METADATA
@@ -1,6 +1,4 @@
 third_party {
-  # would be UNENCUMBERED save for
-  #  tests/combine_maps.py
-  #  build/soong/
+  license_note: "would be UNENCUMBERED save for: tests/combine_maps.py and build/soong/"
   license_type: NOTICE
 }
diff --git a/apex/Android.bp b/apex/Android.bp
index 166c2d3..b85b1f5 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -251,6 +251,13 @@
 }
 
 filegroup {
+  name: "com.android.adservices-file_contexts",
+  srcs: [
+    "com.android.adservices-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.car.framework-file_contexts",
   srcs: [
     "com.android.car.framework-file_contexts",
diff --git a/apex/com.android.adservices-file_contexts b/apex/com.android.adservices-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.adservices-file_contexts
@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 8894931..463a978 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -93,11 +93,13 @@
 	android.RegisterModuleType("service_contexts", serviceFactory)
 	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
 	android.RegisterModuleType("seapp_contexts", seappFactory)
+	android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
 
 	android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
 	android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
 	android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
 	android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
+	android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
 }
 
 func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -495,6 +497,18 @@
 	return m
 }
 
+func vndServiceFactory() android.Module {
+	m := newModule()
+	m.build = m.buildGeneralContexts
+	android.AddLoadHook(m, func(ctx android.LoadHookContext) {
+		if !ctx.SocSpecific() {
+			ctx.ModuleErrorf(m.Name(), "must set vendor: true")
+			return
+		}
+	})
+	return m
+}
+
 var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
 
 // Implements android.OutputFileProducer
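Review bot: In `vndServiceFactory`, `ctx.ModuleErrorf(m.Name(), "must set vendor: true")` passes the module name as the format string, so the intended message is emitted only as a stray `%!(EXTRA string=...)` argument and the error body reads as the module name; ModuleErrorf already attributes the error to the module in its output. The check is on `SocSpecific()` and contexts/Android.bp sets `soc_specific: true`, so the text should name that property: `ctx.ModuleErrorf("must set soc_specific: true")`. The `return` after the call is redundant in a single-branch hook but harmless.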
@@ -565,6 +579,14 @@
 	return m
 }
 
+// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
+func vndServiceContextsTestFactory() android.Module {
+	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+	m.AddProperties(&m.properties)
+	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+	return m
+}
+
 func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	tool := m.tool
 	if tool != "checkfc" && tool != "property_info_checker" {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 3062a61..2a5a058 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -67,28 +67,55 @@
         ":file_contexts_files{.vendor}",
     ],
     soc_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "vendor_file_contexts.recovery",
+    srcs: [
+        ":file_contexts_files{.plat_vendor_for_vendor}",
+        ":file_contexts_files{.vendor}",
+    ],
+    stem: "vendor_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "system_ext_file_contexts",
     srcs: [":file_contexts_files{.system_ext_private}"],
     system_ext_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "system_ext_file_contexts.recovery",
+    srcs: [":file_contexts_files{.system_ext_private}"],
+    stem: "system_ext_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "product_file_contexts",
     srcs: [":file_contexts_files{.product_private}"],
     product_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "product_file_contexts.recovery",
+    srcs: [":file_contexts_files{.product_private}"],
+    stem: "product_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "odm_file_contexts",
     srcs: [":file_contexts_files{.odm}"],
     device_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "odm_file_contexts.recovery",
+    srcs: [":file_contexts_files{.odm}"],
+    stem: "odm_file_contexts",
+    recovery: true,
 }
 
 hwservice_contexts {
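Review bot: Each partition's `srcs` list is now duplicated verbatim between the installed module and its `.recovery` twin (vendor, system_ext, product, odm), so a source added to one can silently drift from the other. A short comment on the first pair would make the invariant explicit, e.g. `// Keep srcs in sync with vendor_file_contexts.recovery below.`, and if the `file_contexts` module type accepts a shared filegroup or defaults, that would remove the repetition entirely. The `stem` property keeps the unsuffixed installed name, which is what the removed `recovery_available` provided; whether `plat_file_contexts` received the same treatment is above this hunk.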
@@ -287,6 +314,16 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+vndservice_contexts {
+    name: "vndservice_contexts",
+    srcs: [
+        ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+        ":vndservice_contexts_files{.vendor}",
+        ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+}
+
 // for CTS
 genrule {
     name: "plat_seapp_neverallows",
@@ -432,3 +469,9 @@
     srcs: [":vendor_service_contexts"],
     sepolicy: ":precompiled_sepolicy",
 }
+
+vndservice_contexts_test {
+    name: "vndservice_contexts_test",
+    srcs: [":vndservice_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index c9fc32c..49bc5b3 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -7,13 +7,8 @@
 
 # Allow using various binder services
 binder_use(compos);
-allow compos {
-    authfs_binder_service
-    dice_node_service
-}:service_manager find;
+allow compos authfs_binder_service:service_manager find;
 binder_call(compos, authfs_service);
-binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain derive };
 
 # Read artifacts created by odrefresh and create signature files.
 allow compos authfs_fuse:dir rw_dir_perms;
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index a636e9c..61dfa0b 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -57,6 +57,7 @@
   -init
   -kernel
   -logd
+  -no_crash_dump_domain
   -ueventd
   -vendor_init
 }:process { ptrace signal sigchld sigstop sigkill };
@@ -67,3 +68,5 @@
     logd
   }:process { ptrace signal sigchld sigstop sigkill };
 ')
+
+neverallow crash_dump no_crash_dump_domain:process ptrace;
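Review bot: The new `neverallow crash_dump no_crash_dump_domain:process ptrace;` carries no comment, unlike the surrounding rules, and it asserts only `ptrace` while the exclusion added in the previous hunk removes `no_crash_dump_domain` from the full `{ ptrace signal sigchld sigstop sigkill }` grant (that rule's head is outside the hunk). If ptrace is the one guarantee the attribute is meant to provide, say so: `# Members of no_crash_dump_domain must never be ptraceable by crash_dump.`; otherwise consider widening the neverallow to the same permission set so the assertion matches the exclusion. The attribute declaration itself is not in this diff and is assumed to exist elsewhere.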
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index d8b4392..be11b69 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -30,3 +30,8 @@
 # (unless specified otherwise). Without allowing the use, the execution will
 # fail immediately. See b/210909688.
 allow odrefresh compos:fd use;
+
+# Silently ignore the access to properties. Unlike on Android, parameters
+# should be passed from command line to avoid global state.
+dontaudit odrefresh property_socket:sock_file write;
+dontaudit odrefresh dalvik_config_prop:file read;
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index ec5c57e..ea9fb1e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -152,6 +152,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
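Review bot: This rule is added to the frozen `prebuilts/api/29.0` snapshot, and the 30.0 and 31.0 hunks below are identical, while `private/adbd.te` is not touched in this commit; presumably the live policy already has it and this back-fills the prebuilts, but that should be confirmed since prebuilts are meant to mirror the policy rather than lead it. The grant lets adbd read `proc_net_tcp_udp`, i.e. the socket tables of every process, which is broader than most of adbd's neighbouring rules; naming the test in the comment would let the grant be retired with it, e.g. `# For the CTS listening-ports test (reads /proc/net/{tcp,udp}); remove if that test moves off adbd.`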
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index be4f0f7..e81aac7 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -158,6 +158,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/31.0/private/adbd.te b/prebuilts/api/31.0/private/adbd.te
index c2c6164..4273995 100644
--- a/prebuilts/api/31.0/private/adbd.te
+++ b/prebuilts/api/31.0/private/adbd.te
@@ -169,6 +169,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/private/apexd.te b/private/apexd.te
index 69645a1..040651d 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -16,6 +16,10 @@
 # Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
 allow apexd sepolicy_metadata_file:dir create_dir_perms;
 allow apexd sepolicy_metadata_file:file create_file_perms;
+# Allow apexd to setup fs-verity for SEPolicy files in metadata
+allowxperm apexd sepolicy_metadata_file:file ioctl  {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
 
 # Allow reserving space on /data/apex/ota_reserved for apex decompression
 allow apexd apex_ota_reserved_file:dir create_dir_perms;
diff --git a/private/app.te b/private/app.te
index 856f483..e152591 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,7 @@
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)
 
 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
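Review bot: `get_prop(appdomain, persist_wm_debug_prop)` lets every app domain, including untrusted apps, read `persist.wm.debug.*`, whereas the setter side (platform_app.te, shell.te in this commit) is limited to userdebug/eng builds. The neighbouring `get_prop` lines are uncommented too, but since this is a debug knob it would help to state which app-side component consumes it and why system_server's read (added in system_server.te) is not sufficient, e.g. `# persist.wm.debug.*: presumably window-manager debug flags read by app-side code; see platform_app.te`. If only specific app domains need it, granting a narrower domain than `appdomain` would keep the exposure smaller.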
diff --git a/private/atrace.te b/private/atrace.te
index 2ab8c69..ca0e527 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -12,10 +12,10 @@
 allow atrace debugfs_tracing:file rw_file_perms;
 allow atrace debugfs_trace_marker:file getattr;
 
-# Allow atrace to write data when a pipe is used for stdout/stderr
-# This is used by Perfetto to capture the output on error in atrace.
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
 allow atrace traced_probes:fd use;
-allow atrace traced_probes:fifo_file write;
+allow atrace traced_probes:fifo_file { getattr write };
 
 # atrace sets debug.atrace.* properties
 set_prop(atrace, debug_prop)
diff --git a/private/bug_map b/private/bug_map
index cb27f53..5b042ae 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -33,4 +33,3 @@
 vold system_data_file file b/124108085
 zygote untrusted_app_25 process b/77925912
 zygote labeledfs filesystem b/170748799
-hal_wifi_default vendor_default_prop property_service b/220258444
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ee7d51e..369b816 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -50,6 +50,7 @@
     locale_service
     mdns_service
     nearby_service
+    persist_wm_debug_prop
     proc_watermark_boost_factor
     proc_watermark_scale_factor
     remotelyprovisionedkeypool_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 426cb28..25d3309 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -59,7 +59,6 @@
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
 allow crosvm adbd:fd use;
 allow crosvm adbd:unix_stream_socket { read write };
-allow crosvm appdomain:fifo_file { read write };
 
 # The console log can also be written to /data/local/tmp. This is not safe as the log then can be
 # visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
diff --git a/private/domain.te b/private/domain.te
index 988bd56..ef9d036 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -245,6 +245,7 @@
   -installd
   -iorap_inode2filename
   -priv_app
+  -shell
   -virtualizationservice
   -crosvm
 } staging_data_file:file *;
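Review bot: `-shell` is added to the exclusion list of a `staging_data_file:file *` rule whose head is above the hunk (presumably a neverallow), which exempts shell from the whole permission set even though shell.te grants only `r_file_perms`. The list already annotates some entries (`-tombstoned # linker to tombstoned` in the next hunk), so the same style here would document the reason: `-shell # read-only access to updated APEXes, see shell.te`. If the rule is a neverallow, exempting shell only from a read-only subset rather than `*` would be tighter, but that depends on how the rule is split, which is outside this hunk.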
@@ -499,6 +500,7 @@
     -init
     -tombstoned # linker to tombstoned
     userdebug_or_eng(`-heapprofd')
+    userdebug_or_eng(`-traced')
     userdebug_or_eng(`-traced_perf')
   });
 ')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4fad585..ed3e996 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -6,6 +6,10 @@
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
 
+# Create tmpfs files for using memfd descriptors to get output from child
+# processes.
+tmpfs_domain(dumpstate)
+
 # Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
 allow dumpstate system_file:file lock;
 
diff --git a/private/odsign.te b/private/odsign.te
index 381cf17..86a0a6b 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -44,10 +44,6 @@
 allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
-# For CompOS instance & key files
-allow odsign apex_compos_data_file:dir { getattr search };
-allow odsign apex_compos_data_file:file r_file_perms;
-
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
 
diff --git a/private/platform_app.te b/private/platform_app.te
index 20c9820..b723633 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -40,6 +40,10 @@
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
 get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+  set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
 
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
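Review bot: The neverallow on `persist_wm_debug_prop:property_service set` exempts `dumpstate` on all builds, yet no matching `set_prop(dumpstate, persist_wm_debug_prop)` appears in this commit and the intent is undocumented; on user builds this widens what may be allowed beyond `init`. If dumpstate genuinely needs to set the property, a one-line justification such as `# dumpstate is exempt because <REASON-TO-FILL-IN>` would settle the question, otherwise drop `-dumpstate`. Placing the neverallow next to the userdebug-only `set_prop` is defensible, though a property-wide assertion may be easier to find next to the other `persist_*` rules in property.te or domain.te.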
diff --git a/private/property_contexts b/private/property_contexts
index dcaa432..c732b73 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -102,6 +102,7 @@
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0
 wrap.                   u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug.       u:object_r:persist_wm_debug_prop:s0
 
 # Suspend service properties
 suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
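Review bot: `persist.wm.debug.` is appended after `wrap.`, which appears to break the alphabetical order of the surrounding block (`sys.lmk.`, `sys.trace.`, `wrap.`), and unlike `wrap.` it carries no `prefix`/type qualifier, so property_info_checker has nothing to validate for names under it. Moving it before `sys.lmk.` and adding a qualifier, e.g. `persist.wm.debug.       u:object_r:persist_wm_debug_prop:s0 prefix string` if these are free-form strings, would match the neighbouring style; the right value type depends on what the window-manager code actually sets, which is not visible here.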
@@ -339,6 +340,9 @@
 ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
 ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# spatializer functionality should be initialized
+ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
 
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
@@ -588,6 +592,7 @@
 ro.lmk.medium                   u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.psi_partial_stall_ms     u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.psi_complete_stall_ms    u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.stall_limit_critical     u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.swap_util_max            u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.thrashing_limit          u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/shell.te b/private/shell.te
index 63746f6..ae5ff55 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -130,6 +130,10 @@
 allow shell vendor_apex_file:file r_file_perms;
 allow shell vendor_apex_file:dir r_dir_perms;
 
+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
@@ -223,3 +227,6 @@
 # Let the shell user call virtualizationservice (and
 # virtualizationservice call back to shell) for debugging.
 virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
diff --git a/private/system_server.te b/private/system_server.te
index 682be60..275bb6f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -799,6 +799,9 @@
 # Read hypervisor capabilities ro.boot.hypervisor.*
 get_prop(system_server, hypervisor_prop)
 
+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 18f481b..871403a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -157,6 +157,7 @@
 dump_hal(hal_fingerprint)
 dump_hal(hal_gnss)
 dump_hal(hal_contexthub)
+dump_hal(hal_drm)
 
 # Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 7327256..3dbc1d8 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -31,6 +31,10 @@
 # allow self to set SCHED_FIFO
 allow hal_graphics_composer self:global_capability_class_set sys_nice;
 
+# allow surfaceflinger to use a pipe for dumpsys output
+allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
+
+
 binder_call(hal_graphics_composer_client, servicemanager)
 binder_call(hal_graphics_composer_server, servicemanager)
 
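Review bot: Two consecutive blank lines are left after the new rule (the second is redundant), and the comment reads `allow surfaceflinger to use a pipe` while the rule grants the composer server `write` on the client's `fifo_file`, so it is clearer stated from the rule's side: `# allow the composer HAL to write dumpsys output into a pipe supplied by its client (typically surfaceflinger)`. Whether surfaceflinger is the only `hal_graphics_composer_client` is not visible here, so the grant applies to every client domain.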
diff --git a/public/property.te b/public/property.te
index 7957f8c..46d6776 100644
--- a/public/property.te
+++ b/public/property.te
@@ -74,6 +74,7 @@
 system_restricted_prop(libc_debug_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(persist_wm_debug_prop)
 system_restricted_prop(power_debug_prop)
 system_restricted_prop(property_service_version_prop)
 system_restricted_prop(provisioned_prop)
diff --git a/public/te_macros b/public/te_macros
index 5c3438f..06d292c 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -191,6 +191,8 @@
 # Let the client pass file descriptors to virtualizationservice and on
 # to crosvm
 allow { virtualizationservice crosvm } $1:fd use;
+# Allow piping console log to the client
+allow { virtualizationservice crosvm } $1:fifo_file write;
 # Allow client to read/write vsock created by virtualizationservice to
 # communicate with the VM that it created. Notice that we do not grant
 # permission to create a vsock; the client can only connect to VMs
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4faa05a..d0c474c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -43,6 +43,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service     u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example       u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index d1d4559..176d611 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -15,6 +15,9 @@
 binder_call(hal_evs_default, automotive_display_service_server)
 allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
 
+# allow to access data from surfaceflinger
+allow hal_evs_default surfaceflinger:fd use;
+
 # allow to access EGL
 allow hal_evs_default gpu_device:chr_file rw_file_perms;
 allow hal_evs_default gpu_device:dir search;