Merge "Add service wait override property for audioserver clients" into main
diff --git a/Android.bp b/Android.bp
index db1ea27..558810c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -102,6 +102,7 @@
"plat_property_contexts",
"plat_seapp_contexts",
"plat_sepolicy.cil",
+ "plat_sepolicy_genfs_202504.cil",
"plat_service_contexts",
"secilc",
"plat_29.0.cil",
@@ -125,6 +126,9 @@
}) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
true: ["plat_sepolicy_and_mapping.sha256"],
default: [],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["plat_tee_service_contexts"],
+ default: [],
}),
}
@@ -568,6 +572,22 @@
vendor: true,
}
+genrule {
+ name: "genfs_labels_version.txt.gen",
+ out: ["genfs_labels_version.txt"],
+ cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+ any @ value: "echo " + value + " > $(out)",
+ default: "echo > $(out)",
+ }),
+}
+
+prebuilt_etc {
+ name: "genfs_labels_version.txt",
+ src: ":genfs_labels_version.txt.gen",
+ relative_install_path: "selinux",
+ vendor: true,
+}
+
soong_config_module_type {
name: "precompiled_sepolicy_prebuilts_defaults",
module_type: "prebuilt_defaults",
@@ -651,6 +671,10 @@
":system_ext_mapping_file",
":product_mapping_file",
],
+ device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+ "202504": [":plat_sepolicy_genfs_202504.cil"],
+ default: [],
+ }),
// Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
// Useful when some partitions need to be bind mounted across VM boundaries.
visibility: ["//visibility:public"],
@@ -1003,6 +1027,9 @@
default: [
"system_ext_202404.compat.cil",
],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["system_ext_tee_service_contexts"],
+ default: [],
}),
system_ext_specific: true,
}
@@ -1039,6 +1066,9 @@
default: [
"product_202404.cil",
],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["product_tee_service_contexts"],
+ default: [],
}),
product_specific: true,
}
@@ -1058,6 +1088,7 @@
phony {
name: "selinux_policy_vendor",
required: [
+ "genfs_labels_version.txt",
"plat_pub_versioned.cil",
"vendor_sepolicy.cil",
"plat_sepolicy_vers.txt",
@@ -1075,7 +1106,10 @@
"vendor_bug_map",
"vndservice_contexts",
"vndservice_contexts_test",
- ],
+ ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["vendor_tee_service_contexts"],
+ default: [],
+ }),
vendor: true,
}
@@ -1135,6 +1169,7 @@
"plat_property_contexts_test",
"plat_seapp_contexts",
"plat_sepolicy.cil",
+ "plat_sepolicy_genfs_202504.cil",
"plat_service_contexts",
"plat_service_contexts_test",
"searchpolicy",
@@ -1178,6 +1213,9 @@
}) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
true: ["se_freeze_test"],
default: [],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["plat_tee_service_contexts"],
+ default: [],
}),
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 304eb85..0374b62 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -156,6 +156,13 @@
}
filegroup {
+ name: "com.android.nfcservices-file_contexts",
+ srcs: [
+ "com.android.nfcservices-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.os.statsd-file_contexts",
srcs: [
"com.android.os.statsd-file_contexts",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index d02d61e..33c6d3b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
+ ctx.RegisterModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -116,7 +116,7 @@
// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
// current policy.
-func compatTestFactory() android.SingletonModule {
+func compatTestFactory() android.Module {
f := &compatTestModule{}
f.AddProperties(&f.properties)
android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
@@ -127,7 +127,7 @@
}
type compatTestModule struct {
- android.SingletonModuleBase
+ android.ModuleBase
properties struct {
// Default modules for conf
Defaults []string
@@ -180,11 +180,11 @@
}
}
-func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
-}
-
func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if ctx.ModuleName() != "sepolicy_compat_test" || ctx.ModuleDir() != "system/sepolicy/compat" {
+ // two compat test modules don't make sense.
+ ctx.ModuleErrorf("There can only be 1 se_compat_test module named sepolicy_compat_test in system/sepolicy/compat")
+ }
var inputs android.Paths
ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
outputs := android.OutputFilesForModule(ctx, child, "")
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 330e02f..c96dda5 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -91,6 +91,7 @@
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.RegisterModuleType("seapp_contexts", seappFactory)
android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
+ android.RegisterModuleType("tee_service_contexts", teeServiceFactory)
android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
@@ -538,6 +539,12 @@
return m
}
+func teeServiceFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
+
func seappFactory() android.Module {
m := newModule()
m.build = m.buildSeappContexts
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index bfbac97..41d460d 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -25,13 +25,13 @@
func init() {
ctx := android.InitRegistrationContext
- ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
+ ctx.RegisterModuleType("se_freeze_test", freezeTestFactory)
}
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
// be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
-func freezeTestFactory() android.SingletonModule {
+func freezeTestFactory() android.Module {
f := &freezeTestModule{}
android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
@@ -41,7 +41,7 @@
}
type freezeTestModule struct {
- android.SingletonModuleBase
+ android.ModuleBase
freezeTestTimestamp android.ModuleOutPath
}
@@ -82,10 +82,6 @@
ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
}
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
deps := ctx.GetDirectDepsWithTag(depTag)
if len(deps) != 1 {
@@ -104,6 +100,11 @@
}
func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if ctx.ModuleName() != "se_freeze_test" || ctx.ModuleDir() != "system/sepolicy" {
+ // two freeze test modules don't make sense.
+ ctx.ModuleErrorf("There can only be 1 se_freeze_test module named se_freeze_test in system/sepolicy")
+ }
+
f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
if !f.shouldRunTest(ctx) {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index c2a1b27..4f4497b 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -159,19 +159,18 @@
"android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
"android.system.net.netd.INetd/default": []string{"netd_hw_service_fuzzer"},
"android.system.suspend.ISystemSuspend/default": EXCEPTION_NO_FUZZER,
- "accessibility": EXCEPTION_NO_FUZZER,
- "account": EXCEPTION_NO_FUZZER,
- "activity": EXCEPTION_NO_FUZZER,
- "activity_task": EXCEPTION_NO_FUZZER,
- "adaptive_authentication": EXCEPTION_NO_FUZZER,
- "adb": EXCEPTION_NO_FUZZER,
- "adservices_manager": EXCEPTION_NO_FUZZER,
- "advanced_protection": EXCEPTION_NO_FUZZER,
- "aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
- "aidl_lazy_test_2": EXCEPTION_NO_FUZZER,
- "aidl_lazy_test_quit": EXCEPTION_NO_FUZZER,
- "aidl_lazy_cb_test": EXCEPTION_NO_FUZZER,
- "alarm": EXCEPTION_NO_FUZZER,
+ "accessibility": EXCEPTION_NO_FUZZER,
+ "account": EXCEPTION_NO_FUZZER,
+ "activity": EXCEPTION_NO_FUZZER,
+ "activity_task": EXCEPTION_NO_FUZZER,
+ "adb": EXCEPTION_NO_FUZZER,
+ "adservices_manager": EXCEPTION_NO_FUZZER,
+ "advanced_protection": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_2": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_quit": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_cb_test": EXCEPTION_NO_FUZZER,
+ "alarm": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/default": EXCEPTION_NO_FUZZER,
"android.os.UpdateEngineService": []string{"update_engine_service_fuzzer"},
"android.os.UpdateEngineStableService": []string{"update_engine_service_fuzzer"},
@@ -206,6 +205,7 @@
"apexservice": EXCEPTION_NO_FUZZER,
"archive": EXCEPTION_NO_FUZZER,
"attestation_verification": EXCEPTION_NO_FUZZER,
+ "authentication_policy": EXCEPTION_NO_FUZZER,
"blob_store": EXCEPTION_NO_FUZZER,
"gsiservice": EXCEPTION_NO_FUZZER,
"appops": EXCEPTION_NO_FUZZER,
diff --git a/compat/Android.bp b/compat/Android.bp
index f09fb21..28936dd 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -585,3 +585,9 @@
system_ext_specific: true,
version: "202404",
}
+
+prebuilt_etc {
+ name: "plat_sepolicy_genfs_202504.cil",
+ src: "plat_sepolicy_genfs_202504.cil",
+ relative_install_path: "selinux",
+}
diff --git a/compat/plat_sepolicy_genfs_202504.cil b/compat/plat_sepolicy_genfs_202504.cil
new file mode 100644
index 0000000..79cc732
--- /dev/null
+++ b/compat/plat_sepolicy_genfs_202504.cil
@@ -0,0 +1 @@
+(genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 850601f..08a4f64 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -68,6 +68,11 @@
srcs: ["vndservice_contexts"],
}
+se_build_files {
+ name: "tee_service_contexts_files",
+ srcs: ["tee_service_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
defaults: ["contexts_flags_defaults"],
@@ -614,3 +619,34 @@
name: "fuzzer_bindings_test",
srcs: [":plat_service_contexts"],
}
+
+tee_service_contexts {
+ name: "plat_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.plat_private}"],
+}
+
+tee_service_contexts {
+ name: "system_ext_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+tee_service_contexts {
+ name: "product_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+tee_service_contexts {
+ name: "vendor_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":tee_service_contexts_files{.plat_vendor}",
+ ":tee_service_contexts_files{.vendor}",
+ ":tee_service_contexts_files{.reqd_mask}",
+ ],
+ soc_specific: true,
+}
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7400a33..51d27d3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -65,6 +65,7 @@
/vendor_seapp_contexts seapp_contexts_file
/plat_seapp_contexts seapp_contexts_file
/sepolicy sepolicy_file
+/plat_tee_service_contexts tee_service_contexts_file
/plat_service_contexts service_contexts_file
/plat_hwservice_contexts hwservice_contexts_file
/plat_keystore2_key_contexts keystore2_key_contexts_file
@@ -452,6 +453,7 @@
#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_tee_service_contexts tee_service_contexts_file
/system/etc/selinux/plat_service_contexts service_contexts_file
/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
@@ -689,6 +691,8 @@
/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
+/vendor/odm//etc/selinux/odm_tee_service_contexts tee_service_contexts_file
/product system_file
/product/does_not_exist system_file
@@ -717,6 +721,8 @@
/system/product/etc/selinux/product_service_contexts service_contexts_file
/product/etc/selinux/product_mac_permissions.xml mac_perms_file
/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/product/etc/selinux/product_tee_service_contexts tee_service_contexts_file
+/system/product/etc/selinux/product_tee_service_contexts tee_service_contexts_file
/product/lib system_lib_file
/product/lib/does_not_exist system_lib_file
@@ -761,6 +767,8 @@
/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system_ext/etc/selinux/system_ext_tee_service_contexts tee_service_contexts_file
+/system/system_ext/etc/selinux/system_ext_tee_service_contexts tee_service_contexts_file
/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 5466d2a..f68375b 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -23,6 +23,7 @@
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
"RELEASE_AVF_ENABLE_MICROFUCHSIA",
+ "RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST",
"RELEASE_AVF_ENABLE_WIDEVINE_PVM",
"RELEASE_RANGING_STACK",
"RELEASE_READ_FROM_NEW_STORAGE",
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d26154a..77667ff 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,3 +8,7 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Let microdroid_manager kernel-log.
+allow microdroid_app kmsg_device:chr_file w_file_perms;
+allow microdroid_app kmsg_debug_device:chr_file w_file_perms;
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index 5ce168c..2c418a8 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -56456,7 +56456,7 @@
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app_all gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
+neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
# Do not allow isolated_apps access to /cache
neverallow isolated_app_all cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
diff --git a/private/access_vectors b/private/access_vectors
index 9d82ac8..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -807,3 +807,8 @@
{
create
}
+
+class tee_service
+{
+ use
+}
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 1601e61..5ee967d 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,5 +1,5 @@
# aconfigd -- manager for aconfig flags
-type aconfigd, domain, coredomain;
+type aconfigd, domain, coredomain, mlstrustedsubject;
type aconfigd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(aconfigd)
diff --git a/private/attributes b/private/attributes
index 7e25e94..13479c9 100644
--- a/private/attributes
+++ b/private/attributes
@@ -27,3 +27,7 @@
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
attribute update_provider;
expandattribute update_provider false;
+
+until_board_api(202504, `
+ attribute tee_service_type;
+')
diff --git a/private/file.te b/private/file.te
index 60aa5d5..98fbd35 100644
--- a/private/file.te
+++ b/private/file.te
@@ -156,7 +156,7 @@
type sysfs_uprobe, fs_type, sysfs_type;
# Type for aconfig daemon socket
-type aconfigd_socket, file_type, coredomain_socket;
+type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
@@ -244,5 +244,10 @@
# boot otas for 16KB developer option
type vendor_boot_ota_file, vendor_file_type, file_type;
')
+
+until_board_api(202504, `
+ type tee_service_contexts_file, system_file_type, file_type;
+')
+
## END Types added in 202504 in public/file.te
diff --git a/private/file_contexts b/private/file_contexts
index a957f24..20ef9b8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
+/plat_tee_service_contexts u:object_r:tee_service_contexts_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -377,6 +378,7 @@
/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_tee_service_contexts u:object_r:tee_service_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -493,6 +495,7 @@
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_tee_service_contexts u:object_r:tee_service_contexts_file:s0
#############################
# Product files
@@ -509,6 +512,7 @@
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(product|system/product)/etc/selinux/product_tee_service_contexts u:object_r:tee_service_contexts_file:s0
/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
@@ -545,6 +549,7 @@
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/(system_ext|system/system_ext)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts u:object_r:tee_service_contexts_file:s0
#############################
# VendorDlkm files
diff --git a/private/property_contexts b/private/property_contexts
index 3da6d7b..a9116b3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -456,6 +456,10 @@
# to enable spatialization for stereo channel mask
ro.audio.stereo_spatialization_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioPolicyInterfaceImpl to configure whether
+# to disable usecase validator for game mode
+ro.audio.usecase_validator_enabled u:object_r:audio_config_prop:s0 exact bool
+
# Boolean property used in UsbAlsaManager to decide if only one or multiple
# USB devices can be connected to audio system at a certain time
ro.audio.multi_usb_mode u:object_r:audio_config_prop:s0 exact bool
@@ -792,6 +796,7 @@
hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+hypervisor.virtualizationmanager.dump_device_tree u:object_r:hypervisor_virtualizationmanager_prop:s0 exact bool
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
@@ -1025,12 +1030,12 @@
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
ro.fstype.data u:object_r:fstype_prop:s0 exact string
+ro.build.backported_fixes.alias_bitset.long_list u:object_r:build_prop:s0 exact string
ro.build.characteristics u:object_r:build_prop:s0 exact string
ro.build.date u:object_r:build_prop:s0 exact string
ro.build.date.utc u:object_r:build_prop:s0 exact int
ro.build.description u:object_r:build_prop:s0 exact string
ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.critical_issues.fixed_issues.long_list u:object_r:build_prop:s0 exact string
ro.build.flavor u:object_r:build_prop:s0 exact string
ro.build.host u:object_r:build_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string
diff --git a/private/rkp_cert_processor.te b/private/rkp_cert_processor.te
index 578bd4c..e5c9d07 100644
--- a/private/rkp_cert_processor.te
+++ b/private/rkp_cert_processor.te
@@ -6,7 +6,10 @@
net_domain(rkp_cert_processor)
binder_use(rkp_cert_processor)
+binder_call(rkp_cert_processor, system_server)
add_service(rkp_cert_processor, rkp_cert_processor_service)
use_bootstrap_libs(rkp_cert_processor)
+
+allow rkp_cert_processor package_native_service:service_manager find;
diff --git a/private/security_classes b/private/security_classes
index 1d13d9f..0537214 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -172,3 +172,6 @@
class drmservice # userspace
# FLASK
+
+# Permissions for VMs to access SMC services
+class tee_service # userspace
diff --git a/private/service.te b/private/service.te
index 31b3d73..72949f9 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,5 +1,5 @@
-type adaptive_authentication_service, system_api_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
+type authentication_policy_service, system_api_service, system_server_service, service_manager_type;
# These types will be public starting at board api 202504
until_board_api(202504, `
diff --git a/private/service_contexts b/private/service_contexts
index 26ba680..56268b6 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -144,7 +144,6 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
-adaptive_authentication u:object_r:adaptive_authentication_service:s0
adb u:object_r:adb_service:s0
adservices_manager u:object_r:adservices_manager_service:s0
starting_at_board_api(202504, `
@@ -206,6 +205,7 @@
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
auth u:object_r:auth_service:s0
+authentication_policy u:object_r:authentication_policy_service:s0
autofill u:object_r:autofill_service:s0
background_install_control u:object_r:bg_install_control_service:s0
backup u:object_r:backup_service:s0
diff --git a/private/shell.te b/private/shell.te
index 38c5ac8..70f296e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -483,6 +483,9 @@
allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')
+allow shell tee_service_contexts_file:file r_file_perms;
+allow shell test_pkvm_tee_service:tee_service use;
+
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
diff --git a/private/tee_service_contexts b/private/tee_service_contexts
new file mode 100644
index 0000000..89eceae
--- /dev/null
+++ b/private/tee_service_contexts
@@ -0,0 +1,13 @@
+# Tee services contexts.
+#
+# This file defines all tee services available to VMs.
+# This file is read by virtmngr.
+#
+# Format:
+# <tee_service_name> <label>
+#
+# <tee_service_name> must be a string
+
+# Example tee service that can be used for end-to-end integration of
+# custom smcs filtering on devices with pkvm hypervisor.
+test_pkvm_tee_service u:object_r:test_pkvm_tee_service:s0
diff --git a/private/tee_services.te b/private/tee_services.te
new file mode 100644
index 0000000..320f8b7
--- /dev/null
+++ b/private/tee_services.te
@@ -0,0 +1,6 @@
+# Specify tee_services in this file.
+# Please keep the names in the alphabetical order and comment each new entry.
+
+# An example tee_service that can be used to test end-to-end integration of custom
+# smcs filtering feature on a device with pkvm hypervisor.
+type test_pkvm_tee_service, tee_service_type;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 023e3e9..ca72279 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -135,3 +135,10 @@
allow virtualizationmanager tun_device:chr_file rw_file_perms;
allow virtualizationmanager vmnic:fd use;
')
+
+# virtualizationmanager reads tee_service_contexts_file to determine if VM is allowed
+# to access requested tee services
+allow virtualizationmanager tee_service_contexts_file:file r_file_perms;
+# virtualizationmanager uses libselinux to check if VM is allowed to access requested
+# tee services.
+selinux_check_access(virtualizationmanager)
diff --git a/public/attributes b/public/attributes
index 0503450..6e11b86 100644
--- a/public/attributes
+++ b/public/attributes
@@ -452,3 +452,8 @@
# All types of ART properties.
attribute dalvik_config_prop_type;
+
+# All tee services that can be accessed by VMs
+starting_at_board_api(202504, `
+ attribute tee_service_type;
+')
diff --git a/public/file.te b/public/file.te
index 9cc76c0..94483a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -647,6 +647,11 @@
# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+starting_at_board_api(202504, `
+ type sysfs_udc, fs_type, sysfs_type;
+ type tee_service_contexts_file, system_file_type, file_type;
+')
+
# system/sepolicy/public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to system/sepolicy/private/*.te.