Merge "Additional sepolicy rules for dex2oat"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f13c23c..f706339 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -116,6 +116,7 @@
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
diff --git a/private/artd.te b/private/artd.te
index c887258..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -31,8 +31,10 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
-r_dir_file(artd, apk_data_file)
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
@@ -46,8 +48,8 @@
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-allow artd dalvikcache_data_file:dir create_dir_perms;
-allow artd dalvikcache_data_file:file create_file_perms;
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 11bff79..6464848 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -21,6 +21,7 @@
hal_cas_service
hal_remoteaccess_service
hal_secure_element_service
+ hal_tetheroffload_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
diff --git a/private/crosvm.te b/private/crosvm.te
index c682bb5..aae8323 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -16,7 +16,7 @@
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
@@ -74,6 +74,11 @@
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/property_contexts b/private/property_contexts
index f208e52..8f0f851 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -592,6 +592,14 @@
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
+# This is the namespace of all system properties used by ART Service.
+# As ART Service is in the updatable ART module, we need the prefix to allow us
+# to add new properties.
+pm.dexopt. u:object_r:exported_pm_prop:s0 prefix
+
+# A set of pm.dexopt properties that we should keep supporting for Treble
+# compatibility. We explicitly list them here to discourage renaming or
+# disregarding them.
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 21f9b0c..2d25540 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -12,6 +12,7 @@
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+get_prop(rkpdapp, remote_prov_prop)
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index a144db1..8de1d42 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -91,6 +91,7 @@
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index cf51723..c9553dc 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -3,6 +3,9 @@
binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+hal_attribute_service(hal_tetheroffload, hal_tetheroffload_service)
+
+binder_use(hal_tetheroffload_server)
# allow the client to pass the server already open netlink sockets
allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/service.te b/public/service.te
index 443a4f7..154ebb9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -314,6 +314,7 @@
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b21302c..53c0b96 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -96,6 +96,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0