Merge "load selinux mapping ignore file in BOARD_PLAT_PRIVATE_SEPOLICY_DIR"
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
index f6b21da..b718121 100644
--- a/apex/com.android.media.swcodec-file_contexts
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
diff --git a/private/cameraserver.te b/private/cameraserver.te
index ef44bfa..2be3c9e 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,4 +1,6 @@
typeattribute cameraserver coredomain;
+typeattribute cameraserver camera_service_server;
+
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cc3502b..18604bc 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1538,6 +1538,7 @@
(typeattributeset swap_block_device_28_0 (swap_block_device))
(typeattributeset sysfs_28_0
( sysfs
+ sysfs_devices_block
sysfs_extcon
sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index f7f3a54..fd42fff 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,7 @@
flags_health_check
flags_health_check_exec
fwk_bufferhub_hwservice
+ fwk_camera_hwservice
fwk_stats_hwservice
gpuservice
gsi_data_file
diff --git a/private/domain.te b/private/domain.te
index bc05875..3b340c5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -19,6 +19,10 @@
-keystore
-llkd
-logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
-ueventd
-vendor_init
-vold
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8700dc0..9eeb43a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -111,6 +111,7 @@
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7f8d8d6..1339673 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -10,8 +10,14 @@
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# shared memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 859293d..f3745a3 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,4 +1,5 @@
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
+android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 14e54be..c0836ec 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -62,3 +62,7 @@
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
+
+# Allow postinstall_dexopt to access the runtime feature flag properties.
+get_prop(postinstall_dexopt, device_config_runtime_native_prop)
+get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/public/attributes b/public/attributes
index 8f52637..4cae0ff 100644
--- a/public/attributes
+++ b/public/attributes
@@ -307,3 +307,4 @@
attribute wifi_keystore_service_server;
attribute mediaswcodec_server;
attribute system_suspend_server;
+attribute camera_service_server;
diff --git a/public/camera_service_server.te b/public/camera_service_server.te
new file mode 100644
index 0000000..352e1b7
--- /dev/null
+++ b/public/camera_service_server.te
@@ -0,0 +1 @@
+add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3e18b5d..0bd6f83 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -92,6 +92,7 @@
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
+ sysfs_devices_block
sysfs_dm
sysfs_loop
sysfs_usb
@@ -102,6 +103,8 @@
allow dumpstate debugfs:file r_file_perms;
auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs_mmc:file r_file_perms;
+
# df for
allow dumpstate {
block_device
diff --git a/public/file.te b/public/file.te
index bdcaae7..514f23d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -73,6 +73,7 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e1739c2..dc46d07 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -35,4 +35,7 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
+
r_dir_file(gatekeeperd, cgroup)
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 710051e..bf2e38b 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -2,4 +2,4 @@
hwbinder_use(hal_evs_server)
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 80bd3dc..7425878 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,5 +1,6 @@
type default_android_hwservice, hwservice_manager_type;
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/property_contexts b/public/property_contexts
index bea017a..701b98d 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -344,6 +344,7 @@
wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
wifi.interface u:object_r:exported_default_prop:s0 exact string
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
diff --git a/public/te_macros b/public/te_macros
index b9a6c05..cd4bf61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -661,14 +661,8 @@
allow heapprofd $1:file r_file_perms;
allow heapprofd $1:dir r_dir_perms;
- # On debug builds, central daemon can handle profiling of all processes
- # directly.
- userdebug_or_eng(`
- # Allow connecting to the daemon.
- unix_socket_connect($1, heapprofd, heapprofd)
- # Allow daemon to use the passed fds.
- allow heapprofd $1:fd use;
- ')
+ # Profilability on user implies profilability on userdebug and eng.
+ can_profile_heap_userdebug_or_eng($1)
')
###################################
@@ -686,6 +680,11 @@
unix_socket_connect($1, heapprofd, heapprofd)
# Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
index 77f0fc6..f39b679 100755
--- a/tools/build_policies.sh
+++ b/tools/build_policies.sh
@@ -54,7 +54,7 @@
# This heuristic could probably be improved.
cores=$(nproc --all)
num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
-parallel_jobs=$(expr $cores / 2)
+parallel_jobs=$(expr $cores / 4)
if [[ $num_targets -lt $parallel_jobs ]]; then
export mmma_jobs=$(expr $cores / $num_targets \* 2)
else