Merge "Update core sepolicy with neuralnetwork hal" into rvc-dev
diff --git a/private/file_contexts b/private/file_contexts
index 44f28f2..9bed5fd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -552,6 +552,7 @@
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 1eb2d70..cf44144 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -247,3 +247,10 @@
# by devices with video decoding pipelines long enough to overflow the default
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
+
+# Properties to configure userspace reboot.
+init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
+init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
diff --git a/private/system_server.te b/private/system_server.te
index 2e17e50..344055e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -301,6 +301,7 @@
hal_codec2_server
hal_face_server
hal_fingerprint_server
+ hal_gnss_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/private/zygote.te b/private/zygote.te
index f27005e..5f08f8d 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -187,6 +187,10 @@
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
+# Ignore spurious denials calling access() on fuse
+# TODO(b/151316657): avoid the denials
+dontaudit zygote media_rw_data_file:dir setattr;
+
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
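Review bot: The added `dontaudit zygote media_rw_data_file:dir setattr;` suppresses every setattr denial zygote triggers on these directories, not only the spurious one, and its comment names access() while the suppressed permission is setattr. Because dontaudit removes the AVC record, a real attempt by zygote to change attributes on media storage directories would no longer appear in the audit log. The comment should name the operation that actually produces the denial and state the removal condition, e.g. `# Suppress setattr denials on media_rw_data_file dirs from <operation> on FUSE paths; remove when b/151316657 is fixed.` The enclosing policy continues outside the hunk, so any narrower existing rule for this pair is not visible here.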
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 1ef6cad..f8d6ff5 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -5,6 +5,8 @@
hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_allocator:fd use;
+allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_graphics_allocator:fd use;
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
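Review bot: The two added rules on `hal_neuralnetworks` (the `hal_graphics_mapper_hwservice` lookup and `hal_graphics_allocator:fd use`) have no comment, while the fd rules just below each state which client-provided fd they cover. They are written on the `hal_neuralnetworks` attribute rather than `hal_neuralnetworks_server`, so every domain carrying that attribute receives them. If only the service needs graphics buffers, `hal_neuralnetworks_server` would be the narrower target. A one-line comment such as `# Allow NN HAL to use client-provided graphics buffers.` would record the intent, assuming that is the purpose.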
@@ -13,6 +15,9 @@
# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+# Allow NN HAL service to read a client-provided ION memory fd.
+allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
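Review bot: `r_file_perms` on `ion_device:chr_file` grants more than the comment above it describes. The comment says the service reads a client-provided ION fd, but the macro normally includes `open` (and `ioctl`), which lets the service open the ION device node itself. The neighbouring rules for client-provided fds list `{ read write getattr map }` explicitly and leave `open` out. If the service only ever receives the fd, an explicit permission set without `open` would match them. If it does need to open the device, the comment should say so.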
diff --git a/public/property_contexts b/public/property_contexts
index b48bb62..d4b8395 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -1,5 +1,5 @@
# vendor-init-readable
-persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
+persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact bool
# vendor-init-settable
af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
@@ -228,7 +228,7 @@
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact bool
ro.arch u:object_r:exported2_default_prop:s0 exact string
ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
ro.baseband u:object_r:exported2_default_prop:s0 exact string
@@ -270,8 +270,8 @@
ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
-ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
-ro.crypto.type u:object_r:exported_vold_prop:s0 exact string
+ro.crypto.state u:object_r:exported_vold_prop:s0 exact enum encrypted unencrypted unsupported
+ro.crypto.type u:object_r:exported_vold_prop:s0 exact enum block file none
ro.debuggable u:object_r:exported2_default_prop:s0 exact int
ro.hardware u:object_r:exported2_default_prop:s0 exact string
ro.product.brand u:object_r:exported2_default_prop:s0 exact string
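Review bot: `ro.debuggable` on the context line just below the new enum entries is still `exact int`, although this commit retypes the comparable 0/1 flags `ro.adb.secure` and `persist.radio.airplane_mode_on` to `bool`. If it is also only ever 0 or 1, `ro.debuggable u:object_r:exported2_default_prop:s0 exact bool` would keep the security-relevant flags consistently typed. Separately, the new `enum` lists for `ro.crypto.state` and `ro.crypto.type` reject any value not listed, so a build that writes another string would presumably have the set refused and the property left unset. It is worth confirming that no supported device does so, and adding a comment naming where the allowed values are defined.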
@@ -419,7 +419,7 @@
ro.surface_flinger.max_graphics_height u:object_r:exported3_default_prop:s0 exact int
ro.surface_flinger.max_graphics_width u:object_r:exported3_default_prop:s0 exact int
ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/recovery.te b/public/recovery.te
index 3bac03d..55568d4 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -148,6 +148,9 @@
allow recovery gsi_metadata_file:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
+
+ # Allow mounting /metadata for writing update states
+ allow recovery metadata_file:dir { getattr mounton };
')
###
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4e988a9..3d6fa9f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,13 +4,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.1-service\.example u:object_r:hal_face_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
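Review bot: The version patterns touched by this commit follow three different conventions: a separate literal line for `audiocontrol@2\.0-service`, `1\.[0-9]+` for the face example service, and `1\.[0-1]` for the dumpstate example service in the next hunk. The open-ended `[0-9]+` form labels any future minor-version binary of that name as `hal_face_default_exec` without another policy change, whereas the bounded form limits the match to versions that exist. Picking one convention would make the file easier to audit, and the bounded one is the tighter choice, e.g. `face@1\.[0-1]-service\.example` if 1.0 and 1.1 are the only versions intended.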
@@ -25,7 +26,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0