Merge "Add clatd to apex/com.android.tethering-file_contexts"
diff --git a/Android.bp b/Android.bp
index 6aeb27b..df1e264 100644
--- a/Android.bp
+++ b/Android.bp
@@ -347,6 +347,21 @@
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
+
+se_policy_conf {
+ name: "apex_sepolicy-33.conf",
+ srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-33.cil",
+ src: ":apex_sepolicy-33.conf",
+ filter_out: [":plat_sepolicy.cil"],
+ installable: false,
+ stem: "apex_sepolicy.cil",
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
@@ -664,6 +679,9 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// AND
+// - apex_sepolicy.sha256 equals
+// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -681,6 +699,20 @@
}
genrule {
+ name: "apex_sepolicy.sha256_gen",
+ srcs: [":apex_sepolicy-33.cil"],
+ out: ["apex_sepolicy.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "apex_sepolicy.sha256",
+ filename: "apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ installable: false,
+}
+
+genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -749,6 +781,18 @@
}
//////////////////////////////////
+// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
+// was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy_prebuilts"],
+ name: "precompiled_sepolicy.apex_sepolicy.sha256",
+ filename: "precompiled_sepolicy.apex_sepolicy.sha256",
+ src: ":apex_sepolicy.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
@@ -785,6 +829,7 @@
name: "precompiled_sepolicy",
srcs: [
":plat_sepolicy.cil",
+ ":apex_sepolicy-33.cil",
":plat_pub_versioned.cil",
":system_ext_sepolicy.cil",
":product_sepolicy.cil",
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
new file mode 100644
index 0000000..f3387ac
--- /dev/null
+++ b/com.android.sepolicy/33/Android.bp
@@ -0,0 +1,56 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule {
+ name: "apex_file_contexts-33.gen",
+ defaults: ["sepolicy_file_contexts_gen_default"],
+ srcs: ["file_contexts"],
+ out: ["apex_file_contexts-33"],
+}
+
+prebuilt_etc {
+ name: "apex_file_contexts-33",
+ filename: "apex_file_contexts",
+ src: ":apex_file_contexts-33.gen",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_property_contexts-33",
+ filename: "apex_property_contexts",
+ src: "property_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_service_contexts-33",
+ filename: "apex_service_contexts",
+ src: "service_contexts",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "apex_seapp_contexts-33",
+ filename: "apex_seapp_contexts",
+ src: "seapp_contexts",
+ installable: false,
+}
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
new file mode 100644
index 0000000..14f99f9
--- /dev/null
+++ b/com.android.sepolicy/33/file_contexts
@@ -0,0 +1 @@
+/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/property_contexts
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/seapp_contexts
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/com.android.sepolicy/33/service_contexts
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
new file mode 100644
index 0000000..757328e
--- /dev/null
+++ b/com.android.sepolicy/33/shell.te
@@ -0,0 +1,2 @@
+allow shell sepolicy_test_file:file r_file_perms;
+
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
new file mode 100644
index 0000000..1e042f3
--- /dev/null
+++ b/com.android.sepolicy/Android.bp
@@ -0,0 +1,28 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+genrule_defaults {
+ name: "sepolicy_file_contexts_gen_default",
+ tools: ["fc_sort"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
index 7bd39e4..23e881d 100644
--- a/microdroid/system/private/authfs.te
+++ b/microdroid/system/private/authfs.te
@@ -17,5 +17,9 @@
allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
allow authfs authfs_data_file:dir { mounton search };
+# Allow authfs to access extra APK mount.
+allow authfs extra_apk_file:file r_file_perms;
+allow authfs extra_apk_file:dir search;
+
# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
allow authfs authfs_service:fd use;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index cddf39b..43f8136 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -44,6 +44,7 @@
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
+ resources_manager_service
selection_toolbar_service
snapuserd_proxy_socket
supplemental_process_service
diff --git a/private/domain.te b/private/domain.te
index d12cbc7..ae5b0d7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -569,6 +569,9 @@
}:file no_rw_file_perms;
')
+# Restrict write access to etm sysfs interface.
+neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
+
# Restrict write access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
diff --git a/private/property_contexts b/private/property_contexts
index 3650a44..5a9f0e8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -296,9 +296,11 @@
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
diff --git a/private/service_contexts b/private/service_contexts
index 4bb1a5b..bee400f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -266,6 +266,7 @@
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
resolver u:object_r:resolver_service:s0
+resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
diff --git a/private/snapuserd.te b/private/snapuserd.te
index e3b43a1..2e2c473 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,6 +8,8 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
+allow snapuserd self:capability ipc_lock;
+
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
diff --git a/public/service.te b/public/service.te
index e519297..0e9488c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -185,6 +185,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
type rollback_service, app_api_service, system_server_service, service_manager_type;
@@ -237,7 +238,7 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type virtual_device_service, system_api_service, system_server_service, service_manager_type;
+type virtual_device_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;