Merge "Modify the automotive display service file context"

commit: 347a7d5c3c6f4925b6fdc23c481d16f32a5d36ba [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Thu Jan 19 00:35:18 2023 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Jan 19 00:35:18 2023 +0000
tree: 476787e0059079770c6816f55f47fa04b54c6c68
parent: e7fc603518f7edd07ea3a2e0a4c17681536f86de [diff]
parent: edf54208309f8d73f39a6cdd8fdfe4b981e916c0 [diff]
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f13c23c..f706339 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -116,6 +116,7 @@
 		"android.hardware.security.sharedsecret.ISharedSecret/default":            EXCEPTION_NO_FUZZER,
 		"android.hardware.sensors.ISensors/default":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.soundtrigger3.ISoundTriggerHw/default":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.tetheroffload.IOffload/default":                         EXCEPTION_NO_FUZZER,
 		"android.hardware.thermal.IThermal/default":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.hdmi.cec.IHdmiCec/default":                           EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.hdmi.connection.IHdmiConnection/default":             EXCEPTION_NO_FUZZER,

diff --git a/private/artd.te b/private/artd.te
index c887258..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te

@@ -31,8 +31,10 @@
 
 # Read access to primary dex'es on writable partitions
 # ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
 allow artd mnt_expand_file:dir { getattr search };
-r_dir_file(artd, apk_data_file)
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
 
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
@@ -46,8 +48,8 @@
 
 # Read/write access to all compilation artifacts generated on device for apps'
 # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-allow artd dalvikcache_data_file:dir create_dir_perms;
-allow artd dalvikcache_data_file:file create_file_perms;
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
 
 # Read access to the ART APEX data directory.
 # Needed for reading the boot image generated on device.

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 11bff79..d998d73 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil

@@ -8,6 +8,7 @@
     adaptive_haptics_prop
     apex_ready_prop
     artd
+    bt_device
     credential_service
     device_config_camera_native_prop
     device_config_memory_safety_native_prop
@@ -21,6 +22,7 @@
     hal_cas_service
     hal_remoteaccess_service
     hal_secure_element_service
+    hal_tetheroffload_service
     hal_thermal_service
     hal_usb_gadget_service
     hal_tv_input_service
@@ -48,4 +50,5 @@
     hal_confirmationui_service
     hal_fastboot_service
     hal_can_controller_service
+    zoned_block_device
   ))

diff --git a/private/coredomain.te b/private/coredomain.te
index 55f715d..96ce488 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te

@@ -93,6 +93,8 @@
         coredomain
         -appdomain
         -artd
+        -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -112,6 +114,8 @@
         coredomain
         -appdomain
         -artd
+        -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd

diff --git a/private/dex2oat.te b/private/dex2oat.te
index 2ce2459..ea9ab9c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te

@@ -10,6 +10,8 @@
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
 allow dex2oat vendor_framework_file:file { getattr open read map };
+# Access /vendor/overlay
+r_dir_file(dex2oat, vendor_overlay_file);
 
 allow dex2oat tmpfs:file { read getattr map };
 
@@ -59,6 +61,9 @@
 # Allow dex2oat to use file descriptors passed from privileged programs.
 allow dex2oat { artd installd odrefresh odsign }:fd use;
 
+# Allow dex2oat to read the /proc filesystem for CPU features, etc.
+allow dex2oat proc_filesystems:file r_file_perms;
+
 ##################
 # A/B OTA Dexopt #
 ##################

diff --git a/private/file_contexts b/private/file_contexts
index 9d26b88..7ce80ae 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -79,6 +79,7 @@
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/by-name/zoned_device	u:object_r:zoned_block_device:s0
 /dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
 /dev/block/vd[a-z][0-9]*  u:object_r:vd_device:s0

diff --git a/private/property_contexts b/private/property_contexts
index f208e52..8f0f851 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -592,6 +592,14 @@
 ro.hdmi.cec.source.send_standby_on_sleep                           u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
 ro.hdmi.cec.source.playback_device_action_on_routing_control       u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
 
+# This is the namespace of all system properties used by ART Service.
+# As ART Service is in the updatable ART module, we need the prefix to allow us
+# to add new properties.
+pm.dexopt.                                  u:object_r:exported_pm_prop:s0 prefix
+
+# A set of pm.dexopt properties that we should keep supporting for Treble
+# compatibility. We explicitly list them here to discourage renaming or
+# disregarding them.
 pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt                         u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot                              u:object_r:exported_pm_prop:s0 exact string

diff --git a/private/service_contexts b/private/service_contexts
index a144db1..8de1d42 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -91,6 +91,7 @@
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
 android.hardware.sensors.ISensors/default                            u:object_r:hal_sensors_service:s0
 android.hardware.soundtrigger3.ISoundTriggerHw/default               u:object_r:hal_audio_service:s0
+android.hardware.tetheroffload.IOffload/default                      u:object_r:hal_tetheroffload_service:s0
 android.hardware.thermal.IThermal/default                            u:object_r:hal_thermal_service:s0
 android.hardware.tv.hdmi.cec.IHdmiCec/default                        u:object_r:hal_tv_hdmi_cec_service:s0
 android.hardware.tv.hdmi.connection.IHdmiConnection/default          u:object_r:hal_tv_hdmi_connection_service:s0

diff --git a/public/device.te b/public/device.te
index 1bb386f..ead7fbc 100644
--- a/public/device.te
+++ b/public/device.te

@@ -7,6 +7,7 @@
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
 type block_device, dev_type;
+type bt_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
@@ -94,6 +95,9 @@
 # Documented at https://source.android.com/devices/bootloader/partitions
 type userdata_block_device, dev_type;
 
+# Zoned block device.
+type zoned_block_device, dev_type;
+
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions
 type cache_block_device, dev_type;

diff --git a/public/e2fs.te b/public/e2fs.te
index 20f70d9..8dcf0cc 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te

@@ -8,6 +8,7 @@
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
 allow e2fs dm_device:blk_file rw_file_perms;
+allow e2fs zoned_block_device:blk_file rw_file_perms;
 allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
 };

diff --git a/public/fsck.te b/public/fsck.te
index 4fb3817..1a74ba8 100644
--- a/public/fsck.te
+++ b/public/fsck.te

@@ -17,6 +17,7 @@
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+allow fsck zoned_block_device:blk_file rw_file_perms;
 userdebug_or_eng(`
 allow fsck system_block_device:blk_file rw_file_perms;
 ')

diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index cf51723..c9553dc 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te

@@ -3,6 +3,9 @@
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
 
 hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+hal_attribute_service(hal_tetheroffload, hal_tetheroffload_service)
+
+binder_use(hal_tetheroffload_server)
 
 # allow the client to pass the server already open netlink sockets
 allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };

diff --git a/public/service.te b/public/service.te
index 443a4f7..154ebb9 100644
--- a/public/service.te
+++ b/public/service.te

@@ -314,6 +314,7 @@
 type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
 type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;

diff --git a/public/vold.te b/public/vold.te
index 41f95d3..209bf49 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -227,6 +227,9 @@
 allow vold userdata_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
 
+# Access zoned block device.
+allow vold zoned_block_device:blk_file rw_file_perms;
+
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;

diff --git a/vendor/file_contexts b/vendor/file_contexts
index b21302c..f167e65 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -17,6 +17,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -96,6 +97,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example       u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0

diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 01d60db..efa75a7 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te

@@ -1,5 +1,8 @@
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)
 
+allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
+
 type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
commit	347a7d5c3c6f4925b6fdc23c481d16f32a5d36ba	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Thu Jan 19 00:35:18 2023 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Jan 19 00:35:18 2023 +0000
tree	476787e0059079770c6816f55f47fa04b54c6c68
parent	e7fc603518f7edd07ea3a2e0a4c17681536f86de [diff]
parent	edf54208309f8d73f39a6cdd8fdfe4b981e916c0 [diff]