Merge "sepolicy: dontaudit dumpstate to talk with virtualizationservice" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 37400dd..66f8ef3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -253,6 +253,13 @@
}
filegroup {
+ name: "com.android.bt-file_contexts",
+ srcs: [
+ "com.android.bt-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.car.framework-file_contexts",
srcs: [
"com.android.car.framework-file_contexts",
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bt-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bt-file_contexts
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 75f9c10..bb0f909 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -12,3 +12,4 @@
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
/bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
')
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 35f4e09..257cee6 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -197,101 +197,102 @@
"android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
"android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
- "ambient_context": EXCEPTION_NO_FUZZER,
- "app_binding": EXCEPTION_NO_FUZZER,
- "app_function": EXCEPTION_NO_FUZZER,
- "app_hibernation": EXCEPTION_NO_FUZZER,
- "app_integrity": EXCEPTION_NO_FUZZER,
- "app_prediction": EXCEPTION_NO_FUZZER,
- "app_search": EXCEPTION_NO_FUZZER,
- "apexservice": EXCEPTION_NO_FUZZER,
- "archive": EXCEPTION_NO_FUZZER,
- "attestation_verification": EXCEPTION_NO_FUZZER,
- "authentication_policy": EXCEPTION_NO_FUZZER,
- "blob_store": EXCEPTION_NO_FUZZER,
- "gsiservice": EXCEPTION_NO_FUZZER,
- "appops": EXCEPTION_NO_FUZZER,
- "appwidget": EXCEPTION_NO_FUZZER,
- "artd": []string{"artd_fuzzer"},
- "artd_pre_reboot": []string{"artd_fuzzer"},
- "assetatlas": EXCEPTION_NO_FUZZER,
- "attention": EXCEPTION_NO_FUZZER,
- "audio": EXCEPTION_NO_FUZZER,
- "auth": EXCEPTION_NO_FUZZER,
- "autofill": EXCEPTION_NO_FUZZER,
- "background_install_control": EXCEPTION_NO_FUZZER,
- "backup": EXCEPTION_NO_FUZZER,
- "batteryproperties": EXCEPTION_NO_FUZZER,
- "batterystats": EXCEPTION_NO_FUZZER,
- "battery": EXCEPTION_NO_FUZZER,
- "binder_calls_stats": EXCEPTION_NO_FUZZER,
- "biometric": EXCEPTION_NO_FUZZER,
- "bluetooth_manager": EXCEPTION_NO_FUZZER,
- "bluetooth": EXCEPTION_NO_FUZZER,
- "broadcastradio": EXCEPTION_NO_FUZZER,
- "bugreport": EXCEPTION_NO_FUZZER,
- "cacheinfo": EXCEPTION_NO_FUZZER,
- "carrier_config": EXCEPTION_NO_FUZZER,
- "clipboard": EXCEPTION_NO_FUZZER,
- "cloudsearch": EXCEPTION_NO_FUZZER,
- "cloudsearch_service": EXCEPTION_NO_FUZZER,
- "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
- "companiondevice": EXCEPTION_NO_FUZZER,
- "communal": EXCEPTION_NO_FUZZER,
- "platform_compat": EXCEPTION_NO_FUZZER,
- "platform_compat_native": EXCEPTION_NO_FUZZER,
- "connectivity": EXCEPTION_NO_FUZZER,
- "connectivity_native": EXCEPTION_NO_FUZZER,
- "connmetrics": EXCEPTION_NO_FUZZER,
- "consumer_ir": EXCEPTION_NO_FUZZER,
- "content": EXCEPTION_NO_FUZZER,
- "content_capture": EXCEPTION_NO_FUZZER,
- "content_suggestions": EXCEPTION_NO_FUZZER,
- "contexthub": EXCEPTION_NO_FUZZER,
- "contextual_search": EXCEPTION_NO_FUZZER,
- "country_detector": EXCEPTION_NO_FUZZER,
- "coverage": EXCEPTION_NO_FUZZER,
- "cpuinfo": EXCEPTION_NO_FUZZER,
- "cpu_monitor": EXCEPTION_NO_FUZZER,
- "credential": EXCEPTION_NO_FUZZER,
- "crossprofileapps": EXCEPTION_NO_FUZZER,
- "dataloader_manager": EXCEPTION_NO_FUZZER,
- "dbinfo": EXCEPTION_NO_FUZZER,
- "device_config": EXCEPTION_NO_FUZZER,
- "device_config_updatable": EXCEPTION_NO_FUZZER,
- "device_policy": EXCEPTION_NO_FUZZER,
- "device_identifiers": EXCEPTION_NO_FUZZER,
- "deviceidle": EXCEPTION_NO_FUZZER,
- "device_lock": EXCEPTION_NO_FUZZER,
- "device_state": EXCEPTION_NO_FUZZER,
- "devicestoragemonitor": EXCEPTION_NO_FUZZER,
- "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
- "diskstats": EXCEPTION_NO_FUZZER,
- "display": EXCEPTION_NO_FUZZER,
- "dnsresolver": []string{"resolv_service_fuzzer"},
- "domain_verification": EXCEPTION_NO_FUZZER,
- "color_display": EXCEPTION_NO_FUZZER,
- "netd_listener": EXCEPTION_NO_FUZZER,
- "network_watchlist": EXCEPTION_NO_FUZZER,
- "DockObserver": EXCEPTION_NO_FUZZER,
- "dreams": EXCEPTION_NO_FUZZER,
- "drm.drmManager": []string{"drmserver_fuzzer"},
- "dropbox": EXCEPTION_NO_FUZZER,
- "dumpstate": EXCEPTION_NO_FUZZER,
- "dynamic_system": EXCEPTION_NO_FUZZER,
- "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
- "econtroller": EXCEPTION_NO_FUZZER,
- "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
- "emergency_affordance": EXCEPTION_NO_FUZZER,
- "euicc_card_controller": EXCEPTION_NO_FUZZER,
- "external_vibrator_service": EXCEPTION_NO_FUZZER,
- "ethernet": EXCEPTION_NO_FUZZER,
- "face": EXCEPTION_NO_FUZZER,
- "file_integrity": EXCEPTION_NO_FUZZER,
- "fingerprint": EXCEPTION_NO_FUZZER,
- "feature_flags": EXCEPTION_NO_FUZZER,
- "font": EXCEPTION_NO_FUZZER,
- "forensic": EXCEPTION_NO_FUZZER,
+ "android.system.vold.IVold/default": []string{"vold_native_service_fuzzer"},
+ "ambient_context": EXCEPTION_NO_FUZZER,
+ "app_binding": EXCEPTION_NO_FUZZER,
+ "app_function": EXCEPTION_NO_FUZZER,
+ "app_hibernation": EXCEPTION_NO_FUZZER,
+ "app_integrity": EXCEPTION_NO_FUZZER,
+ "app_prediction": EXCEPTION_NO_FUZZER,
+ "app_search": EXCEPTION_NO_FUZZER,
+ "apexservice": EXCEPTION_NO_FUZZER,
+ "archive": EXCEPTION_NO_FUZZER,
+ "attestation_verification": EXCEPTION_NO_FUZZER,
+ "authentication_policy": EXCEPTION_NO_FUZZER,
+ "blob_store": EXCEPTION_NO_FUZZER,
+ "gsiservice": EXCEPTION_NO_FUZZER,
+ "appops": EXCEPTION_NO_FUZZER,
+ "appwidget": EXCEPTION_NO_FUZZER,
+ "artd": []string{"artd_fuzzer"},
+ "artd_pre_reboot": []string{"artd_fuzzer"},
+ "assetatlas": EXCEPTION_NO_FUZZER,
+ "attention": EXCEPTION_NO_FUZZER,
+ "audio": EXCEPTION_NO_FUZZER,
+ "auth": EXCEPTION_NO_FUZZER,
+ "autofill": EXCEPTION_NO_FUZZER,
+ "background_install_control": EXCEPTION_NO_FUZZER,
+ "backup": EXCEPTION_NO_FUZZER,
+ "batteryproperties": EXCEPTION_NO_FUZZER,
+ "batterystats": EXCEPTION_NO_FUZZER,
+ "battery": EXCEPTION_NO_FUZZER,
+ "binder_calls_stats": EXCEPTION_NO_FUZZER,
+ "biometric": EXCEPTION_NO_FUZZER,
+ "bluetooth_manager": EXCEPTION_NO_FUZZER,
+ "bluetooth": EXCEPTION_NO_FUZZER,
+ "broadcastradio": EXCEPTION_NO_FUZZER,
+ "bugreport": EXCEPTION_NO_FUZZER,
+ "cacheinfo": EXCEPTION_NO_FUZZER,
+ "carrier_config": EXCEPTION_NO_FUZZER,
+ "clipboard": EXCEPTION_NO_FUZZER,
+ "cloudsearch": EXCEPTION_NO_FUZZER,
+ "cloudsearch_service": EXCEPTION_NO_FUZZER,
+ "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
+ "companiondevice": EXCEPTION_NO_FUZZER,
+ "communal": EXCEPTION_NO_FUZZER,
+ "platform_compat": EXCEPTION_NO_FUZZER,
+ "platform_compat_native": EXCEPTION_NO_FUZZER,
+ "connectivity": EXCEPTION_NO_FUZZER,
+ "connectivity_native": EXCEPTION_NO_FUZZER,
+ "connmetrics": EXCEPTION_NO_FUZZER,
+ "consumer_ir": EXCEPTION_NO_FUZZER,
+ "content": EXCEPTION_NO_FUZZER,
+ "content_capture": EXCEPTION_NO_FUZZER,
+ "content_suggestions": EXCEPTION_NO_FUZZER,
+ "contexthub": EXCEPTION_NO_FUZZER,
+ "contextual_search": EXCEPTION_NO_FUZZER,
+ "country_detector": EXCEPTION_NO_FUZZER,
+ "coverage": EXCEPTION_NO_FUZZER,
+ "cpuinfo": EXCEPTION_NO_FUZZER,
+ "cpu_monitor": EXCEPTION_NO_FUZZER,
+ "credential": EXCEPTION_NO_FUZZER,
+ "crossprofileapps": EXCEPTION_NO_FUZZER,
+ "dataloader_manager": EXCEPTION_NO_FUZZER,
+ "dbinfo": EXCEPTION_NO_FUZZER,
+ "device_config": EXCEPTION_NO_FUZZER,
+ "device_config_updatable": EXCEPTION_NO_FUZZER,
+ "device_policy": EXCEPTION_NO_FUZZER,
+ "device_identifiers": EXCEPTION_NO_FUZZER,
+ "deviceidle": EXCEPTION_NO_FUZZER,
+ "device_lock": EXCEPTION_NO_FUZZER,
+ "device_state": EXCEPTION_NO_FUZZER,
+ "devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
+ "diskstats": EXCEPTION_NO_FUZZER,
+ "display": EXCEPTION_NO_FUZZER,
+ "dnsresolver": []string{"resolv_service_fuzzer"},
+ "domain_verification": EXCEPTION_NO_FUZZER,
+ "color_display": EXCEPTION_NO_FUZZER,
+ "netd_listener": EXCEPTION_NO_FUZZER,
+ "network_watchlist": EXCEPTION_NO_FUZZER,
+ "DockObserver": EXCEPTION_NO_FUZZER,
+ "dreams": EXCEPTION_NO_FUZZER,
+ "drm.drmManager": []string{"drmserver_fuzzer"},
+ "dropbox": EXCEPTION_NO_FUZZER,
+ "dumpstate": EXCEPTION_NO_FUZZER,
+ "dynamic_system": EXCEPTION_NO_FUZZER,
+ "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
+ "econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
+ "emergency_affordance": EXCEPTION_NO_FUZZER,
+ "euicc_card_controller": EXCEPTION_NO_FUZZER,
+ "external_vibrator_service": EXCEPTION_NO_FUZZER,
+ "ethernet": EXCEPTION_NO_FUZZER,
+ "face": EXCEPTION_NO_FUZZER,
+ "file_integrity": EXCEPTION_NO_FUZZER,
+ "fingerprint": EXCEPTION_NO_FUZZER,
+ "feature_flags": EXCEPTION_NO_FUZZER,
+ "font": EXCEPTION_NO_FUZZER,
+ "forensic": EXCEPTION_NO_FUZZER,
"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
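Review bot: The only substantive change in this hunk is the single new binding `"android.system.vold.IVold/default": []string{"vold_native_service_fuzzer"},` at the top of the replaced run; the other ~95 removed/added pairs appear to be a re-indentation of unchanged entries. Mixing a formatting sweep into the same hunk as a new fuzzer binding makes the real change hard to audit; splitting the re-indent into its own commit (or at least noting it in the description) would help reviewers. The map literal itself starts and ends outside the hunk.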
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 275a455..8c331d0 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -92,6 +92,9 @@
# apexd can set apexd sysprop
set_prop(apexd, apexd_prop)
+# apexd can set apex.all.ready sysprop
+set_prop(apexd, apex_ready_prop)
+
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 9a0345f..11e398e 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -19,6 +19,12 @@
allow init self:global_capability2_class_set perfmon;
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow opening /proc/kallsyms so that on boot, init can create and retain an
+# fd with the full address visibility (which is evaluated on open and persists
+# for the lifetime of the open file description). This fd can then be shared
+# with other privileged processes.
+allow init proc_kallsyms:file r_file_perms;
+
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
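Review bot: `allow init proc_kallsyms:file r_file_perms;` grants more than the comment describes — `r_file_perms` (per global_macros) expands beyond open/read/getattr to ioctl, lock and map, none of which are needed to create and retain an fd; `allow init proc_kallsyms:file { getattr open read };` would match the stated purpose, and the same applies to the identical rule in private/init.te (hunk at -68). The comment says the fd "can then be shared with other privileged processes" without naming them; since the domain.te neverallow limits readers to traced_probes and traced_perf (plus profcollectd/simpleperf_boot on debuggable builds), naming them here would make the trust boundary explicit. Note the fd carries pre-kptr_restrict addresses for its whole lifetime, so every domain that later gains `init:fd use` plus `proc_kallsyms:file read` inherits KASLR-relevant data — a one-line pointer to the neverallow in domain.te would keep future readers from loosening it casually.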
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2bd5a22..803e25e 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -58,6 +58,7 @@
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+apex.all.ready u:object_r:apex_ready_prop:s0 exact bool
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 7db53d0..18dab10 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -2,6 +2,7 @@
type apex_config_prop, property_type;
type apexd_payload_metadata_prop, property_type;
type apexd_prop, property_type;
+type apex_ready_prop, property_type;
type arm64_memtag_prop, property_type;
type bootloader_prop, property_type;
type boottime_prop, property_type;
diff --git a/private/apexd.te b/private/apexd.te
index 58a3658..3205b02 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -229,8 +229,8 @@
# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
# and make binder calls to apexd.
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+neverallow { domain -init -apexd -keystore -system_server -update_engine -update_provider } apex_service:service_manager find;
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
+neverallow { domain -init -apexd -keystore -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
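Review bot: `-keystore` is added to both apexd neverallow exemptions without any rationale, while the surrounding comment block still only explains `update_provider`; the matching `allow keystore apex_service:service_manager find;` / `allow keystore apexd:binder call;` in keystore.te (hunk at -61) is likewise commented only as "communicate to apexd". Because these neverallows are the documented guard on who may drive apexd, each exemption should say what the caller needs; e.g. above the first neverallow: `# keystore: <reason keystore calls apexd — fill in>`. The first keystore.te hunk mentions monitoring `apexd.status`, which may be the reason, but that is not stated near the exemption.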
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 85eb601..c78632b 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,8 +1,10 @@
;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
-(type virtual_fingerprint_hal_prop)
+(type cgroup_desc_api_file)
(type otapreopt_chroot)
+(type task_profiles_api_file)
(type vendor_hidraw_device)
+(type virtual_fingerprint_hal_prop)
(typeattributeset dev_type (vendor_hidraw_device))
;; mapping information from ToT policy's types to 202404 policy's types.
@@ -2473,7 +2475,7 @@
(typeattributeset surfaceflinger_tmpfs_202404 (surfaceflinger_tmpfs))
(typeattributeset suspend_prop_202404 (suspend_prop))
(typeattributeset swap_block_device_202404 (swap_block_device))
-(typeattributeset sysfs_202404 (sysfs))
+(typeattributeset sysfs_202404 (sysfs sysfs_udc))
(typeattributeset sysfs_android_usb_202404 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_202404 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_202404 (sysfs_bluetooth_writable))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 0bf3f7e..0aa0580 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,24 +5,33 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
- bluetooth_finder_prop
- profcollectd_etr_prop
- fstype_prop
- binderfs_logs_transactions
+ advanced_protection_service
+ app_function_service
binderfs_logs_transaction_history
+ binderfs_logs_transactions
+ bluetooth_finder_prop
+ crosvm
+ early_virtmgr
+ early_virtmgr_exec
+ forensic_service
+ fstype_prop
+ hal_mediaquality_service
+ intrusion_detection_service
+ media_quality_service
proc_cgroups
+ proc_compaction_proactiveness
+ profcollectd_etr_prop
ranging_service
supervision_service
- app_function_service
- virtual_fingerprint
- virtual_fingerprint_exec
+ sysfs_firmware_acpi_tables
+ tee_service_contexts_file
+ trusty_security_vm_sys_vendor_prop
virtual_face
virtual_face_exec
- hal_mediaquality_service
- media_quality_service
- advanced_protection_service
- sysfs_firmware_acpi_tables
- dynamic_instrumentation_service
- intrusion_detection_service
+ virtual_fingerprint
+ virtual_fingerprint_exec
+ virtualizationmanager
+ virtualizationmanager_exec
wifi_mainline_supplicant_service
+ wifi_usd_service
))
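Review bot: `dynamic_instrumentation_service` is dropped from the new_objects list while `ranging_service` (context line above) is kept, yet both types are moved from public/service.te to private/service.te in this same merge; the two should probably be handled the same way. If private types need no compat entry the `ranging_service` line is stale, and if they do, the removal breaks the mapping — worth confirming against the compat test before merging. The rest of the hunk is a sort plus the new AVF/crosvm types, which matches the public/ moves elsewhere in the diff.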
diff --git a/private/crosvm.te b/private/crosvm.te
index 750df24..a377e7a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -1,4 +1,7 @@
-type crosvm, domain, coredomain;
+until_board_api(202504, `
+ type crosvm, domain, coredomain;
+')
+
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
diff --git a/private/domain.te b/private/domain.te
index 4563895..a8ec298 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1170,6 +1170,8 @@
# Vendor components still can invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
+ -virtualizationmanager_exec
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
}:file { entrypoint execute execute_no_trans };
')
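Review bot: The new exclusions `-virtualizationmanager_exec` and the flag-gated `-early_virtmgr_exec` carry no rationale, while the only nearby comment explains why shell_exec/toolbox_exec are excluded; the second hunk at -1254 has the same gap. These lines mean vendor domains may now execute (and, in the second hunk, otherwise access) these system binaries, which is a deliberate widening of the system/vendor boundary and should be auditable from the file, e.g. `# AVF clients spawn virtualizationmanager / early_virtmgr as child processes (see te_macros).` The neverallow statements themselves begin before the hunk, so their full target set is not visible here.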
@@ -1254,6 +1256,8 @@
# Vendor components still can invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
+ -virtualizationmanager_exec
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
}:file *;
')
@@ -2118,18 +2122,24 @@
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
+# Allow init to open /proc/kallsyms while kernel address mappings are still
+# visible, and later share it with tracing daemons (traced_probes,
+# traced_perf). These daemons are allowed to read from the shared fd, but also
+# to separately open the file (which will always have zeroed out addresses due
+# to init raising kptr_restrict) for locking to coordinate access to the shared
+# fd. The performance traces contain only the referenced kernel symbols, and
+# never the raw addresses (i.e. KASLR is not disclosed).
+# On debuggable builds, performance tools are allowed to open and read the file
+# directly because init is allowed to temporarily unrestrict systemwide address
+# visibility.
neverallow {
domain
-init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
-} proc_kallsyms:file { open read };
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+} proc_kallsyms:file *;
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index e244be2..d1579fe 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -1,8 +1,8 @@
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
- # Domain for a child process that manages early VMs available before /data mount, on behalf of
- # its parent.
- type early_virtmgr, domain, coredomain;
- type early_virtmgr_exec, system_file_type, exec_type, file_type;
+ until_board_api(202504, `
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+ ')
use_bootstrap_libs(early_virtmgr)
diff --git a/private/init.te b/private/init.te
index 012ef0b..23c464c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -68,6 +68,12 @@
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
+# Allow opening /proc/kallsyms so that on boot, init can create and retain an
+# fd with the full address visibility (which is evaluated on open and persists
+# for the lifetime of the open file description). This fd can then be shared
+# with other privileged processes.
+allow init proc_kallsyms:file r_file_perms;
+
# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
diff --git a/private/installd.te b/private/installd.te
index 55e962a..50c378a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -226,6 +226,13 @@
allow installd storage_area_key_file:file unlink;
')
+# Allow installd to delete the terminal app's data file.
+# `virtualizationservice_data_file` was used for a while, but it needs to be
+# deleted when terminal feature is disabled.
+# TODO(b/383026786): Remove this rule once the there is no
+# `virtualizationservice_data_file` in terminal app anymore..
+allow installd virtualizationservice_data_file:file unlink;
+
###
### Neverallow rules
###
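Review bot: The TODO comment has a typo and a doubled period: `# TODO(b/383026786): Remove this rule once the there is no` should read `# TODO(b/383026786): Remove this rule once there is no` and the next line end with a single period. The rule itself (`file unlink` only, no dir permissions) is narrow, but since it is explicitly temporary, the comment is the only thing that will get it removed, so it is worth keeping precise.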
diff --git a/private/keystore.te b/private/keystore.te
index 50542b0..014903e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -41,6 +41,9 @@
set_prop(keystore, keystore_crash_prop)
+# Allow keystore to monitor the `apexd.status` property.
+get_prop(keystore, apexd_prop)
+
# keystore is using apex_info via libvintf
use_apex_info(keystore)
@@ -61,6 +64,10 @@
allow keystore remote_provisioning_service:service_manager find;
allow keystore rkp_cert_processor_service:service_manager find;
+# Allow keystore to communicate to apexd
+allow keystore apex_service:service_manager find;
+allow keystore apexd:binder call;
+
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/private/property.te b/private/property.te
index 525754f..92e244d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -112,6 +112,7 @@
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
system_vendor_config_prop(prefetch_boot_prop)
+system_vendor_config_prop(widevine_sys_vendor_prop)
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
diff --git a/private/property_contexts b/private/property_contexts
index b67fbff..643a179 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -483,6 +483,10 @@
# See b/323989070 for the discussion why this approach was chosen.
ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
+# String property used in audioparameterparser.example service to load
+# vendor implementation IHalAdapterVendorExtension
+ro.audio.ihaladaptervendorextension_libname u:object_r:system_audio_config_prop:s0 exact string
+
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
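Review bot: `ro.audio.ihaladaptervendorextension_libname` names a library that a service will load, so the comment should state the trust assumption — that the value is only honoured because the property is set once by vendor init and the loader restricts it to the expected vendor library location; the same concern applies to `widevine.liboemcrypto.path` in the hunk at -1785. That later property also lacks the `ro.` prefix used by every neighbouring Trusty property, so it can in principle change after boot; if it is meant to be fixed at boot, `ro.widevine.liboemcrypto.path` would match the audio property here (hedged: I cannot see the consumer). Minor: in that hunk, `# Properties that allows vendors` should be `# Properties that allow vendors`.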
@@ -695,6 +699,11 @@
bluetooth.core.le.min_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.max_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_relaxed u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_relaxed u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.aggressive_connection_threshold u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_latency u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.direct_connection_timeout u:object_r:bluetooth_config_prop:s0 exact uint
@@ -767,6 +776,7 @@
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.bluetooth.leaudio_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
@@ -1785,6 +1795,13 @@
trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+# Properties that allows vendors to enable Trusty widevine VM features
+# Enable Widevine VM
+trusty.widevine_vm.enabled u:object_r:widevine_sys_vendor_prop:s0 exact bool
+# Sets the path used by Widevine HALs to find correct library for the widevine
+# service provider location
+widevine.liboemcrypto.path u:object_r:widevine_sys_vendor_prop:s0 exact string
+
# Properties for mmd
mmd. u:object_r:mmd_prop:s0
mmd.enabled_aconfig u:object_r:mmd_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ce49fc4..25ed1ba 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -224,4 +224,3 @@
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 7e89300..ce648c2 100644
--- a/private/service.te
+++ b/private/service.te
@@ -60,8 +60,14 @@
')
type uce_service, service_manager_type;
+type fwk_vold_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
type wifi_mainline_supplicant_service, service_manager_type;
+type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_RANGING_STACK, `
+ type ranging_service, app_api_service, system_server_service, service_manager_type;
+')
###
### Neverallow rules
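Review bot: `type fwk_vold_service, service_manager_type;` is declared and vold publishes it (vold.te hunk, `add_service(vold, fwk_vold_service)`), but nothing in this merge grants any domain `fwk_vold_service:service_manager find`, so as landed the service is unreachable; presumably the client rule comes in a follow-up — worth confirming. A short comment distinguishing it from the existing `vold_service` (who the intended client is, and why a second label rather than reusing `vold_service`) would also help, since separate labels only pay off if the `find` grants differ.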
diff --git a/private/service_contexts b/private/service_contexts
index 1478e93..e2998c7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -141,6 +141,7 @@
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
+android.system.vold.IVold/default u:object_r:fwk_vold_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -188,9 +189,7 @@
app_binding u:object_r:app_binding_service:s0
app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
-starting_at_board_api(202504, `
- dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
-')
+dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
diff --git a/private/traced_perf.te b/private/traced_perf.te
index c7e81cd..8bd7ad3 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -35,10 +35,13 @@
r_dir_file(traced_perf, apex_art_data_file)
allow traced_perf apex_module_data_file:dir { getattr search };
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
+allow traced_perf proc_kallsyms:file { open read lock };
# Allow reading tracefs files to get the format and numeric ids of tracepoints.
allow traced_perf debugfs_tracing:dir r_dir_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 6540420..78dc7eb 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,10 +35,13 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
+allow traced_probes proc_kallsyms:file { open read lock };
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index dca1bc1..99035f8 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -22,6 +22,7 @@
get_prop(tradeinmode, odsign_prop)
get_prop(tradeinmode, build_attestation_prop)
get_prop(tradeinmode, adbd_tradeinmode_prop)
+set_prop(tradeinmode, powerctl_prop)
# Needed to start activities through "am".
binder_call(tradeinmode, system_server)
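Review bot: `set_prop(tradeinmode, powerctl_prop)` is slotted into a run of `get_prop` lines with no comment, but it is qualitatively different: writing `sys.powerctl` lets the domain reboot or shut down the device and choose the reboot target. A one-line rationale such as `# Allow tradeinmode to reboot/shut down the device via sys.powerctl.` (with the specific trigger, if known) would keep that privilege visible to the next reader.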
diff --git a/private/uprobestats.te b/private/uprobestats.te
index c55f23d..d778126 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,9 +24,7 @@
# For registration with system server as a process observer.
binder_use(uprobestats)
allow uprobestats activity_service:service_manager find;
-starting_at_board_api(202504, `
- allow uprobestats dynamic_instrumentation_service:service_manager find;
-')
+allow uprobestats dynamic_instrumentation_service:service_manager find;
binder_call(uprobestats, system_server);
# Allow uprobestats to talk to native package manager
diff --git a/private/vendor_init.te b/private/vendor_init.te
index a50bc27..60962d4 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -116,6 +116,7 @@
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
-tradeinmode_metadata_file
+ -proc_kallsyms
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
@@ -195,6 +196,7 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ -proc_kallsyms
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c4fa6a1..31eadb2 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -55,3 +55,6 @@
allow virtual_camera adbd:fd use;
allow virtual_camera adbd:unix_stream_socket { getattr read write };
allow virtual_camera shell:fifo_file { getattr read write };
+
+# Allow virtual_camera to access dmabuf_system_heap_device
+allow virtual_camera dmabuf_system_heap_device:chr_file { read open };
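Review bot: The new comment `# Allow virtual_camera to access dmabuf_system_heap_device` only restates the rule; say what it is for (e.g. buffer allocation for virtual camera frames). Relatedly, `{ read open }` may be insufficient if the goal is to allocate from the heap — dma-buf heap allocation goes through an ioctl on the device node, so `ioctl` would then be required; if only open/read is exercised, the narrow set is the right least-privilege choice and the comment should say so.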
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index ca72279..259c402 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -1,7 +1,7 @@
-# Domain for a child process that manages virtual machines on behalf of its parent.
-
-type virtualizationmanager, domain, coredomain;
-type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+until_board_api(202504, `
+ type virtualizationmanager, domain, coredomain;
+ type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
# Allow virtualizationmanager to communicate use, read and write over the adb connection.
allow virtualizationmanager adbd:fd use;
diff --git a/private/vold.te b/private/vold.te
index c242040..8fe8518 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -291,9 +291,10 @@
# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
-# Allow vold to publish a binder service and make binder calls.
+# Allow vold to make binder calls and publish binder services.
binder_use(vold)
add_service(vold, vold_service)
+add_service(vold, fwk_vold_service)
# Allow vold to call into the system server so it can check permissions.
binder_call(vold, system_server)
diff --git a/public/crosvm.te b/public/crosvm.te
new file mode 100644
index 0000000..174a8b2
--- /dev/null
+++ b/public/crosvm.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+ type crosvm, domain, coredomain;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
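Review bot: The new public/crosvm.te declares the `crosvm` domain with no description, whereas the sibling public/early_virtmgr.te keeps its "Domain for a child process…" comment; a matching line such as `# Domain for crosvm, the virtual machine monitor process.` above the `starting_at_board_api` block would keep the two consistent. Making `crosvm` a public type also lets vendor policy reference it, which is the point of the change, but it is worth a sentence in the file (or commit description) noting that vendor rules granting crosvm access are now possible.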
diff --git a/public/early_virtmgr.te b/public/early_virtmgr.te
new file mode 100644
index 0000000..6caac18
--- /dev/null
+++ b/public/early_virtmgr.te
@@ -0,0 +1,12 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ # Domain for a child process that manages early VMs available before /data mount, on behalf of
+ # its parent.
+ starting_at_board_api(202504, `
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+ ')
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/service.te b/public/service.te
index 854ceef..68f4ea0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,9 +75,6 @@
type app_function_service, app_api_service, system_server_service, service_manager_type;
')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
- type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
-')
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -220,9 +217,6 @@
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-is_flag_enabled(RELEASE_RANGING_STACK, `
- type ranging_service, app_api_service, system_server_service, service_manager_type;
-')
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index e446f56..2ba15b3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -201,6 +201,10 @@
get_prop($1, hypervisor_prop)
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
+# Allow virtualizationmanager to read the path of the client using /proc/{PID}/exe
+allow virtualizationmanager $1:dir search;
+allow virtualizationmanager $1:file read;
+allow virtualizationmanager $1:lnk_file read;
')
####################################
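Review bot: The added `allow virtualizationmanager $1:file read;` grants more than the comment justifies: resolving `/proc/{PID}/exe` needs `dir search` and `lnk_file read` on the client domain, while `file read` on `$1` covers every domain-labelled file under `/proc/PID` (cmdline, maps, status, and so on) for every caller of this macro. If the exe link is all that is needed, drop the `file read` line; if something else is read, name it in the comment, e.g. `# Also read /proc/{PID}/<file> because ...`. The macro whose body this hunk extends starts outside the hunk, so its name and any neverallow coverage are not visible here.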
diff --git a/public/virtualizationmanager.te b/public/virtualizationmanager.te
new file mode 100644
index 0000000..555bc23
--- /dev/null
+++ b/public/virtualizationmanager.te
@@ -0,0 +1,9 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+starting_at_board_api(202504, `
+ type virtualizationmanager, domain, coredomain;
+ type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index b9b935c..fa05eb1 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,10 +48,6 @@
removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
- # TODO(b/330670954): remove this once all internal references are removed.
- if "proc_compaction_proactiveness" in added_types:
- added_types.remove("proc_compaction_proactiveness")
-
if removed_types:
results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index cdf82f1..3f3def6 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -30,6 +30,22 @@
cat > "$prebuilt_dir/Android.bp" <<EOF
// Automatically generated file, do not edit!
se_policy_conf {
+ name: "${ver}_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "${ver}",
+}
+
+se_policy_cil {
+ name: "${ver}_reqd_policy_mask.cil",
+ src: ":${ver}_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "${ver}_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: [
@@ -38,12 +54,13 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "${ver}",
}
se_policy_cil {
name: "${ver}_plat_pub_policy.cil",
src: ":${ver}_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":${ver}_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
@@ -59,16 +76,25 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "${ver}",
}
se_policy_cil {
name: "${ver}_product_pub_policy.cil",
src: ":${ver}_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":${ver}_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "${ver}_plat_pub_versioned.cil",
+ base: ":${ver}_product_pub_policy.cil",
+ target_policy: ":${ver}_product_pub_policy.cil",
+ version: "${ver}",
+ installable: false,
+}
+
se_policy_conf {
name: "${ver}_plat_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
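Review bot: The generated `se_versioned_policy` block names its output `${ver}_plat_pub_versioned.cil` but uses `${ver}_product_pub_policy.cil` as both `base` and `target_policy`, which reads as a copy-paste slip unless versioning the public policy against itself is the intended pattern. Since the heredoc emits Android.bp syntax, a `//` comment inside it would document that, e.g. `// base == target_policy: the public policy is versioned against itself; product_pub is a superset of plat_pub.` placed above `name: "${ver}_plat_pub_versioned.cil",` — assuming that superset relation holds, which this hunk does not show.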
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
index 7756cbb..d27dc56 100644
--- a/treble_sepolicy_tests_for_release/Android.bp
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -38,12 +38,12 @@
srcs: [
":29.0_plat_policy.cil",
":29.0_mapping.combined.cil",
- ":29.0_plat_pub_policy.cil",
+ ":base_plat_pub_policy.cil",
],
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_29.0"],
cmd: "$(location treble_sepolicy_tests) " +
- "-b $(location :29.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :29.0_mapping.combined.cil) " +
"-o $(location :29.0_plat_policy.cil) && " +
"touch $(out)",
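Review bot: Every `-b` argument and `srcs` entry in this file moves from the frozen `:NN_plat_pub_policy.cil` / `:NN_product_pub_policy.cil` to `:base_plat_pub_policy.cil` / `:base_product_pub_policy.cil`, so the per-release tests (29.0 through 202404, the later hunks in this file) no longer compare against the frozen public policy of that release but against whatever `base_*` resolves to. If `base_*` is the current-tree public policy this changes what the test asserts, and the module would benefit from a comment near the first `srcs` list stating why the frozen base is no longer used, e.g. `// -b uses the current public policy; the frozen per-version pub policies are no longer built.` The rationale is not visible in the diff.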
@@ -92,8 +92,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":30.0_plat_pub_policy.cil"],
- (default, default): [":30.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_30.0"],
@@ -102,12 +102,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :30.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :30.0_mapping.combined.cil) " +
"-o $(location :30.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :30.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :30.0_mapping.combined.cil) " +
"-o $(location :30.0_plat_policy.cil) && " +
"touch $(out)",
@@ -157,8 +157,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":31.0_plat_pub_policy.cil"],
- (default, default): [":31.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_31.0"],
@@ -167,12 +167,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :31.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :31.0_mapping.combined.cil) " +
"-o $(location :31.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :31.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :31.0_mapping.combined.cil) " +
"-o $(location :31.0_plat_policy.cil) && " +
"touch $(out)",
@@ -222,8 +222,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":32.0_plat_pub_policy.cil"],
- (default, default): [":32.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_32.0"],
@@ -232,12 +232,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :32.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :32.0_mapping.combined.cil) " +
"-o $(location :32.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :32.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :32.0_mapping.combined.cil) " +
"-o $(location :32.0_plat_policy.cil) && " +
"touch $(out)",
@@ -287,8 +287,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":33.0_plat_pub_policy.cil"],
- (default, default): [":33.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_33.0"],
@@ -297,12 +297,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :33.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :33.0_mapping.combined.cil) " +
"-o $(location :33.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :33.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :33.0_mapping.combined.cil) " +
"-o $(location :33.0_plat_policy.cil) && " +
"touch $(out)",
@@ -352,8 +352,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":34.0_plat_pub_policy.cil"],
- (default, default): [":34.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_34.0"],
@@ -362,12 +362,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :34.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :34.0_mapping.combined.cil) " +
"-o $(location :34.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :34.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :34.0_mapping.combined.cil) " +
"-o $(location :34.0_plat_policy.cil) && " +
"touch $(out)",
@@ -422,8 +422,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":202404_plat_pub_policy.cil"],
- (default, default): [":202404_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_202404"],
@@ -435,12 +435,12 @@
("202404", false, false): "touch $(out)",
("202404", default, default): "touch $(out)",
(default, false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :202404_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :202404_mapping.combined.cil) " +
"-o $(location :202404_plat_policy.cil) && " +
"touch $(out)",
(default, default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :202404_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :202404_mapping.combined.cil) " +
"-o $(location :202404_plat_policy.cil) && " +
"touch $(out)",
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 66ac4ec..220fbd2 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[0-9]+-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index efa75a7..2b3729d 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,7 +1,7 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default bt_device:chr_file { open read write ioctl };
allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
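Review bot: Adding bare `ioctl` to the `bt_device:chr_file` rule permits every ioctl command on the device node, not just the ones the HAL needs. Elsewhere in this policy ioctl access on device nodes is paired with an `allowxperm` allow-list; the same should apply here, e.g. `allowxperm hal_bluetooth_default bt_device:chr_file ioctl { <IOCTL_CMDS_PLACEHOLDER> };` with the specific commands the HAL issues, and a comment naming them. Without that line the ioctl surface of the driver is exposed to the HAL in full.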