Merge "[service-vm] Adjust sepolicy for running service VM" into main
diff --git a/Android.bp b/Android.bp
index cac0748..b0544cf 100644
--- a/Android.bp
+++ b/Android.bp
@@ -359,116 +359,16 @@
product_specific: true,
}
+//////////////////////////////////
// vendor/odm sepolicy
-//
-// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-// policy files of platform (system, system_ext, product) can't be mixed with
-// policy files of vendor (vendor, odm). If it's the case, platform policies and
-// vendor policies are separately built. More specifically,
-//
-// - Platform policy files needed to build vendor policies, such as plat_policy,
-// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-//
-// - sepolicy_neverallows only checks platform policies, and a new module
-// sepolicy_neverallows_vendor checks vendor policies.
-//
-// - neverallow checks are turned off while compiling precompiled_sepolicy
-// module and sepolicy module.
-//
-// - Vendor policies are not checked on the compat test (compat.mk).
-//
-// In such scenario, we can grab platform policy files from the prebuilts/api
-// directory. But we need more than that: prebuilts of system_ext, product,
-// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
-// variables are introduced to specify such prebuilts.
-//
-// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-//
-// Vendors are responsible for copying policy files from the old version of the
-// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
-// can be used to build vendor policies.
-//
-// To support both mixed build and normal build, platform policy files are
-// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
-// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
-// Otherwise, they will be equal to the Makefile variables above.
-
-plat_public_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.reqd_mask_for_vendor}",
-]
-
-plat_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.plat_private_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.system_ext_private_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.product_private_for_vendor}",
-]
-
-se_policy_conf {
- name: "plat_policy_for_vendor.conf",
- srcs: plat_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_policy_for_vendor.cil",
- src: ":plat_policy_for_vendor.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
- installable: false,
-}
-
-se_policy_conf {
- name: "reqd_policy_mask_for_vendor.conf",
- srcs: [":se_build_files{.reqd_mask_for_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask_for_vendor.cil",
- src: ":reqd_policy_mask_for_vendor.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "pub_policy_for_vendor.conf",
- srcs: plat_public_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy_for_vendor.cil",
- src: ":pub_policy_for_vendor.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "plat_mapping_file_for_vendor",
- base: ":pub_policy_for_vendor.cil",
- mapping: true,
- version: "vendor",
- installable: false,
-}
+//////////////////////////////////
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
version: "vendor",
vendor: true,
}
@@ -478,8 +378,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
],
vendor: true,
@@ -489,7 +392,7 @@
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
vendor: true,
installable: false,
@@ -497,13 +400,15 @@
se_versioned_policy {
name: "vendor_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
],
filter_out: [":plat_pub_versioned.cil"],
vendor: true,
@@ -514,8 +419,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -527,7 +435,7 @@
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
- ":reqd_policy_mask_for_vendor.cil",
+ ":reqd_policy_mask.cil",
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
@@ -537,13 +445,15 @@
se_versioned_policy {
name: "odm_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
@@ -701,9 +611,8 @@
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
- value_variables: ["MIXED_SEPOLICY_VERSION"],
- properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
}
precompiled_se_policy_binary {
@@ -716,6 +625,9 @@
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -724,27 +636,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -760,6 +654,9 @@
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -768,27 +665,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -798,8 +677,13 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -1003,7 +887,7 @@
se_bug_map {
name: "vendor_bug_map",
- srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
@@ -1016,17 +900,11 @@
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
- product_private_policy,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows_vendor",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
- vendor: true,
}
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index d496f1d..b39ee44 100644
--- a/Android.mk
+++ b/Android.mk
@@ -73,12 +73,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
-mixed_sepolicy_build := true
-else
-mixed_sepolicy_build :=
-endif
-
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@@ -98,21 +92,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
-# Set default values for these prebuilt directories
-ifeq (,$(BOARD_REQD_MASK_POLICY))
-BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
-endif
-
-ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
-BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
-endif
-
-$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
- $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
- BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
- ) \
-)))
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -125,7 +104,7 @@
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
@@ -513,7 +492,6 @@
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index ed92f1a..db028e6 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -103,28 +103,6 @@
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
- if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- // vendor uses the same source with plat policy
- b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
- b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
- b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
- b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
- b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
- b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
- b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
- b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
- } else {
- // use vendor-supplied plat prebuilts
- b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
- b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
- b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
- b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
- b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
- b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
- }
-
// directories used for compat tests and Treble tests
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 5982ae6..f2bb9c0 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -99,7 +99,7 @@
file_contexts {
name: "vendor_file_contexts",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
@@ -108,7 +108,7 @@
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
@@ -174,9 +174,9 @@
hwservice_contexts {
name: "vendor_hwservice_contexts",
srcs: [
- ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
- ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ":hwservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -216,9 +216,9 @@
property_contexts {
name: "vendor_property_contexts",
srcs: [
- ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
- ":property_contexts_files{.reqd_mask_for_vendor}",
+ ":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -260,9 +260,9 @@
service_contexts {
name: "vendor_service_contexts",
srcs: [
- ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
- ":service_contexts_files{.reqd_mask_for_vendor}",
+ ":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -297,9 +297,9 @@
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
srcs: [
- ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
- ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -332,14 +332,14 @@
seapp_contexts {
name: "vendor_seapp_contexts",
srcs: [
- ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
- ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ":seapp_contexts_files{.reqd_mask}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
soc_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -351,9 +351,9 @@
":seapp_contexts_files{.odm}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
device_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -362,9 +362,9 @@
vndservice_contexts {
name: "vndservice_contexts",
srcs: [
- ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
- ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ":vndservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
index 401f78c..16132c6 100644
--- a/mac_permissions/Android.bp
+++ b/mac_permissions/Android.bp
@@ -72,14 +72,14 @@
mac_permissions {
name: "vendor_mac_permissions.xml",
keys: [
- ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.plat_vendor}",
":keys.conf{.vendor}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
- ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.plat_vendor}",
":mac_permissions.xml{.vendor}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
vendor: true,
}
@@ -88,11 +88,11 @@
name: "odm_mac_permissions.xml",
keys: [
":keys.conf{.odm}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.odm}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
device_specific: true,
}
diff --git a/private/artd.te b/private/artd.te
index 5fcd43a..3b234bf 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,7 +7,8 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fd use;
init_daemon_domain(artd)
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index fa9dd7d..21349df 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,4 +1,5 @@
-# Rules common to all binder service domains
+# Rules common to some specific binder service domains.
+# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
diff --git a/private/file_contexts b/private/file_contexts
index 68d765b..6ac2400 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,7 +256,6 @@
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
@@ -342,7 +341,6 @@
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
@@ -497,6 +495,9 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/property.te b/private/property.te
index 892c94e..90cfad2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -52,8 +52,10 @@
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
-
+system_internal_prop(enable_16k_pages_prop)
system_internal_prop(sensors_config_prop)
+system_internal_prop(hypervisor_pvmfw_prop)
+system_internal_prop(hypervisor_virtualizationmanager_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index a7f6732..39dd3b5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -700,6 +700,9 @@
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
+hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
hypervisor.memory_reclaim.supported u:object_r:hypervisor_restricted_prop:s0 exact bool
@@ -945,6 +948,10 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
+
+# Property for enabling 16k pages developer option.
+ro.product.build.16k_page.enabled u:object_r:enable_16k_pages_prop:s0 exact bool
+
ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.force.debuggable u:object_r:build_prop:s0 exact bool
diff --git a/private/system_app.te b/private/system_app.te
index e2bec30..d0d88e9 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@
# Allow developer settings to query gsid status
get_prop(system_app, gsid_prop)
+# Allow developer settings to check 16k pages boot option status
+get_prop(system_app, enable_16k_pages_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 2937e26..a743917 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -10,6 +10,8 @@
allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:file { getattr r_file_perms unlink };
allow traceur_app atrace_exec:file rx_file_perms;
# To exec the perfetto cmdline client and pass it the trace config on
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index cb2d0f6..d6f0e19 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -5,7 +5,7 @@
# Allow virtualizationmanager to communicate use, read and write over the adb connection.
allow virtualizationmanager adbd:fd use;
-allow virtualizationmanager adbd:unix_stream_socket { read write };
+allow virtualizationmanager adbd:unix_stream_socket { getattr read write };
# Allow writing VM logs to the shell console
allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
@@ -66,6 +66,16 @@
get_prop(virtualizationmanager, hypervisor_prop)
get_prop(virtualizationmanager, hypervisor_restricted_prop)
+# Allow virtualizationmanager to be read custom pvmfw.img configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
+dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+
+# Allow virtualizationmanager to be read custom virtualizationmanager configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
+dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 78a6e12..2d20195 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -75,6 +75,9 @@
# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;
+# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
+r_dir_file(virtualizationservice, vendor_configs_file)
+
neverallow {
domain
-init
diff --git a/public/attributes b/public/attributes
index 0fdbf13..fdac127 100644
--- a/public/attributes
+++ b/public/attributes
@@ -221,7 +221,8 @@
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
-# All domains used for binder service domains.
+# Specific domains that expose a binder service.
+# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4877f14..3748605 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -146,7 +146,7 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
+binder_call(dumpstate, { appdomain artd netd wificond })
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
diff --git a/public/logpersist.te b/public/logpersist.te
index 6c1c404..f2e856b 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -28,3 +28,8 @@
# -system_app # Smith.apk
# } logpersist:process transition;
neverallow * logpersist:process dyntransition;
+
+allowxperm logpersist misc_logd_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+};
diff --git a/public/te_macros b/public/te_macros
index c4ebc63..d2f4406 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -440,8 +440,7 @@
#####################################
# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
+# Deprecated. Consider granting the exact permissions required by your service.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')