Merge "Create virtmgr domain and initial policy"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 2ee0ae2..104ac81 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -25,7 +25,15 @@
ServiceFuzzerBindings = map[string][]string{
"android.hardware.audio.core.IConfig/default": EXCEPTION_NO_FUZZER,
"android.hardware.audio.core.IModule/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/a2dp": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/bluetooth": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/hearing_aid": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/msd": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/r_submix": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/stub": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/usb": EXCEPTION_NO_FUZZER,
"android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.sounddose.ISoundDoseFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
"android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
@@ -40,6 +48,7 @@
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
@@ -84,9 +93,9 @@
"android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sim.ISap/slot1": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sim.ISap/slot2": EXCEPTION_NO_FUZZER,
- "android.hardware.radio.sim.ISap/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
@@ -118,6 +127,7 @@
"android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
@@ -240,6 +250,7 @@
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
"gnss_time_update_service": EXCEPTION_NO_FUZZER,
+ "grammatical_inflection": EXCEPTION_NO_FUZZER,
"graphicsstats": EXCEPTION_NO_FUZZER,
"gpu": EXCEPTION_NO_FUZZER,
"hardware": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7d4fc8a..d300679 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -383,9 +383,9 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+neverallow * { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set
{ create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
+neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set { write unlink };
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
@@ -550,3 +550,6 @@
# These domains must not be crash dumped
neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
+
+# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
+neverallow domain encryptedstore_file:file no_x_file_perms;
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 522f090..5fa2e3a 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -31,11 +31,12 @@
allow encryptedstore sysfs_fs_ext4_features:dir search;
allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
-# encryptedstore to mount on /mnt/ directory
+# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# Unmount and mount filesystem
-allow encryptedstore labeledfs:filesystem { mount unmount };
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+allow encryptedstore labeledfs:filesystem { relabelfrom };
+allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index b94571d..da54361 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
allow extra_apk_file zipfusefs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
@@ -20,3 +21,6 @@
# /system/bin/mke2fs - used to format encryptedstore block device
type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ae9b095..0ccb250 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -167,3 +167,7 @@
#############################
# Directory for extra apks
/mnt/extra-apk u:object_r:extra_apk_file:s0
+
+#############################
+# Directory for encrypted storage (persistent across boot)
+/mnt/encryptedstore u:object_r:encryptedstore_file:s0
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 309210c..c1974c7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -36,7 +36,6 @@
create listen accept read getattr write setattr lock append bind
getopt setopt shutdown map
};
-neverallow microdroid_payload self:vsock_socket connect;
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
@@ -56,3 +55,10 @@
# Allow payload to communicate with microdroid manager
unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
+
+# Payload can read, write into encrypted storage directory
+allow microdroid_payload encryptedstore_file:dir create_dir_perms;
+allow microdroid_payload encryptedstore_file:file create_file_perms;
+
+# Never allow microdroid_payload to connect to vsock
+neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c2a3f4c..0d5786c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,7 +1,6 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+# microdroid uses far fewer properties than normal Android, so almost
+# every property is listed as an exact entry.
debug. u:object_r:debug_prop:s0 prefix
persist.debug. u:object_r:debug_prop:s0 prefix
@@ -119,6 +118,7 @@
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
+microdroid_manager.extra_apk.mounted. u:object_r:microdroid_manager_zipfuse_prop:s0 prefix bool
microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
diff --git a/private/artd.te b/private/artd.te
index 96b2990..88094e7 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -82,6 +82,18 @@
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 4e6c053..89afef2 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -9,10 +9,14 @@
apex_ready_prop
artd
credential_service
+ device_config_camera_native_prop
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
devicelock_service
+ fwk_camera_service
fwk_sensor_service
+ grammatical_inflection_service
+ hal_bluetooth_service
hal_bootctl_service
hal_cas_service
hal_remoteaccess_service
diff --git a/private/domain.te b/private/domain.te
index 787a559..2b2619b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,7 +2,9 @@
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+# We exempt crosvm because parts of its memory are inaccessible to the
+# kernel. TODO(b/238324526): Remove this.
+domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index a26726d..0cc450d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -28,6 +28,7 @@
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
+set_prop(flags_health_check, device_config_camera_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/property_contexts b/private/property_contexts
index 38ed8d5..32746cd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -247,6 +247,7 @@
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
@@ -468,7 +469,6 @@
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -507,6 +507,7 @@
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.core.gap.le.conn.only_init_1m_phy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -642,6 +643,7 @@
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 9064e5d..21f9b0c 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -16,6 +16,10 @@
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 12310d2..a0e77a2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -213,6 +213,10 @@
allow sdk_sandbox system_linker_exec:file execute_no_trans;
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
diff --git a/private/service_contexts b/private/service_contexts
index e9fc83c..04615c0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,8 +1,18 @@
+android.frameworks.cameraservice.service.ICameraService/default u:object_r:fwk_camera_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/a2dp u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/bluetooth u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/hearing_aid u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/msd u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/r_submix u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/stub u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/usb u:object_r:hal_audio_service:s0
android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
@@ -14,6 +24,7 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
@@ -62,9 +73,9 @@
android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
-android.hardware.radio.sim.ISap/slot1 u:object_r:hal_radio_service:s0
-android.hardware.radio.sim.ISap/slot2 u:object_r:hal_radio_service:s0
-android.hardware.radio.sim.ISap/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
@@ -218,6 +229,7 @@
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
gnss_time_update_service u:object_r:gnss_time_update_service:s0
+grammatical_inflection u:object_r:grammatical_inflection_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index a967dcf..54ad242 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -744,6 +744,7 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d41339a..c88e3f0 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -19,6 +19,7 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
add_hwservice(cameraserver, fwk_camera_hwservice)
allow cameraserver activity_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index f99243b..79e62d0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1101,6 +1101,7 @@
neverallow {
domain
-appdomain
+ -artd
-installd
} { app_data_file privapp_data_file }:lnk_file read;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c0af235..6b112dc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -150,6 +150,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 97177ba..53bbef2 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,8 +1,10 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
+binder_call(hal_bluetooth_server, servicemanager)
hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_service(hal_bluetooth, hal_bluetooth_service)
wakelock_use(hal_bluetooth);
diff --git a/public/hal_can.te b/public/hal_can.te
index 6d4cc89..d48c43f 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -10,5 +10,4 @@
# AIDL HAL for CAN buses (ICanController)
hal_attribute_service(hal_can_controller, hal_can_controller_service)
-binder_call(hal_can_controller, servicemanager)
-
+binder_use(hal_can_controller)
diff --git a/public/init.te b/public/init.te
index fa51ef5..a399b3a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -379,7 +379,8 @@
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
- allow init overlayfs_file:file { append };
+ allow init overlayfs_file:file { append rename };
+ allow init overlayfs_file:chr_file unlink;
allow init system_block_device:blk_file { write };
')
diff --git a/public/property.te b/public/property.te
index 00ae1bb..c0a3a6e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
diff --git a/public/service.te b/public/service.te
index 1fcaaf1..b4745bb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -7,6 +7,7 @@
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
+type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
@@ -135,6 +136,7 @@
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
+type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -272,6 +274,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..ee36784 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,4 @@
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
+
+binder_call(usbd, servicemanager)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a8655b0..2c9a74a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index b0912d4..f0098a8 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -6,6 +6,8 @@
allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+get_prop(hal_camera_default, device_config_camera_native_prop);
+
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
allow hal_camera_default dumpstate:fifo_file write;