Merge "Revert "Remove implicit access for isolated_app"" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 49481bd..48a3890 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -52,6 +52,7 @@
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
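Review bot: The new `android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default` entry is registered with `EXCEPTION_NO_FUZZER`, so a newly added service ships without fuzz coverage and nothing on the line says why. If a fuzzer cannot land with this change, a trailing comment with a tracking reference would keep the exemption from becoming permanent, e.g. `// TODO(b/<bug-id-placeholder>): add fuzzer for IBluetoothChannelSounding`. The entry is also unconditional, whereas the matching `private/service_contexts` line is wrapped in `is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, ...)`; it is worth confirming the bindings check tolerates an entry with no context when the flag is off. The map literal starts and ends outside the hunk.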
diff --git a/flagging/Android.bp b/flagging/Android.bp
index b61b41d..55e116b 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -16,14 +16,20 @@
se_policy_conf_defaults {
name: "se_policy_conf_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
- flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
+ flags: [
+ "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+ "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+ ],
}
contexts_defaults {
name: "contexts_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
- flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
+ flags: [
+ "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+ "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+ ],
}
filegroup {
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 8795798..d615d9b 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
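Review bot: `dontaudit gmscore_app kernel:security *;` silences every permission in the `security` class, which includes denials for `setenforce` and `load_policy` as well as whatever benign check prompted the rule. Those denials are useful signals in audit logs, so the rule would be safer listing only the permission seen in the observed denial, `dontaudit gmscore_app kernel:security <observed_perm>;`, with a comment naming the source of the noise. The same line is added in `prebuilts/api/34.0/private/gmscore_app.te`, and the point applies there too.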
diff --git a/prebuilts/api/34.0/private/dex2oat.te b/prebuilts/api/34.0/private/dex2oat.te
index ea9ab9c..6ada2e2 100644
--- a/prebuilts/api/34.0/private/dex2oat.te
+++ b/prebuilts/api/34.0/private/dex2oat.te
@@ -82,7 +82,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/prebuilts/api/34.0/private/fastbootd.te b/prebuilts/api/34.0/private/fastbootd.te
index 7dc1741..a189d23 100644
--- a/prebuilts/api/34.0/private/fastbootd.te
+++ b/prebuilts/api/34.0/private/fastbootd.te
@@ -42,6 +42,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+ set_prop(fastbootd, boottime_prop)
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
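Review bot: `set_prop(fastbootd, boottime_prop)` is added without a comment and sits directly under `# Mount /metadata to interact with Virtual A/B snapshots.`, so it reads as if it belonged to that rule. Write access to a property context deserves its own rationale. A separate comment line above it, for example `# Allow fastbootd to set boot timing properties.` (wording to be confirmed by the author), with a blank line before it, would make the grant auditable.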
diff --git a/prebuilts/api/34.0/private/gmscore_app.te b/prebuilts/api/34.0/private/gmscore_app.te
index 46b90c6..b662f4f 100644
--- a/prebuilts/api/34.0/private/gmscore_app.te
+++ b/prebuilts/api/34.0/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/34.0/private/gsid.te b/prebuilts/api/34.0/private/gsid.te
index e795cea..9391016 100644
--- a/prebuilts/api/34.0/private/gsid.te
+++ b/prebuilts/api/34.0/private/gsid.te
@@ -150,7 +150,7 @@
allow gsid {
gsi_data_file
ota_image_data_file
-}:dir rw_dir_perms;
+}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
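Review bot: Changing `rw_dir_perms` to `create_dir_perms` on `gsi_data_file` and `ota_image_data_file` additionally lets gsid create, rename and remove directories under those labels, and the hunk carries no comment saying which operation needs it. A comment naming the operation would justify the wider grant. If only directory creation is needed, adding just `create` to the existing `rw_dir_perms` set would stay closer to least privilege. Any comment for this `allow` block is outside the hunk, and the following `allow gsid {` block runs past its end.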
diff --git a/prebuilts/api/34.0/private/otapreopt_chroot.te b/prebuilts/api/34.0/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/prebuilts/api/34.0/private/otapreopt_chroot.te
+++ b/prebuilts/api/34.0/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/34.0/private/service.te b/prebuilts/api/34.0/private/service.te
index 3717150..98be17d 100644
--- a/prebuilts/api/34.0/private/service.te
+++ b/prebuilts/api/34.0/private/service.te
@@ -4,6 +4,7 @@
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type feature_flags_service, app_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
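Review bot: `feature_flags_service` carries `app_api_service`, which makes the service findable from ordinary app domains. Nothing in the hunk shows how access to flag state is gated, so it is worth confirming that any mutating methods enforce a permission check in the service itself rather than relying on SELinux `find` restrictions. A short comment above the type stating the expected callers would help later audits of the app-facing service surface.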
diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts
index 3bb9c85..553a71d 100644
--- a/prebuilts/api/34.0/private/service_contexts
+++ b/prebuilts/api/34.0/private/service_contexts
@@ -226,6 +226,7 @@
external_vibrator_service u:object_r:external_vibrator_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
+feature_flags u:object_r:feature_flags_service:s0
file_integrity u:object_r:file_integrity_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
diff --git a/private/service_contexts b/private/service_contexts
index 091ab99..ce151f0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -30,6 +30,9 @@
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
+is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
+ android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default u:object_r:hal_bluetooth_service:s0
+')
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 88c3a62..31e10bb 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -159,6 +159,9 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow system apps to read game manager related sysrops
+get_prop(system_app, game_manager_config_prop)
+
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
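Review bot: The added comment misspells `sysprops` as `sysrops` and starts in lower case, unlike the neighbouring comments; `# Allow system apps to read game manager related sysprops` reads correctly. It would also help to name the consumer, as the next rule does with `# Settings app reads ro.oem_unlock_supported`, so the grant to the whole `system_app` domain can be traced to a caller.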
diff --git a/private/system_server.te b/private/system_server.te
index bab31ae..474a7b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -388,6 +388,7 @@
mediatuner
netd
sdcardd
+ servicemanager
statsd
surfaceflinger
vold
diff --git a/public/domain.te b/public/domain.te
index ec8b247..d630a24 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -337,6 +337,10 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
###
### neverallow rules
###
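Review bot: `get_prop(domain, device_config_media_native_prop)` grants the read to every domain, including the most restricted app sandboxes, presumably because libstagefright can be loaded in many processes. That is acceptable only while every property under this context is non-sensitive, so the comment should state that constraint, e.g. `# Values under this context are readable by all domains; do not store sensitive data here.` If an attribute covering only the processes that use libstagefright is available, it would be preferable to `domain`.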
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 472d894..60cda48 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -29,4 +29,4 @@
# codec2 aidl graphic buffer allocation waitable object
allow hal_codec2_server su:fifo_file read;
allow hal_codec2_server mediaserver:fifo_file read;
-allow hal_codec2_server untrusted_app:fifo_file read;
+allow hal_codec2_server untrusted_app_all:fifo_file read;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2790ef4..9929d7d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,6 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
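Review bot: The ranging service binary is labelled `hal_bluetooth_default_exec`, so it presumably runs in the same domain as the core Bluetooth HAL and the finder service and inherits all of that domain's permissions. If channel sounding needs less than the HCI service does, a dedicated exec type and domain would limit what a bug in the ranging service can reach. Unlike the `private/service_contexts` entry, this label is not guarded by `RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE`; that is probably harmless for a file label but worth confirming.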