Merge "Revert^2 "Use Soong-processed files for file_contexts.bin"" into main
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index b053c7a..de7355c 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -289,8 +289,8 @@
}
func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- if m.properties.Fc_sort == nil {
- m.properties.Fc_sort = proptools.BoolPtr(true)
+ if m.properties.Remove_comment == nil {
+ m.properties.Remove_comment = proptools.BoolPtr(true)
}
return m.buildGeneralContexts(ctx, inputs)
}
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 44c3243..05dc848 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -114,6 +114,7 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
@@ -392,6 +393,7 @@
"search": EXCEPTION_NO_FUZZER,
"search_ui": EXCEPTION_NO_FUZZER,
"secure_element": EXCEPTION_NO_FUZZER,
+ "security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
@@ -457,6 +459,7 @@
"uwb": EXCEPTION_NO_FUZZER,
"vcn_management": EXCEPTION_NO_FUZZER,
"vibrator": EXCEPTION_NO_FUZZER,
+ "vibrator_control": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
diff --git a/contexts/Android.bp b/contexts/Android.bp
index ca51847..914232a 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -103,6 +103,7 @@
":file_contexts_files{.vendor}",
],
soc_specific: true,
+ fc_sort: true,
}
file_contexts {
@@ -113,6 +114,7 @@
],
stem: "vendor_file_contexts",
recovery: true,
+ fc_sort: true,
}
file_contexts {
@@ -145,6 +147,7 @@
name: "odm_file_contexts",
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
+ fc_sort: true,
}
file_contexts {
@@ -152,6 +155,7 @@
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
+ fc_sort: true,
}
hwservice_contexts {
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 287f754..50d9de4 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -280,6 +280,8 @@
/dev/zero zero_device
/dev/__properties__ properties_device
/dev/__properties__/property_info property_info
+/dev/__properties__/appcompat_override properties_device
+/dev/__properties__/appcompat_override/property_info property_info
/linkerconfig linkerconfig_file
/linkerconfig/test linkerconfig_file
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e483237..046f20f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -72,7 +72,9 @@
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 2dbf495..896590d 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -32,11 +32,11 @@
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/socket
@@ -435,7 +435,3 @@
# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };
-
-# Workaround for test failures (b/306516077)
-# We get a denial for this on VM boot, but the denial is correct.
-dontaudit init device:file relabelto;
diff --git a/private/access_vectors b/private/access_vectors
index adb3a61..32d73dd 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@
early_boot_ended
get_attestation_key
get_auth_token
+ get_last_auth_time
get_state
list
lock
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e3869cd..46cea8e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -34,6 +34,8 @@
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
+allow app_zygote properties_device:dir mounton;
+
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
diff --git a/private/attributes b/private/attributes
index 77143a3..fe50b0d 100644
--- a/private/attributes
+++ b/private/attributes
@@ -13,4 +13,5 @@
# All SDK sandbox domains
attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/private/bug_map b/private/bug_map
index f35fbca..53cb8b1 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -20,6 +20,7 @@
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
mediaswcodec ashmem_device chr_file b/142679232
+platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
@@ -30,4 +31,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
+zygote labeledfs filesystem b/170748799
\ No newline at end of file
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 69902d8..d98d69e 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,11 +9,14 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_authgraph_service
+ vibrator_control_service
hal_codec2_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
remote_auth_service
+ security_state_service
sysfs_sync_on_suspend
threadnetwork_service
device_config_aconfig_flags_prop
@@ -21,4 +24,5 @@
virtual_device_native_service
next_boot_prop
binderfs_logs_stats
+ drm_forcel3_prop
))
diff --git a/private/file_contexts b/private/file_contexts
index 2d9b30d..2481c07 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -200,7 +200,9 @@
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
diff --git a/private/init.te b/private/init.te
index 67e5561..9d3a2c3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -123,7 +123,3 @@
-vm_manager_device_type
-port_device
}:chr_file setattr;
-
-# Workaround for test failures (b/306516077)
-# We get a denial for this on boot, but the denial is correct.
-dontaudit init device:file relabelto;
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 1021fd9..066d3d5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -29,3 +29,6 @@
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)
+
+# Allow OT daemon to write to statsd
+unix_socket_send(ot_daemon, statsdw, statsd)
diff --git a/private/property_contexts b/private/property_contexts
index 6c81c03..69e4ec2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -827,6 +827,7 @@
drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
+persist.drm.forcel3.enabled u:object_r:drm_forcel3_prop:s0 exact bool
drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index d45da88..bb15057 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@@ -3,89 +3,7 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
new file mode 100644
index 0000000..bb531ca
--- /dev/null
+++ b/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+ cameraserver_service
+ ephemeral_app_api_service
+ mediadrmserver_service
+ radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:dir rw_dir_perms;
diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
new file mode 100644
index 0000000..55e5bc1
--- /dev/null
+++ b/private/sdk_sandbox_current.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index bc68209..74701df 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -13,6 +13,7 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
+# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -49,10 +50,20 @@
# to provide isolated processes with relaxed security restrictions.
# An unspecified isIsolatedComputeApp defaults to false.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
# An unspecified isSdkSandboxNext defaults to false.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -174,6 +185,7 @@
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index a1fb06b..3b088bf 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -89,6 +89,7 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
@@ -368,6 +369,7 @@
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
@@ -433,6 +435,7 @@
uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
+vibrator_control u:object_r:vibrator_control_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
virtualdevice u:object_r:virtual_device_service:s0
virtualdevice_native u:object_r:virtual_device_native_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 4f344cc..06b0feb 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -52,6 +52,7 @@
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
+set_prop(system_app, drm_forcel3_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index efdeff4..3d49a65 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -306,6 +306,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
@@ -927,6 +928,9 @@
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;
+# Read /sys/fs/selinux/policy
+allow system_server kernel:security read_policy;
+
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server audioserver_service:service_manager find;
@@ -979,6 +983,7 @@
change_user
clear_ns
clear_uid
+ get_last_auth_time
lock
pull_metrics
reset
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 0556950..7b05af2 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,8 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+allow webview_zygote properties_device:dir mounton;
+
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
diff --git a/private/zygote.te b/private/zygote.te
index 788dafe..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -76,6 +76,8 @@
user_profile_data_file
# /storage/emulated/$userId/Android/{data,obb}
media_rw_data_file
+ # /dev/__properties__
+ properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
diff --git a/public/attributes b/public/attributes
index d2b2cc1..a5d666e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -331,6 +331,7 @@
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
+hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
diff --git a/public/domain.te b/public/domain.te
index bed0d7d..ec8b247 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -337,10 +337,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
###
### neverallow rules
###
@@ -440,6 +436,10 @@
neverallow * init:binder *;
neverallow * vendor_init:binder *;
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c52ca15..496d95974 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
diff --git a/public/hal_authgraph.te b/public/hal_authgraph.te
new file mode 100644
index 0000000..f053cb0
--- /dev/null
+++ b/public/hal_authgraph.te
@@ -0,0 +1,7 @@
+binder_call(hal_authgraph_client, hal_authgraph_server)
+
+hal_attribute_service(hal_authgraph, hal_authgraph_service)
+binder_call(hal_authgraph_server, servicemanager)
+
+allow hal_authgraph_server tee_device:chr_file rw_file_perms;
+allow hal_authgraph_server ion_device:chr_file r_file_perms;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 34ca0b2..0ee0c5f 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -13,6 +13,8 @@
# Permit reading device's serial number from system properties
get_prop(hal_drm_server, serialno_prop)
+# Permit reading force L3 system property
+get_prop(hal_drm_server, drm_forcel3_prop)
# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index c902495..85b8e8c 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -12,3 +12,6 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
+
+# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
+allow hal_vibrator vibrator_control_service:service_manager find;
diff --git a/public/init.te b/public/init.te
index e552ec2..29dd42d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -26,7 +26,7 @@
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
diff --git a/public/property.te b/public/property.te
index 67463a5..1a5b105 100644
--- a/public/property.te
+++ b/public/property.te
@@ -75,6 +75,7 @@
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_vendor_system_native_boot_prop)
+system_restricted_prop(drm_forcel3_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
@@ -103,7 +104,6 @@
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_restricted_prop(config_prop)
diff --git a/public/service.te b/public/service.te
index e018e40..77196d3 100644
--- a/public/service.te
+++ b/public/service.te
@@ -212,6 +212,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -253,6 +254,7 @@
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_control_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
@@ -279,6 +281,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 21bc87a..02882af 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -228,6 +228,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
diff --git a/vendor/file_contexts b/vendor/file_contexts
index efe0b71..5bae6c5 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -97,6 +97,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/vendor/hal_authgraph_default.te b/vendor/hal_authgraph_default.te
new file mode 100644
index 0000000..1676cca
--- /dev/null
+++ b/vendor/hal_authgraph_default.te
@@ -0,0 +1,5 @@
+type hal_authgraph_default, domain;
+hal_server_domain(hal_authgraph_default, hal_authgraph)
+
+type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authgraph_default)
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
index ab474d6..4b4ee46 100644
--- a/vendor/hal_drm_clearkey.te
+++ b/vendor/hal_drm_clearkey.te
@@ -4,3 +4,4 @@
init_daemon_domain(hal_drm_clearkey_aidl)
hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
+allow hal_drm_clearkey_aidl mediacodec:fd use;