Merge "SEPolicy: Add LEA codec_extension_aidl property" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index a69d649..35b7d7f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -524,7 +524,7 @@
 		"wifiaware":                              EXCEPTION_NO_FUZZER,
 		"wifi_usd":                               EXCEPTION_NO_FUZZER,
 		"wifirtt":                                EXCEPTION_NO_FUZZER,
-		"wifi_mainline_supplicant":               EXCEPTION_NO_FUZZER, // defined internally
+		"wifi_mainline_supplicant":               []string{"mainline_supplicant_service_fuzzer"},
 		"window":                                 EXCEPTION_NO_FUZZER,
 		"*":                                      EXCEPTION_NO_FUZZER,
 	}
diff --git a/private/app.te b/private/app.te
index b359663..a32cdb2 100644
--- a/private/app.te
+++ b/private/app.te
@@ -371,7 +371,7 @@
 
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir w_dir_perms;
+allow appdomain user_profile_data_file:dir rw_dir_perms;
 allow appdomain user_profile_data_file:file create_file_perms;
 
 # Allow writing performance tracing data into the perfetto traced daemon.
diff --git a/private/domain.te b/private/domain.te
index 4282b4d..b912aae 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2318,7 +2318,7 @@
     domain
 
     # these are expected
-    -early_virtmgr
+    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
     -virtualizationmanager
     -virtualizationservice
     -adbd_common # maybe should move to emulator/virtual device specific policy
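Review bot: The exclusion of early_virtmgr from this neverallow is now emitted only when RELEASE_AVF_ENABLE_EARLY_VM is set, but the "# these are expected" comment above it no longer explains why this one entry is flag-guarded while its neighbours are not. Presumably the early_virtmgr type itself only exists under that flag, so an unconditional `-early_virtmgr` would fail to compile on builds without it; if so, say it: `# these are expected; early_virtmgr only exists when RELEASE_AVF_ENABLE_EARLY_VM is set`. The neverallow statement this list belongs to begins before the hunk, so its subject and permissions are not visible here.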
diff --git a/private/property_contexts b/private/property_contexts
index 02efe22..d7c2c94 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -730,6 +730,8 @@
 
 bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.hfp.software_datapath.enabled              u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.hfp.codec_aptx_voice.enabled               u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.hfp.swb.aptx.power_management.enabled      u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.sco.disable_enhanced_connection            u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.sco.managed_by_audio                       u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.core.le.dsa_transport_preference           u:object_r:bluetooth_config_prop:s0 exact string
diff --git a/private/system_server.te b/private/system_server.te
index 7bdcaef..bdfec3b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1296,7 +1296,7 @@
 
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
-  allow system_server user_profile_data_file:dir w_dir_perms;
+  allow system_server user_profile_data_file:dir rw_dir_perms;
   allow system_server user_profile_data_file:file create_file_perms;
 ')
 # Allow system server to load JVMTI agents under control of a property.
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index ef34c31..6c398a2 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -7,6 +7,9 @@
 allow vmlauncher_app app_api_service:service_manager find;
 allow vmlauncher_app system_api_service:service_manager find;
 
+# TODO(b/402303887): Remove this when WebView doesn't requires camera access.
+allow vmlauncher_app cameraserver_service:service_manager find;
+
 allow vmlauncher_app shell_data_file:dir search;
 allow vmlauncher_app shell_data_file:file { read open write };
 virtualizationservice_use(vmlauncher_app)
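Review bot: The new TODO comment has a grammar slip ("doesn't requires") and, more importantly, it does not say what the find grant actually enables, which matters because a service_manager find on cameraserver_service is the first step toward camera use from a VM launcher app. Suggest `# TODO(b/402303887): Remove this when WebView no longer requires camera access. This only lets the app look up cameraserver; actual camera use is still subject to cameraserver's own permission checks.` — the second sentence is my understanding of how cameraserver gates access and should be confirmed before it is written down. Keeping the bug reference next to the rule is good; consider also noting in the bug that this rule is the thing to delete, so the grant does not outlive its reason.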
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 1dd2e3d..df7d1a2 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -24,6 +24,7 @@
 define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
 define(`APM_IOC_STANDBY', `0x00004101')
 define(`APM_IOC_SUSPEND', `0x00004102')
+define(`ASHMEM_GET_FILE_ID', `0x8008770b')
 define(`ASHMEM_GET_NAME', `0x81007702')
 define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
 define(`ASHMEM_GET_PROT_MASK', `0x00007706')
@@ -726,6 +727,9 @@
 define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
 define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
 define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`F2FS_IOC_START_ATOMIC_REPLACE', `0xf519')
+define(`F2FS_IOC_GET_DEV_ALIAS_FILE', `0xf51a')
+define(`F2FS_IOC_IO_PRIO', `0xf51b')
 define(`F2FS_IOC_SHUTDOWN', `0x587d')
 define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
 define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 64ee1b0..6757acd 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -75,3 +75,10 @@
 BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
 BINDER_GET_EXTENDED_ERROR
 }')
+
+# ashmem ioctls to be used on memfds for compatibility
+define(`ashmem_ioctls', `{
+ASHMEM_SET_NAME ASHMEM_GET_NAME ASHMEM_SET_SIZE ASHMEM_GET_SIZE
+ASHMEM_SET_PROT_MASK ASHMEM_GET_PROT_MASK ASHMEM_PIN ASHMEM_UNPIN
+ASHMEM_GET_PIN_STATUS ASHMEM_PURGE_ALL_CACHES ASHMEM_GET_FILE_ID
+}')
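Review bot: The comment on the new ashmem_ioctls macro says what the set is for but not where it is consumed, and that matters because the same change wires it into both tmpfs_domain and the appdomain tmpfs rules in public/te_macros, so any ioctl added to this list later is granted to every domain that uses those macros at once. Suggest expanding the comment to `# ashmem ioctls to be used on memfds for compatibility. Granted via allowxperm to every tmpfs_domain() user and to all app domains; adding an entry here widens all of them.` ASHMEM_GET_FILE_ID in the list matches the define added to public/ioctl_defines in this same change, so the set resolves; the other names are assumed to already be defined there.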
diff --git a/public/te_macros b/public/te_macros
index 2ba15b3..78e75a0 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -75,7 +75,8 @@
 # Allow access to a unique type for this domain when creating tmpfs / ashmem files.
 define(`tmpfs_domain', `
 type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr map };
+allow $1 $1_tmpfs:file { read write getattr map ioctl };
+allowxperm $1 $1_tmpfs:file ioctl ashmem_ioctls;
 ')
 
 # pdx macros for IPC. pdx is a high-level name which contains transport-specific
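Review bot: The header comment of tmpfs_domain still describes only "creating tmpfs / ashmem files" while the macro now also hands the domain `ioctl` on its $1_tmpfs files, with the allowxperm line correctly narrowing that to the ashmem_ioctls set. Worth stating the narrowing in the comment so a later edit does not drop the allowxperm and leave an unrestricted ioctl behind: `# Allow access to a unique type for this domain when creating tmpfs / ashmem files. ioctl is limited to the ashmem compatibility set (ashmem_ioctls); keep the allowxperm in step with the allow.` The appdomain hunk later in this file makes the identical allow plus allowxperm addition on appdomain_tmpfs and should carry the same note.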
@@ -243,7 +244,8 @@
 # Label tmpfs objects for all apps.
 type_transition $1 tmpfs:file appdomain_tmpfs;
 userfaultfd_use($1)
-allow $1 appdomain_tmpfs:file { execute getattr map read write };
+allow $1 appdomain_tmpfs:file { execute getattr map read write ioctl };
+allowxperm $1 appdomain_tmpfs:file ioctl ashmem_ioctls;
 neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity