Merge "Policy: file errors include files with attrs"
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 7041276..069f82f 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,6 +17,7 @@
framework_watchdog_config_prop
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
gnss_device
diff --git a/private/init.te b/private/init.te
index 1f7ce25..02d45a1 100644
--- a/private/init.te
+++ b/private/init.te
@@ -55,6 +55,13 @@
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 2d90875..1399ff4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -585,36 +585,97 @@
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-ro.build.date u:object_r:build_prop:s0 exact string
-ro.build.date.utc u:object_r:build_prop:s0 exact int
-ro.build.description u:object_r:build_prop:s0 exact string
-ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.host u:object_r:build_prop:s0 exact string
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.product u:object_r:build_prop:s0 exact string
-ro.build.system_root_image u:object_r:build_prop:s0 exact bool
-ro.build.tags u:object_r:build_prop:s0 exact string
-ro.build.type u:object_r:build_prop:s0 exact string
-ro.build.user u:object_r:build_prop:s0 exact string
-ro.build.version.base_os u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.characteristics u:object_r:build_prop:s0 exact string
+ro.build.date u:object_r:build_prop:s0 exact string
+ro.build.date.utc u:object_r:build_prop:s0 exact int
+ro.build.description u:object_r:build_prop:s0 exact string
+ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.flavor u:object_r:build_prop:s0 exact string
+ro.build.host u:object_r:build_prop:s0 exact string
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.product u:object_r:build_prop:s0 exact string
+ro.build.system_root_image u:object_r:build_prop:s0 exact bool
+ro.build.tags u:object_r:build_prop:s0 exact string
+ro.build.type u:object_r:build_prop:s0 exact string
+ro.build.user u:object_r:build_prop:s0 exact string
+ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
+ro.build.version.base_os u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+
+ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.treble.enabled u:object_r:build_prop:s0 exact bool
+
ro.product.cpu.abi u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.system.brand u:object_r:build_prop:s0 exact string
+ro.product.system.device u:object_r:build_prop:s0 exact string
+ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system.model u:object_r:build_prop:s0 exact string
+ro.product.system.name u:object_r:build_prop:s0 exact string
+
+ro.system.build.date u:object_r:build_prop:s0 exact string
+ro.system.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system.build.id u:object_r:build_prop:s0 exact string
+ro.system.build.tags u:object_r:build_prop:s0 exact string
+ro.system.build.type u:object_r:build_prop:s0 exact string
+ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system.build.version.release u:object_r:build_prop:s0 exact string
+ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
+
ro.adb.secure u:object_r:build_prop:s0 exact bool
ro.secure u:object_r:build_prop:s0 exact int
+ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
+ro.product.system_ext.device u:object_r:build_prop:s0 exact string
+ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system_ext.model u:object_r:build_prop:s0 exact string
+ro.product.system_ext.name u:object_r:build_prop:s0 exact string
+
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string
+ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system_ext.build.id u:object_r:build_prop:s0 exact string
+ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
+ro.system_ext.build.type u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
+ro.product.product.brand u:object_r:build_prop:s0 exact string
+ro.product.product.device u:object_r:build_prop:s0 exact string
+ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.product.model u:object_r:build_prop:s0 exact string
+ro.product.product.name u:object_r:build_prop:s0 exact string
+
+ro.product.build.date u:object_r:build_prop:s0 exact string
+ro.product.build.date.utc u:object_r:build_prop:s0 exact int
+ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.product.build.id u:object_r:build_prop:s0 exact string
+ro.product.build.tags u:object_r:build_prop:s0 exact string
+ro.product.build.type u:object_r:build_prop:s0 exact string
+ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.product.build.version.release u:object_r:build_prop:s0 exact string
+ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
+
# These 5 properties are set by property_service
ro.product.brand u:object_r:build_prop:s0 exact string
ro.product.device u:object_r:build_prop:s0 exact string
@@ -647,30 +708,40 @@
ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.odm_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.old_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
ro.product.board u:object_r:build_vendor_prop:s0 exact string
ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -680,6 +751,24 @@
ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
diff --git a/private/service_contexts b/private/service_contexts
index eb12633..02ec5d2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
diff --git a/private/shell.te b/private/shell.te
index f40f89d..b4d3505 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,6 +73,10 @@
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
+# Allow (host-driven) ART run-tests to execute dex2oat, in order to
+# check ART's compiler.
+allow shell dex2oat_exec:file rx_file_perms;
+
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 4a52b89..3962cc8 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,3 +3,8 @@
binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+
+add_service(hal_audiocontrol_server, hal_audiocontrol_service)
+binder_call(hal_audiocontrol_server, servicemanager)
+
+allow hal_audiocontrol_client hal_audiocontrol_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index cf268f8..3cbbdff 100644
--- a/public/service.te
+++ b/public/service.te
@@ -218,6 +218,7 @@
### HAL Services
###
+type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index c92be7a..01dda04 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -12,7 +12,22 @@
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
def TestSystemTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+ partitions = ["/system/", "/system_ext/", "/product/"]
+ exceptions = [
+ # devices before treble don't have a vendor partition
+ "/system/vendor/",
+
+ # overlay files are mounted over vendor
+ "/product/overlay/",
+ "/product/vendor_overlay/",
+ "/system/overlay/",
+ "/system/product/overlay/",
+ "/system/product/vendor_overlay/",
+ "/system/system_ext/overlay/",
+ "/system_ext/overlay/",
+ ]
+
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -31,7 +46,13 @@
return ret
def TestVendorTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+ partitions = ["/vendor/", "/odm/"]
+ exceptions = [
+ "/vendor/etc/selinux/",
+ "/vendor/odm/etc/selinux/",
+ "/odm/etc/selinux/",
+ ]
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 88e8d39..3a38bd9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,8 +4,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0