Merge "Allow init to launch BootControlHAL in recovery"
diff --git a/Android.mk b/Android.mk
index 21bc6a9..c3728fd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -477,6 +477,7 @@
 LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 endif
 
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
 endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 
 
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 29f4f1a..e72693a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -395,10 +395,12 @@
 
 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
   domain
   -init
   -shell
+  -system_app
 } {
   arm64_memtag_prop
 }:property_service set;
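Review bot: The new `-system_app` exemption widens who may set `arm64_memtag_prop` from init and shell to the entire system_app domain, i.e. every platform-signed app, not only the Developer Options UI the added comment names. That scope should be stated next to the exemption so a later auditor does not read it as Settings-only: `# Note: this exempts the whole system_app domain (all platform-signed apps), not just Settings.` This file is a prebuilts/api snapshot; the same exemption is presumably already present in the live private/property.te, which this diff does not touch — worth confirming, since the compat check would otherwise diverge.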
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 239686e..41fac62 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -34,6 +34,7 @@
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)
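Review bot: `set_prop(system_app, arm64_memtag_prop)` is added without a comment saying which app needs it, while the companion property.te change in this commit explains it is for Developer Options. Put that intent where the grant lives, e.g. `# Settings/Developer Options toggles the MTE properties (arm64_memtag_prop)`, so someone auditing system_app's write set sees this was a deliberate widening to a memory-safety control rather than a stray grant. The rule lands in an alphabetical list of set_prop calls and is correctly ordered there.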
diff --git a/prebuilts/api/32.0/private/property.te b/prebuilts/api/32.0/private/property.te
index 587cf5e..77e1a7d 100644
--- a/prebuilts/api/32.0/private/property.te
+++ b/prebuilts/api/32.0/private/property.te
@@ -396,10 +396,12 @@
 
 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
   domain
   -init
   -shell
+  -system_app
 } {
   arm64_memtag_prop
 }:property_service set;
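Review bot: Exempting `system_app` from this neverallow lets every process in that domain — all platform-signed apps, not only Settings — set `arm64_memtag_prop`, which is broader than the "so Developer Options can set them" comment suggests. Record the real scope beside the exemption: `# Note: exempts the whole system_app domain, not only Settings.` As with the 31.0 snapshot, confirm the live private/property.te (not in this diff) carries the same exemption, otherwise the prebuilt and the policy disagree.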
diff --git a/prebuilts/api/32.0/private/system_app.te b/prebuilts/api/32.0/private/system_app.te
index 239686e..41fac62 100644
--- a/prebuilts/api/32.0/private/system_app.te
+++ b/prebuilts/api/32.0/private/system_app.te
@@ -34,6 +34,7 @@
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)
diff --git a/private/apexd.te b/private/apexd.te
index 0482090..b74d4ee 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -133,7 +133,6 @@
 
 # Allow apexd to send control messages to load/unload apex from init
 set_prop(apexd, ctl_apex_load_prop)
-get_prop(apexd, init_apex_status_private_prop)
 
 # Find the vold service, and call into vold to manage FS checkpoints
 allow apexd vold_service:service_manager find;
@@ -210,3 +209,6 @@
 
 # Allow calling derive_classpath to gather BCP information for staged sessions
 domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
+
+# Allow set apex ready property
+set_prop(apexd, apex_ready_prop)
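Review bot: The comment `# Allow set apex ready property` is ungrammatical and does not say what the property is or who consumes it, even though the property_contexts and vendor_init.te changes in this same commit define it as `apex.<apex-name>.ready` read to start services shipped in APEXes. Suggest `# Allow apexd to set apex.<name>.ready; vendor_init (and coredomain) read it to start services from APEXes.` Since apexd is one of only two domains allowed to set this property, naming the consumer here makes the trust relationship explicit.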
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0d6d42c..1a1ed62 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,7 +123,7 @@
 # Apps can read/write an already open vsock (e.g. created by
 # virtualizationservice) but nothing more than that (e.g. creating a
 # new vsock, etc.)
-neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
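Review bot: Adding `getopt` to the permitted vsock_socket operations leaves the comment above the neverallow stale — it still says apps may only read/write an already-open vsock. Update it to `# Apps can read/write and query options (getopt) on an already open vsock (e.g. created by virtualizationservice) but nothing more than that`. It is also worth stating that `setopt` remains excluded, so untrusted apps can inspect but not change socket options; this line is the hard ceiling for untrusted apps and the exact permitted set should be readable without decoding the complement.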
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 0fb0a1c..5dba020 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1577,7 +1577,8 @@
 (typeattributeset proc_29_0
   ( proc
     proc_kpageflags
-    proc_lowmemorykiller))
+    proc_lowmemorykiller
+    proc_watermark_scale_factor))
 (typeattributeset proc_abi_29_0 (proc_abi))
 (typeattributeset proc_asound_29_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9f40876..44044fb 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1820,7 +1820,8 @@
 (typeattributeset privapp_data_file_30_0 (privapp_data_file))
 (typeattributeset proc_30_0
   ( proc
-    proc_bootconfig))
+    proc_bootconfig
+    proc_watermark_scale_factor))
 (typeattributeset proc_abi_30_0 (proc_abi))
 (typeattributeset proc_asound_30_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index ba6944e..0e90912 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1974,6 +1974,7 @@
   ( proc
     proc_bpf
     proc_cpu_alignment
+    proc_watermark_scale_factor
 ))
 (typeattributeset proc_abi_31_0 (proc_abi))
 (typeattributeset proc_asound_31_0 (proc_asound))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 496832e..a5a3475 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -39,7 +39,6 @@
     tare_service
     transformer_service
     proc_watermark_boost_factor
-    proc_watermark_scale_factor
     untrusted_app_30
     proc_vendor_sched
     sdk_sandbox_service
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index a99b628..3672436 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -1972,7 +1972,10 @@
 (typeattributeset print_service_32_0 (print_service))
 (typeattributeset priv_app_32_0 (priv_app))
 (typeattributeset privapp_data_file_32_0 (privapp_data_file))
-(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc))
+(typeattributeset proc_32_0 (proc_bpf))
+(typeattributeset proc_32_0 (proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc_watermark_scale_factor))
 (typeattributeset proc_abi_32_0 (proc_abi))
 (typeattributeset proc_asound_32_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_32_0 (proc_bluetooth_writable))
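Review bot: The proc_32_0 mapping is rewritten as four separate `(typeattributeset proc_32_0 ...)` statements, which is stylistically inconsistent with the 29.0, 30.0 and 31.0 hunks of this same change that keep one statement with a multi-line list, and with the single-line form the original line used. Prefer one statement: `(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment proc_watermark_scale_factor))`. Keeping one statement per attribute also makes it easier to grep the full set of types mapped to the old `proc` type when auditing what a 32.0 vendor policy can still reach.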
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 18de796..50e3be7 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -60,7 +60,6 @@
     nearby_service
     persist_wm_debug_prop
     proc_watermark_boost_factor
-    proc_watermark_scale_factor
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 40c035e..90e2eaf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,10 +5,12 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    apex_ready_prop
     artd
     device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
     hal_bootctl_service
+    hal_tv_input_service
     keystore_config_prop
     permissive_mte_prop
     servicemanager_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index 9888fa4..c041ca3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,3 +1,4 @@
+get_prop(coredomain, apex_ready_prop)
 get_prop(coredomain, boot_status_prop)
 get_prop(coredomain, camera_config_prop)
 get_prop(coredomain, dalvik_config_prop)
@@ -7,7 +8,6 @@
 get_prop(coredomain, graphics_config_prop)
 get_prop(coredomain, hdmi_config_prop)
 get_prop(coredomain, init_service_status_private_prop)
-get_prop(coredomain, init_apex_status_private_prop)
 get_prop(coredomain, lmkd_config_prop)
 get_prop(coredomain, localization_prop)
 get_prop(coredomain, pm_prop)
diff --git a/private/file_contexts b/private/file_contexts
index fedea70..f5d40c8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -369,7 +369,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
 /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
diff --git a/private/property.te b/private/property.te
index ddb427d..27a8e38 100644
--- a/private/property.te
+++ b/private/property.te
@@ -47,7 +47,6 @@
 system_internal_prop(ctl_odsign_prop)
 system_internal_prop(virtualizationservice_prop)
 system_internal_prop(ctl_apex_load_prop)
-system_internal_prop(init_apex_status_private_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -633,11 +632,6 @@
 neverallow {
   domain
   -init
-} init_apex_status_private_prop:property_service set;
-
-neverallow {
-  domain
-  -init
   -apexd
 } ctl_apex_load_prop:property_service set;
 
@@ -647,7 +641,21 @@
   -init
   -dumpstate
   -apexd
-} {init_apex_status_private_prop ctl_apex_load_prop}:file no_rw_file_perms;
+} ctl_apex_load_prop:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -init
+  -apexd
+} apex_ready_prop:property_service set;
+
+neverallow {
+  domain
+  -coredomain
+  -dumpstate
+  -apexd
+  -vendor_init
+} apex_ready_prop:file no_rw_file_perms;
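Review bot: The file-read neverallow for `apex_ready_prop` exempts all of `coredomain` plus `vendor_init`, whereas the `ctl_apex_load_prop` rule directly above it exempts only init, dumpstate and apexd; the asymmetry matches the `get_prop(coredomain, apex_ready_prop)` added elsewhere in this commit but is not explained here. A one-line comment would prevent a future "tightening" that breaks service triggers: `# apex.<name>.ready is readable by coredomain and vendor_init (used as service triggers); only init and apexd may set it.` The preceding neverallow block for ctl_apex_load_prop starts outside this hunk.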
 
 neverallow {
   # Only allow init and profcollectd to access profcollectd_node_id_prop
diff --git a/private/property_contexts b/private/property_contexts
index ed9de36..b2586f9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -288,6 +288,9 @@
 persist.vendor.apex.    u:object_r:apexd_select_prop:s0
 ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
 
+# Property that indicates if an apex is ready: apex.<apex-name>.ready
+apex.                   u:object_r:apex_ready_prop:s0 prefix bool
+
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0 exact bool
 
 gsid.                   u:object_r:gsid_prop:s0
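Review bot: The new `apex.` entry is a `prefix` match, so every property under `apex.` — not only `apex.<apex-name>.ready` — is labelled `apex_ready_prop` and declared as `bool`; the `.ready` suffix in the comment is a naming convention the policy does not enforce. Any future `apex.foo.<something>` property would inherit the same label (and thus init/apexd-only write rights) and would presumably be rejected by the type check if its value is not a bool. Make that explicit in the comment: `# apex.<apex-name>.ready (bool). Prefix match: everything under apex. gets this label.`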
@@ -761,10 +764,6 @@
 init.svc.tombstoned     u:object_r:init_service_status_prop:s0 exact string
 init.svc.zygote         u:object_r:init_service_status_prop:s0 exact string
 
-# apexd reads this property to check if init has done with ctl.apex_* messages
-# This should be the form of init.apex.<apex_name>.
-init.apex. u:object_r:init_apex_status_private_prop:s0 prefix enum loaded unloaded
-
 libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
 libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
 libc.debug.hooks.enable   u:object_r:libc_debug_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index 4a4eef4..1504bac 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -61,6 +61,7 @@
 android.hardware.sensors.ISensors/default                            u:object_r:hal_sensors_service:s0
 android.hardware.soundtrigger3.ISoundTriggerHw/default               u:object_r:hal_audio_service:s0
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
+android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
 android.hardware.uwb.IUwb/default                                    u:object_r:hal_uwb_service:s0
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index aa674d0..ab0bfe0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1076,14 +1076,11 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
+# Allow system process to setup fs-verity
+allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
-allowxperm system_server system_file:file ioctl {
-  FS_IOC_MEASURE_VERITY
-};
+# Allow system process to measure fs-verity for apps, apps being installed and system files
+allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
 
 # Postinstall
 #
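Review bot: The new `allowxperm` for `apk_tmp_file` only filters ioctl numbers; it has no effect unless system_server already holds `ioctl` on `apk_tmp_file:file` from a base allow rule, which is not visible in this hunk and was not needed by the old rules (they covered only apk_data_file and system_file) — worth confirming that base grant exists. The split itself is sound: `FS_IOC_ENABLE_VERITY` stays limited to `apk_data_file`, so system_server can measure but not enable fs-verity on files still being installed. Record that as intent so it is not "fixed" later: `# ENABLE_VERITY is deliberately not granted on apk_tmp_file; only measurement of in-flight installs.`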
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 70b3ef9..acbd84e 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -12,6 +12,9 @@
 # Let vendor_init react to AVF device config changes
 get_prop(vendor_init, device_config_virtualization_framework_native_prop)
 
+# Let vendor_init use apex.<name>.ready to start services from vendor APEX
+get_prop(vendor_init, apex_ready_prop)
+
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c369a90..9ae5308 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -82,3 +82,9 @@
   -init
   -virtualizationservice
 } virtualizationservice_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -virtualizationservice
+} virtualizationservice_data_file:file { open create };
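Review bot: The new neverallow restricts `open` and `create` on `virtualizationservice_data_file` to init and virtualizationservice but carries no comment explaining why only those two permissions are covered; the te_macros in this same commit show the design (clients may read an already-open crashdump fd but not open it), and that rationale belongs here. Suggest `# Only init and virtualizationservice may open/create files in its data dir; other domains only ever receive already-open fds.` Because `read`/`write` on a passed fd are intentionally not covered, a reader should not mistake this for a full confidentiality boundary. The preceding neverallow for virtualizationservice_prop begins outside this hunk.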
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5a5bdda..b345189 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -3,3 +3,7 @@
 binder_call(hal_tv_input_server, hal_tv_input_client)
 
 hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
+hal_attribute_service(hal_tv_input, hal_tv_input_service)
+
+binder_call(hal_tv_input_server, servicemanager)
+binder_call(hal_tv_input_client, servicemanager)
diff --git a/public/property.te b/public/property.te
index 1688b54..80df624 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
 
 # Properties which can't be written outside system
 system_restricted_prop(aac_drc_prop)
+system_restricted_prop(apex_ready_prop)
 system_restricted_prop(arm64_memtag_prop)
 system_restricted_prop(binder_cache_bluetooth_server_prop)
 system_restricted_prop(binder_cache_system_server_prop)
diff --git a/public/service.te b/public/service.te
index a75d6a3..4bd5e65 100644
--- a/public/service.te
+++ b/public/service.te
@@ -299,6 +299,7 @@
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
 type hal_usb_service, protected_service, hal_service_type, service_manager_type;
 type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 78e7636..551f4f3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -199,7 +199,7 @@
 # communicate with the VM that it created. Notice that we do not grant
 # permission to create a vsock; the client can only connect to VMs
 # that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr read write };
+allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
 # Allow client to inspect hypervisor capabilities
 get_prop($1, hypervisor_prop)
 # Allow client to read (but not open) the crashdump provided by virtualizationservice
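Review bot: The comment block above the vsock allow rule describes the granted operations but is not updated for the added `getopt`; since this macro is what every AVF client inherits, the comment should enumerate the set exactly. Suggest appending `# getopt lets the client query socket options (e.g. via getsockopt); setopt is deliberately not granted.` to the existing comment. The enclosing macro definition starts outside this hunk.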
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1cff892..24f0d51 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -92,6 +92,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example  u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service   u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)?  u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0