Merge "Add sepolicy for Battery Service client role sysprop"
diff --git a/Android.bp b/Android.bp
index 0ca82a6..8e2a966 100644
--- a/Android.bp
+++ b/Android.bp
@@ -189,6 +189,11 @@
     srcs: ["seapp_contexts"],
 }
 
+se_build_files {
+    name: "vndservice_contexts_files",
+    srcs: ["vndservice_contexts"],
+}
+
 // For vts_treble_sys_prop_test
 filegroup {
     name: "private_property_contexts",
@@ -1103,3 +1108,29 @@
 se_freeze_test {
     name: "sepolicy_freeze_test",
 }
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+    name: "sepolicy_test",
+    srcs: [
+        ":plat_file_contexts",
+        ":vendor_file_contexts",
+        ":system_ext_file_contexts",
+        ":product_file_contexts",
+        ":odm_file_contexts",
+        ":precompiled_sepolicy",
+    ],
+    tools: ["sepolicy_tests"],
+    out: ["sepolicy_test"],
+    cmd: "$(location sepolicy_tests) " +
+        "-f $(location :plat_file_contexts) " +
+        "-f $(location :vendor_file_contexts) " +
+        "-f $(location :system_ext_file_contexts) " +
+        "-f $(location :product_file_contexts) " +
+        "-f $(location :odm_file_contexts) " +
+        "-p $(location :precompiled_sepolicy) && " +
+        "touch $(out)",
+}
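Review bot: The genrule's only product is the stamp file `sepolicy_test`, touched after the checker succeeds, so nothing in Soong consumes it; as far as this diff shows, the test is only reached through the Android.mk `LOCAL_ADDITIONAL_DEPENDENCIES` hack on its intermediate output, and that coupling is not mentioned in the header comment. Suggest extending the comment with `// The output is a stamp file; Android.mk depends on it via LOCAL_ADDITIONAL_DEPENDENCIES.` so whoever renames or removes this genrule knows what breaks.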
diff --git a/Android.mk b/Android.mk
index 27123d7..c98de45 100644
--- a/Android.mk
+++ b/Android.mk
@@ -347,9 +347,13 @@
 ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
-    sepolicy_tests \
     sepolicy_compat_test \
 
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += \
     $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
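Review bot: The path `$(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test` hard-codes the module class the Soong genrule is exported to Make under; if that export changes, the dependency points at a file nothing builds and the build fails with an opaque "No rule to make target" far from the cause. The HACK comment should name the assumption, e.g. `# Relies on Soong exporting genrule outputs to Make under module class ETC.`. The enclosing `ifneq ($(with_asan),true)` / `ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)` block closes outside the hunk.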
@@ -505,6 +509,7 @@
     vendor_hwservice_contexts_test \
     vendor_bug_map \
     vndservice_contexts \
+    vndservice_contexts_test \
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
 LOCAL_REQUIRED_MODULES += \
@@ -664,50 +669,8 @@
 file_contexts.modules.tmp :=
 
 ##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
-$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
-$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
-
-vnd_svcfiles :=
-vndservice_contexts.tmp :=
-
-##################################
 include $(LOCAL_PATH)/mac_permissions.mk
 
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -721,13 +684,6 @@
 endif
 all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
 
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
-	$(hide) touch $@
-
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
diff --git a/METADATA b/METADATA
index cdcfa70..5a356a4 100644
--- a/METADATA
+++ b/METADATA
@@ -1,6 +1,4 @@
 third_party {
-  # would be UNENCUMBERED save for
-  #  tests/combine_maps.py
-  #  build/soong/
+  license_note: "would be UNENCUMBERED save for: tests/combine_maps.py and build/soong/"
   license_type: NOTICE
 }
diff --git a/apex/Android.bp b/apex/Android.bp
index b85b1f5..5d61303 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -263,3 +263,10 @@
     "com.android.car.framework-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.ondevicepersonalization-file_contexts",
+  srcs: [
+    "com.android.ondevicepersonalization-file_contexts",
+  ],
+}
diff --git a/apex/com.android.ondevicepersonalization-file_contexts b/apex/com.android.ondevicepersonalization-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.ondevicepersonalization-file_contexts
@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0
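Review bot: The single catch-all `(/.*)?` entry labels everything in the APEX `system_file`, which is adequate while the APEX holds only Java code and resources but means any native binary added later would run without its own `exec_type` and domain. A one-line comment stating that assumption, e.g. `# Whole APEX is system_file: no native executables expected; add explicit entries if any are shipped.`, keeps the next contributor from shipping a binary under this label unnoticed.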
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 390c439..b1840da 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -88,6 +88,9 @@
 
 	// Whether this module is directly installable to one of the partitions. Default is true
 	Installable *bool
+
+	// Desired number of MLS categories. Defaults to 1024
+	Mls_cats *int64
 }
 
 type policyConf struct {
@@ -189,6 +192,10 @@
 	return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
 }
 
+func (c *policyConf) mlsCats() int {
+	return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
+}
+
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
 		if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
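Review bot: `mlsCats()` passes whatever `mls_cats` holds straight to `strconv.Itoa` at the `-D mls_num_cats=` flag, so a zero or negative value in an Android.bp is accepted by Soong and only surfaces, if at all, when m4 or the policy compiler runs. A guard where the value is consumed, e.g. `if c.mlsCats() <= 0 { ctx.PropertyErrorf("mls_cats", "must be a positive integer") }`, reports the mistake against the module that set it. A doc comment on the method would also help: `// mlsCats returns the number of MLS categories to generate: mls_cats if set, else MlsCats.`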
@@ -212,7 +219,7 @@
 		Flag("--fatal-warnings").
 		FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
 		FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
-		FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
+		FlagWithArg("-D mls_num_cats=", strconv.Itoa(c.mlsCats())).
 		FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
 		FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
 		FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 8894931..463a978 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -93,11 +93,13 @@
 	android.RegisterModuleType("service_contexts", serviceFactory)
 	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
 	android.RegisterModuleType("seapp_contexts", seappFactory)
+	android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
 
 	android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
 	android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
 	android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
 	android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
+	android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
 }
 
 func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -495,6 +497,18 @@
 	return m
 }
 
+func vndServiceFactory() android.Module {
+	m := newModule()
+	m.build = m.buildGeneralContexts
+	android.AddLoadHook(m, func(ctx android.LoadHookContext) {
+		if !ctx.SocSpecific() {
+			ctx.ModuleErrorf(m.Name(), "must set vendor: true")
+			return
+		}
+	})
+	return m
+}
+
 var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
 
 // Implements android.OutputFileProducer
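Review bot: `ctx.ModuleErrorf(m.Name(), "must set vendor: true")` uses the module name as the format string and the message as a stray argument, so the reported error reads as the bare module name followed by a `%!(EXTRA string=...)` suffix, and a `%` in a module name would be parsed as a verb. ModuleErrorf already attributes the error to the module, so the call should be `ctx.ModuleErrorf("must set soc_specific: true")` (naming the property that `ctx.SocSpecific()` checks and that contexts/Android.bp uses). The `return` after it is redundant since nothing else follows in the hook.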
@@ -565,6 +579,14 @@
 	return m
 }
 
+// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
+func vndServiceContextsTestFactory() android.Module {
+	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+	m.AddProperties(&m.properties)
+	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+	return m
+}
+
 func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	tool := m.tool
 	if tool != "checkfc" && tool != "property_info_checker" {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 3062a61..2a5a058 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -67,28 +67,55 @@
         ":file_contexts_files{.vendor}",
     ],
     soc_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "vendor_file_contexts.recovery",
+    srcs: [
+        ":file_contexts_files{.plat_vendor_for_vendor}",
+        ":file_contexts_files{.vendor}",
+    ],
+    stem: "vendor_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "system_ext_file_contexts",
     srcs: [":file_contexts_files{.system_ext_private}"],
     system_ext_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "system_ext_file_contexts.recovery",
+    srcs: [":file_contexts_files{.system_ext_private}"],
+    stem: "system_ext_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "product_file_contexts",
     srcs: [":file_contexts_files{.product_private}"],
     product_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "product_file_contexts.recovery",
+    srcs: [":file_contexts_files{.product_private}"],
+    stem: "product_file_contexts",
+    recovery: true,
 }
 
 file_contexts {
     name: "odm_file_contexts",
     srcs: [":file_contexts_files{.odm}"],
     device_specific: true,
-    recovery_available: true,
+}
+
+file_contexts {
+    name: "odm_file_contexts.recovery",
+    srcs: [":file_contexts_files{.odm}"],
+    stem: "odm_file_contexts",
+    recovery: true,
 }
 
 hwservice_contexts {
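Review bot: Each `*_file_contexts` module and its new `.recovery` twin repeat the same `srcs` list, so a later edit to one can silently diverge from the other (`vendor_file_contexts` / `vendor_file_contexts.recovery` is the largest case). A Blueprint variable per pair, e.g. `vendor_file_contexts_srcs = [":file_contexts_files{.plat_vendor_for_vendor}", ":file_contexts_files{.vendor}"]`, referenced from both modules keeps them in lock-step. A short comment on the first `.recovery` module explaining why recovery now needs a separate module with `stem` instead of `recovery_available` would also help readers.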
@@ -287,6 +314,16 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+vndservice_contexts {
+    name: "vndservice_contexts",
+    srcs: [
+        ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+        ":vndservice_contexts_files{.vendor}",
+        ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+    ],
+    soc_specific: true,
+}
+
 // for CTS
 genrule {
     name: "plat_seapp_neverallows",
@@ -432,3 +469,9 @@
     srcs: [":vendor_service_contexts"],
     sepolicy: ":precompiled_sepolicy",
 }
+
+vndservice_contexts_test {
+    name: "vndservice_contexts_test",
+    srcs: [":vndservice_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0600207..0628a5b 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -109,6 +109,7 @@
     name: "microdroid_reqd_policy_mask.conf",
     srcs: reqd_mask_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
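Review bot: `mls_cats: 1` is repeated on five separate conf modules in this file (here and in the four following hunks), and every conf file compiled into one policy must agree on the category count; a future module that omits the property silently falls back to the 1024 default. A comment at the first occurrence, e.g. `// Microdroid uses a single MLS category; keep mls_cats identical across all conf modules in this file.`, records the invariant. I cannot tell from the hunks whether any other microdroid conf module exists without the property.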
@@ -122,6 +123,7 @@
     name: "microdroid_plat_sepolicy.conf",
     srcs: system_policy_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -135,6 +137,7 @@
     name: "microdroid_plat_pub_policy.conf",
     srcs: system_public_policy_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -171,6 +174,7 @@
     name: "microdroid_vendor_sepolicy.conf",
     srcs: vendor_policy_files,
     installable: false,
+    mls_cats: 1,
 }
 
 se_policy_cil {
@@ -287,4 +291,5 @@
     srcs: system_policy_files,
     exclude_build_test: true,
     installable: false,
+    mls_cats: 1,
 }
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index c7c53c2..d259e1c 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -2,6 +2,8 @@
 type dex2oat, domain, coredomain;
 type dex2oat_exec, system_file_type, exec_type, file_type;
 
+userfaultfd_use(dex2oat)
+
 allow dex2oat tmpfs:file { read getattr map };
 
 # Allow dex2oat to use FDs from authfs_service via compos.
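Review bot: `userfaultfd_use(dex2oat)` is added with no explanation, whereas the same macro in private/app_zygote.te in this diff carries `# For ART (allow userfaultfd and related ioctls)`. Reuse that comment here so the reason for granting userfaultfd to dex2oat is recorded next to the rule.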
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 3499aa0..254dbe8 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -138,6 +138,8 @@
 genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
+genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 3510e2f..bf344ac 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -14,6 +14,9 @@
 # microdroid_manager verifies DM-verity mounted APK payload
 allow microdroid_manager dm_device:blk_file r_file_perms;
 
+# microdroid_manager can query AVF flags in the device tree
+allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+
 # Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
 # requires sys_admin cap as well.
 allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d15d9cd..dfa1ff2 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -167,6 +167,7 @@
 type sysfs_dm_verity, fs_type, sysfs_type;
 type sysfs_dma_heap, fs_type, sysfs_type;
 type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_avf, fs_type, sysfs_type;
 type sysfs_dt_firmware_android, fs_type, sysfs_type;
 type sysfs_extcon, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, fs_type, sysfs_type;
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
index e3fd4be..9fbf90d 100644
--- a/microdroid/vendor/hal_dice_default.te
+++ b/microdroid/vendor/hal_dice_default.te
@@ -10,4 +10,5 @@
 # hal_dice_default is using bootstrap bionic
 use_bootstrap_libs(hal_dice_default)
 
+allow hal_dice_default sysfs_dt_avf:file r_file_perms;
 allow hal_dice_default open_dice_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index ec5c57e..ea9fb1e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -152,6 +152,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
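Review bot: The files under prebuilts/api/29.0, 30.0 and 31.0 are frozen policy snapshots, yet this diff edits them while not touching the live private/adbd.te; if the current policy already carries this rule, saying so in the commit message explains why the snapshots are amended, and if it does not, the prebuilts drift from the policy they mirror. The comment `# For CTS listening ports test.` would be more useful naming the test, so the `proc_net_tcp_udp` read grant can be revisited when the test changes. The same applies to the 30.0 and 31.0 hunks.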
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index be4f0f7..e81aac7 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -158,6 +158,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/31.0/private/adbd.te b/prebuilts/api/31.0/private/adbd.te
index c2c6164..4273995 100644
--- a/prebuilts/api/31.0/private/adbd.te
+++ b/prebuilts/api/31.0/private/adbd.te
@@ -169,6 +169,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/private/app.te b/private/app.te
index 856f483..e152591 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,7 @@
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)
 
 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
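Review bot: `get_prop(appdomain, persist_wm_debug_prop)` lets every app domain, including untrusted apps, read `persist.wm.debug.*`, while the writers elsewhere in this diff are limited to userdebug/eng shell and platform_app, with system_server as the other reader. If only system_server and the system UI consume the values, granting read to `platform_app` rather than all of `appdomain` avoids exposing debug configuration to third-party apps; if apps genuinely need it, a comment naming which ones would justify the broad grant.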
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 004c108..8a62341 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -56,6 +56,9 @@
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
 
+# For ART (allow userfaultfd and related ioctls)
+userfaultfd_use(app_zygote)
+
 # Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
 allow app_zygote apex_module_data_file:dir search;
 # For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ee7d51e..b77c97b 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -9,6 +9,7 @@
     artd_service
     attestation_verification_service
     bluetooth_config_prop
+    binderfs_features
     charger_vendor
     cloudsearch
     cloudsearch_service
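Review bot: `binderfs_features` is inserted after `bluetooth_config_prop`, but the surrounding list is alphabetical (artd_service, attestation_verification_service, bluetooth_config_prop, charger_vendor, ...), so it belongs one line earlier, before `bluetooth_config_prop`. The `persist_wm_debug_prop` entry in the second hunk is correctly placed.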
@@ -50,6 +51,7 @@
     locale_service
     mdns_service
     nearby_service
+    persist_wm_debug_prop
     proc_watermark_boost_factor
     proc_watermark_scale_factor
     remotelyprovisionedkeypool_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 25d3309..26b1df3 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -19,6 +19,9 @@
 # Let crosvm receive file descriptors from VirtualizationService.
 allow crosvm virtualizationservice:fd use;
 
+# Allow sending VirtualizationService the failure reason from the VM via pipe.
+allow crosvm virtualizationservice:fifo_file write;
+
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
 # /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
diff --git a/private/domain.te b/private/domain.te
index acf5f55..ef9d036 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -500,6 +500,7 @@
     -init
     -tombstoned # linker to tombstoned
     userdebug_or_eng(`-heapprofd')
+    userdebug_or_eng(`-traced')
     userdebug_or_eng(`-traced_perf')
   });
 ')
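Review bot: `userdebug_or_eng(`-traced')` is added to a neverallow exclusion list without the trailing reason comment that the neighbouring `-tombstoned # linker to tombstoned` carries, so a reader cannot tell why traced needs the exemption on debug builds. Suggest `userdebug_or_eng(`-traced') # <reason traced needs this>`. The neverallow this list belongs to starts outside the hunk, so I cannot see which permission is being exempted.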
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4fad585..149d389 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -6,6 +6,10 @@
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
 
+# Create tmpfs files for using memfd descriptors to get output from child
+# processes.
+tmpfs_domain(dumpstate)
+
 # Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
 allow dumpstate system_file:file lock;
 
@@ -116,3 +120,6 @@
 # /dev/null.
 allow perfetto dumpstate_tmpfs:file rw_file_perms;
 allow perfetto dumpstate:fd use;
+
+# system_dlkm_file for /system_dlkm partition
+allow dumpstate system_dlkm_file:dir getattr;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f20251d..ca64733 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -377,6 +377,7 @@
 genfscon binder /vndbinder u:object_r:vndbinder_device:s0
 genfscon binder /binder_logs u:object_r:binderfs_logs:s0
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /features u:object_r:binderfs_features:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 20c9820..b723633 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -40,6 +40,10 @@
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
 get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+  set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
 
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
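Review bot: The neverallow on `persist_wm_debug_prop:property_service set` excludes `-dumpstate` although nothing in this diff grants dumpstate `set_prop` on it and no comment says why a bug-report collector should change window-manager debug settings; if dumpstate does not need it, dropping `-dumpstate` tightens the invariant, otherwise a comment should record the reason. The rule also lives in platform_app.te although it constrains every domain; placing it alongside the other property neverallows makes it easier to find. On user builds the exclusion list reduces to init and dumpstate, which appears to be the intent of the `userdebug_or_eng(`-domain')` idiom.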
diff --git a/private/property_contexts b/private/property_contexts
index d30bbec..f92e558 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -102,6 +102,7 @@
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0
 wrap.                   u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug.       u:object_r:persist_wm_debug_prop:s0
 
 # Suspend service properties
 suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
@@ -339,6 +340,9 @@
 ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
 ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# spatializer functionality should be initialized
+ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
 
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
diff --git a/private/shell.te b/private/shell.te
index 32819ac..ae5ff55 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -227,3 +227,6 @@
 # Let the shell user call virtualizationservice (and
 # virtualizationservice call back to shell) for debugging.
 virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
diff --git a/private/system_server.te b/private/system_server.te
index 682be60..275bb6f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -799,6 +799,9 @@
 # Read hypervisor capabilities ro.boot.hypervisor.*
 get_prop(system_server, hypervisor_prop)
 
+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
diff --git a/public/domain.te b/public/domain.te
index 2be67f5..705c13a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,6 +88,8 @@
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
+allow domain binderfs_features:dir search;
+allow domain binderfs_features:file r_file_perms;
 
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index c0b7679..3c8fcc7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
 type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
+type binderfs_features, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;
 type proc_drop_caches, fs_type, proc_type;
diff --git a/public/installd.te b/public/installd.te
index 1ef4fc7..b0b2815 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -115,6 +115,15 @@
 allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
 allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
+# Allow setting extended attributes (for project quota IDs) on dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+allowxperm installd { app_data_file_type system_data_file }:{ dir file } ioctl {
+  FS_IOC_FSGETXATTR
+  FS_IOC_FSSETXATTR
+  FS_IOC_GETFLAGS
+  FS_IOC_SETFLAGS
+};
+
 # Similar for the files under /data/misc/profiles/
 allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
 allow installd user_profile_data_file:dir { create_dir_perms relabelto };
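Review bot: The comment says the xattr/flag ioctls are needed `on dirs`, but the rule grants them on `{ dir file }` for both `app_data_file_type` and `system_data_file`; either narrow the class list to `dir` or update the comment to say files are included and why. `allowxperm` only refines an existing `ioctl` permission, and the hunk shows that base permission for `app_data_file_type` (via `create_file_perms`) but not for `system_data_file`; if installd lacks `ioctl` on `system_data_file`, that half of the rule is a no-op. `FS_IOC_SETFLAGS` also covers flags beyond project-ID inheritance, which is worth stating in the comment so the grant is not widened unintentionally later.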
diff --git a/public/property.te b/public/property.te
index 7957f8c..46d6776 100644
--- a/public/property.te
+++ b/public/property.te
@@ -74,6 +74,7 @@
 system_restricted_prop(libc_debug_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(persist_wm_debug_prop)
 system_restricted_prop(power_debug_prop)
 system_restricted_prop(property_service_version_prop)
 system_restricted_prop(provisioned_prop)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d0c474c..0cfb7cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,7 +32,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example    u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example      u:object_r:hal_dumpstate_default_exec:s0
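Review bot: The new pattern `drm-service(-lazy)?\.clearkey` replaces rather than supplements the old `drm-service\.clearkey(-lazy)?`, so a vendor image still shipping the previously named lazy binary no longer matches and presumably falls through to the generic vendor label, where it cannot be started as its own domain. If both binary names can exist across branches, keeping both alternatives, e.g. `drm-service(-lazy)?\.clearkey(-lazy)?`, is safer; if the old name is gone everywhere, a note in the commit message saying so settles it.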
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index d1d4559..176d611 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -15,6 +15,9 @@
 binder_call(hal_evs_default, automotive_display_service_server)
 allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
 
+# allow to access data from surfaceflinger
+allow hal_evs_default surfaceflinger:fd use;
+
 # allow to access EGL
 allow hal_evs_default gpu_device:chr_file rw_file_perms;
 allow hal_evs_default gpu_device:dir search;