Merge "Allow mediaserver to find "audio" service" into qt-dev
diff --git a/Android.mk b/Android.mk
index ab88003..361cc30 100644
--- a/Android.mk
+++ b/Android.mk
@@ -309,6 +309,11 @@
selinux_denial_metadata \
endif
+
+# Builds an addtional userdebug sepolicy into the debug ramdisk.
+LOCAL_REQUIRED_MODULES += \
+ userdebug_plat_sepolicy.cil \
+
include $(BUILD_PHONY_PACKAGE)
#################################
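Review bot: The new comment does not mention that this `LOCAL_REQUIRED_MODULES` entry sits after the `endif`, so `userdebug_plat_sepolicy.cil` is required regardless of the condition guarding the entries above it, and it misspells "additional". Because the module is compiled with the build variant forced to userdebug (second Android.mk hunk), the comment should state where the artifact lands, e.g. `# Always build the userdebug platform policy; it is installed only under $(TARGET_DEBUG_RAMDISK_OUT).` The conditional closed by the `endif` starts outside the hunk, so confirm that the unconditional placement is intended.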
@@ -525,6 +530,47 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
+$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
+$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+userdebug_plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_MODULE := product_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
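Review bot: The `userdebug_plat_policy.conf` recipe writes `$@.dontaudit`, but nothing in this hunk consumes it; the `$(LOCAL_BUILT_MODULE)` rule passes `$<`, the plain .conf, to checkpolicy. If no rule outside the hunk reads that file, drop the `sed` line; otherwise name the consumer in a comment. The file is an undeclared side output, and unless the build shell sets pipefail a failure of the first `sed` is masked by the second. The header comment would also read better as `# userdebug_plat_policy.conf - policy.conf built with TARGET_BUILD_VARIANT forced to userdebug; input to userdebug_plat_sepolicy.cil`. It is also worth a one-line comment that the `secilc` run is a check only (output goes to /dev/null) and that neverallow enforcement depends on `$(PRIVATE_NEVERALLOW_ARG)`.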
diff --git a/private/file_contexts b/private/file_contexts
index ceb330b..89d1188 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,6 +24,7 @@
/lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
+/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
diff --git a/private/netd.te b/private/netd.te
index a00cb69..4c129b7 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -12,6 +12,10 @@
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
get_prop(netd, bpf_progs_loaded_prop)
# Allow netd to write to statsd.
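Review bot: The comment that arrives with `allow netd self:key_socket create;` starts mid-sentence and no longer says who needs the socket or why, which makes an unusual grant (a PF_KEY socket) hard to audit. Reword it as `# Allow netd to create a key_socket only so that close() on it triggers synchronize_rcu().` and attach a bug number to the TODO so the rule is actually removed once the 4.9 kernel is dropped. The rule grants `create` alone; saying so in the comment helps keep it from being widened later.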
diff --git a/private/statsd.te b/private/statsd.te
index 16d3aeb..99548a0 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,4 +1,5 @@
typeattribute statsd coredomain;
+typeattribute statsd stats_service_server;
init_daemon_domain(statsd)
diff --git a/private/system_server.te b/private/system_server.te
index c05413a..0132931 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,8 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+typeattribute system_server scheduler_service_server;
+typeattribute system_server sensor_service_server;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -240,10 +242,6 @@
allow system_server hal_renderscript_hwservice:hwservice_manager find;
allow system_server same_process_hal_file:file { execute read open getattr map };
-# Offer HwBinder services
-add_hwservice(system_server, fwk_scheduler_hwservice)
-add_hwservice(system_server, fwk_sensor_hwservice)
-
# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
@@ -262,8 +260,9 @@
inputflinger
mediadrmserver
mediaextractor
- mediaserver
mediametrics
+ mediaserver
+ mediaswcodec
sdcardd
statsd
surfaceflinger
@@ -874,10 +873,6 @@
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow system_server self:key_socket create;
-
# ART Profiles.
# Allow system_server to open profile snapshots for read.
diff --git a/private/zygote.te b/private/zygote.te
index 759fc34..0466372 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -118,6 +118,9 @@
# System file accesses.
r_dir_file(zygote, system_file)
+# /oem accesses.
+allow zygote oemfs:dir search;
+
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
allow zygote method_trace_data_file:dir w_dir_perms;
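Review bot: The comment `# /oem accesses.` restates the rule without saying what zygote looks up under /oem, so a later reader cannot tell whether `search` is sufficient or already too much. Name the consumer and note the scope, e.g. `# Allow zygote to traverse /oem (directory search only; no file access is granted here).`, with a bug reference if one exists. The `userdebug_or_eng` block that follows continues past the hunk and is not changed by it.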
diff --git a/public/attributes b/public/attributes
index dbb9356..67979da 100644
--- a/public/attributes
+++ b/public/attributes
@@ -303,11 +303,14 @@
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
-attribute display_service_server;
-attribute wifi_keystore_service_server;
-attribute mediaswcodec_server;
-attribute system_suspend_server;
attribute camera_service_server;
+attribute display_service_server;
+attribute mediaswcodec_server;
+attribute scheduler_service_server;
+attribute sensor_service_server;
+attribute stats_service_server;
+attribute system_suspend_server;
+attribute wifi_keystore_service_server;
# All types used for super partition block devices.
attribute super_block_device_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2d5215f..2906b5b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -69,6 +69,7 @@
mediaextractor
mediametrics
mediaserver
+ mediaswcodec
sdcardd
surfaceflinger
@@ -81,8 +82,10 @@
hal_graphics_composer_server
hal_health_server
hal_omx_server
+ hal_power_server
hal_power_stats_server
hal_sensors_server
+ hal_thermal_server
hal_vr_server
}:process signal;
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c2549ff..1ef6cad 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -8,6 +8,7 @@
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
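Review bot: The added `privapp_data_file` rule has no comment of its own, and the comment above it only mentions /data/data/, so nothing states that privileged-app private files are now usable by the NN HAL server. Add `# Same for fds passed by privileged apps; open is not granted, so the HAL can only use fds handed to it.` above the new line. The rule includes `write` and `map`; if the HAL only reads model or input buffers from privileged apps, a narrower permission set would be safer, though that cannot be judged from this hunk.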
diff --git a/public/idmap.te b/public/idmap.te
index d76558a..92c649c 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,7 +2,7 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
-# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file create_file_perms;
@@ -15,6 +15,10 @@
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
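Review bot: The comment on the two new rules lists paths but not the reason idmap must read install-session temp files, and `r_file_perms` includes `open`, so idmap can open these files by path rather than only use an fd inherited from installd. The vmdl*.tmp files are packages still being installed, so the comment should name the caller and the stage at which idmap touches them, e.g. `# idmap reads staged APKs (vmdl*.tmp) on behalf of installd; read-only.` That wording is inferred from the paths, so confirm it against the caller. If an inherited fd would suffice, dropping `open` would keep the access fd-based like the resource-cache rule earlier in the file.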
diff --git a/public/init.te b/public/init.te
index fa7f685..ec5f6e0 100644
--- a/public/init.te
+++ b/public/init.te
@@ -49,8 +49,8 @@
# setrlimit
allow init self:global_capability_class_set sys_resource;
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
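Review bot: The rewritten comment says init will "load /debug_ramdisk/* files", but the only permission added is `getattr`, and the earlier explanation that /dev/.booting is created before the initial policy load has been dropped. Since private/file_contexts in this change labels /debug_ramdisk with the generic `tmpfs` type, the new `getattr` applies to every `tmpfs:file`, not only to files under that directory. Suggest keeping `# Remove /dev/.booting, created before initial policy load or restorecon /dev.` and adding `# stat() files under /debug_ramdisk (labelled tmpfs).` A dedicated type for /debug_ramdisk would let the rule be scoped to it.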
diff --git a/public/property_contexts b/public/property_contexts
index be4e98e..ba3724e 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -384,3 +384,5 @@
ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/scheduler_service_server.te b/public/scheduler_service_server.te
new file mode 100644
index 0000000..b3cede1
--- /dev/null
+++ b/public/scheduler_service_server.te
@@ -0,0 +1 @@
+add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
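Review bot: `add_hwservice()` is applied to an attribute with no comment, here and in public/sensor_service_server.te and public/stats_service_server.te, so the right to register these framework HwBinder services now goes to every domain given the attribute. The macro's own neverallow excludes its first argument, so it no longer pins registration to a single domain. Add a header comment such as `# Domains carrying scheduler_service_server may register fwk_scheduler_hwservice; assign to core domains only.` Also consider a neverallow that keeps the attribute off non-core domains, if it is meant to stay within core domains as the note in public/attributes suggests.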
diff --git a/public/sensor_service_server.te b/public/sensor_service_server.te
new file mode 100644
index 0000000..7c526a5
--- /dev/null
+++ b/public/sensor_service_server.te
@@ -0,0 +1 @@
+add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
new file mode 100644
index 0000000..564ae23
--- /dev/null
+++ b/public/stats_service_server.te
@@ -0,0 +1 @@
+add_hwservice(stats_service_server, fwk_stats_hwservice)
diff --git a/public/statsd.te b/public/statsd.te
index 8ba7f63..089cae9 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -50,9 +50,6 @@
system_api_service
}:service_manager find;
-# Allow statsd to add as HIDL service.
-add_hwservice(statsd, fwk_stats_hwservice)
-
# Grant statsd to access health hal to access battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;