Merge "Add target_with_dexpreopt option to policy"
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index 2d59dda..551a12c 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1,2 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/derive_sdk u:object_r:derive_sdk_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/derive_classpath u:object_r:derive_classpath_exec:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/private/access_vectors b/private/access_vectors
index c1c0359..fdac890 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -731,6 +731,7 @@
class keystore2_key
{
+ convert_storage_key_to_ephemeral
delete
gen_unique_id
get_info
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 0f9b7ec..3e66106 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -20,6 +20,7 @@
authorization_service
cgroup_desc_api_file
cgroup_v2
+ codec2_config_prop
ctl_snapuserd_prop
debugfs_kprobes
debugfs_mm_events_tracing
@@ -41,6 +42,7 @@
font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_audio_service
hal_authsecret_service
hal_audiocontrol_service
hal_face_service
@@ -87,6 +89,7 @@
profcollectd
profcollectd_data_file
profcollectd_exec
+ profcollectd_node_id_prop
profcollectd_service
qemu_hw_prop
qemu_sf_lcd_density_prop
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
new file mode 100644
index 0000000..71960d3
--- /dev/null
+++ b/private/derive_classpath.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
+
+# b/183079517 fails on gphone targets otherwise
+allow derive_classpath unlabeled:dir search;
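Review bot: Nothing in this new file stops other domains from writing the file derive_classpath creates under /data/system/environ, and since that file presumably feeds a classpath consumed later at boot, I would pair the new label with a neverallow here, e.g. `neverallow { domain -init -derive_classpath } environ_system_data_file:file no_w_file_perms;` (if such a rule already exists elsewhere in the tree, ignore this). The `unlabeled:dir search` grant on the last line is justified only by a bug number; please say what is unlabeled on those targets and mark it as temporary, e.g. `# TODO(b/183079517): remove once the directory is labeled on gphone targets`, so the exception does not outlive the bug. The file also begins with a stray blank line before the first comment.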
diff --git a/private/file.te b/private/file.te
index 910210d..984a7b6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -53,3 +53,6 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/system/environ
+type environ_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index f8bb5ec..1347797 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -504,6 +504,7 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
+/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index a0b74b6..c523731 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -168,21 +168,7 @@
-gsid
-fastbootd
-vold
-} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
- -vold
-} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
-
-neverallow {
- domain
- -gsid
- -init
-} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+} gsi_metadata_file:file_class_set *;
neverallow {
domain
@@ -192,5 +178,13 @@
neverallow {
domain
+ -init
-gsid
-} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
+ -fastbootd
+ -vold
+} gsi_data_file:file_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/private/profcollectd.te b/private/profcollectd.te
index baccf88..24fb056 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -40,6 +40,7 @@
# Allow profcollectd to read its system properties.
get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+ set_prop(profcollectd, profcollectd_node_id_prop)
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
diff --git a/private/property.te b/private/property.te
index 2f5fcde..22c5bca 100644
--- a/private/property.te
+++ b/private/property.te
@@ -25,6 +25,7 @@
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
@@ -590,3 +591,12 @@
-init
-shell
} rollback_test_prop:property_service set;
+
+neverallow {
+ # Only allow init and profcollectd to access profcollectd_node_id_prop
+ domain
+ -init
+ -dumpstate
+ -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+
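Review bot: The comment on the new neverallow says only init and profcollectd may access profcollectd_node_id_prop, but the rule also exempts dumpstate, and it only constrains reads (`:file r_file_perms`), not who may set the property. If dumpstate is meant to read it for bug reports, state that in the comment, and add the `set` counterpart mirroring the rollback_test_prop rule just above: `neverallow { domain -init -profcollectd } profcollectd_node_id_prop:property_service set;`. Given the property name is a persistent node id, confining both readers and writers is presumably the point, so the intended set should be spelled out explicitly. The hunk also ends with an added empty line, leaving a trailing blank at end of file.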
diff --git a/private/property_contexts b/private/property_contexts
index 7fb26fb..306b40a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -64,6 +64,7 @@
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
+persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
@@ -398,6 +399,8 @@
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
+media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 1965d65..826bc3a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 23ee943..d57939b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,6 +170,9 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
')
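Review bot: The new `self:lockdown integrity` grant is checked against the subject only, so on userdebug/eng builds it waives the kernel lockdown integrity check for untrusted apps for every operation the kernel classifies as integrity-breaching, not just the kcov ioctls the comment mentions. The comment should make that trade-off explicit so nobody copies the rule into a user-build block, e.g. `# Note: lockdown permissions are per-process, so this waives the integrity check for this domain entirely; acceptable only inside userdebug_or_eng.` Other integrity-classified operations presumably stay blocked by their own object-level rules, but that is worth stating rather than assuming.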
# Allow signalling simpleperf domain, which is the domain that the simpleperf
diff --git a/private/vold.te b/private/vold.te
index 09388f1..ba5ad8c 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -35,6 +35,7 @@
# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
delete
get_info
manage_blob
diff --git a/private/zygote.te b/private/zygote.te
index c2c6e89..9038c4f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -78,6 +78,9 @@
# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };
+# Bind mount on top of existing mounted obb and data directory
+allow zygote media_rw_data_file:dir { mounton };
+
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
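Review bot: The added `mounton` rule targets the same subject, object and class as the `{ getattr search }` rule two lines above; this file otherwise keeps one rule per triple, so I would fold it in as `allow zygote media_rw_data_file:dir { getattr search mounton };` and merge the two comments. Note too that `mounton` applies to every directory labeled media_rw_data_file, not only the obb and data mount points the comment names; if that breadth is intended, say so in the comment, since the label covers a large tree.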
diff --git a/public/domain.te b/public/domain.te
index e1d6739..f46ca67 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -275,6 +275,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
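Review bot: The policy-wide `self:lockdown confidentiality` grant also lands in vendor and untrusted_app domains, and the comment should spell out that lockdown permissions are checked against the subject only, so confinement for those consumers now rests entirely on the object-level rules for tracefs, perf and similar. I would append `# Lockdown is per-process, not per-object: the sensitive objects behind it stay gated by their own SELinux labels and must not be relaxed on the strength of this rule.` I do not see the `lockdown` class or its `integrity`/`confidentiality` permissions added to security_classes or access_vectors in this diff; if they are not already defined, this rule and the neverallow below will not compile.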
@@ -1396,3 +1404,6 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index eb8155b..d1970b9 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,6 +3,7 @@
binder_call(hal_audio_server, hal_audio_client)
hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
allow hal_audio ion_device:chr_file r_file_perms;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 8c7816a..a379bb3 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -1,5 +1,7 @@
get_prop(hal_codec2_client, media_variant_prop)
get_prop(hal_codec2_server, media_variant_prop)
+get_prop(hal_codec2_client, codec2_config_prop)
+get_prop(hal_codec2_server, codec2_config_prop)
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
diff --git a/public/property.te b/public/property.te
index 01bd68e..12f6998 100644
--- a/public/property.te
+++ b/public/property.te
@@ -122,6 +122,7 @@
system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(drm_service_config_prop)
diff --git a/public/service.te b/public/service.te
index 229131c..e618cdb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -240,8 +240,9 @@
### HAL Services
###
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 1d919eb..097d068 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -687,11 +687,11 @@
###########################################
# hal_attribute_service(attribute, service)
-# Ability for domain to get a service to hwservice_manager
+# Ability for domain to get a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
-# Used to pair hal_foo_client with hal_foo_hwservice
+# Used to pair hal_foo_client with hal_foo_service
define(`hal_attribute_service', `
allow $1_client $2:service_manager find;
add_service($1_server, $2)