Merge "[Thread] move Thread settings data to APEX data dir" into main
diff --git a/Android.bp b/Android.bp
index fe755d4..88107cc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -337,36 +337,6 @@
product_specific: true,
}
-// HACK to support pre-vFRC vendor blobs
-// TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-se_versioned_policy {
- name: "plat_mapping_file_10000.0",
- base: ":plat_pub_policy.cil",
- mapping: true,
- version: "10000.0",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
- name: "system_ext_mapping_file_10000.0",
- base: ":system_ext_pub_policy.cil",
- mapping: true,
- version: "10000.0",
- filter_out: [":plat_mapping_file"],
- relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
- system_ext_specific: true,
-}
-
-se_versioned_policy {
- name: "product_mapping_file_10000.0",
- base: ":pub_policy.cil",
- mapping: true,
- version: "10000.0",
- filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
- relative_install_path: "mapping", // install to /product/etc/selinux/mapping
- product_specific: true,
-}
-
//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index 8cdedbe..63b74aa 100644
--- a/Android.mk
+++ b/Android.mk
@@ -210,12 +210,6 @@
plat_sepolicy.cil \
secilc \
-# HACK to support pre-vFRC vendor blobs
-# TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += plat_mapping_file_10000.0
-endif
-
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif
@@ -284,12 +278,6 @@
LOCAL_REQUIRED_MODULES += \
system_ext_mapping_file
-# HACK to support pre-vFRC vendor blobs
-# TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file_10000.0
-endif
-
system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -338,12 +326,6 @@
LOCAL_REQUIRED_MODULES += \
product_mapping_file
-# HACK to support pre-vFRC vendor blobs
-# TODO(b/314010177): remove after new ToT (1000000.0) fully propagates
-ifneq (true,$(BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += product_mapping_file_10000.0
-endif
-
product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 896590d..c83bcdb 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,8 @@
# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };
+
+# Allow init to load vendor modules
+r_dir_file(init, vendor_kernel_modules)
+allow init self:capability sys_module;
+allow init vendor_kernel_modules:system module_load;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d53de79..57852c2 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -37,6 +37,7 @@
type vendor_configs_file, file_type, vendor_file_type;
type vendor_data_file, file_type, data_file_type;
type vendor_file, file_type, vendor_file_type;
+type vendor_kernel_modules, vendor_file_type, file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
type vm_payload_service_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 8cd9e63..3752e01 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -33,6 +33,9 @@
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
+# Required for setting GID to system while calling SetTaskProfile() API
+allow snapuserd self:global_capability_class_set { setgid };
+
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
diff --git a/private/system_app.te b/private/system_app.te
index 31e10bb..e08941d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -187,3 +187,5 @@
# system_app should be the only domain writing the adaptive haptics prop
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
+# system_app should be the only domain writing the force l3 prop
+neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index bbae070..d0fe571 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -111,3 +111,8 @@
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # virtualizationmanager holds references to bound devices, returned from vfio_handler
+ binder_call(virtualizationmanager, vfio_handler)
+')
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index e17797e..4d8ac6b 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -104,6 +104,6 @@
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
- # Only virtualizationservice can communicate to vfio_handler
- neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+ # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
+ neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
')
diff --git a/public/service.te b/public/service.te
index acbaf4d..1c7605e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -213,7 +213,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type security_state_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;