Merge "Add support for invoking derive_classpath from otadexopt"
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index d2a8626..2533cac 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)?                   u:object_r:system_file:s0
+/bin/artd                u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)?     u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh           u:object_r:odrefresh_exec:s0
diff --git a/private/artd.te b/private/artd.te
new file mode 100644
index 0000000..a76074b
--- /dev/null
+++ b/private/artd.te
@@ -0,0 +1,12 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file  { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
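Review bot: The `allow artd dumpstate:fifo_file { getattr write };` rule sits under the comment about publishing a binder service, but it is not a binder permission, so someone auditing the new domain cannot tell why artd may write to a dumpstate pipe. Give it its own comment, for example `# Allow artd to write its dump output to the pipe passed in by dumpstate.`, after confirming that is the intended use. The separate `typeattribute artd coredomain;` could be folded into the declaration as `type artd, domain, coredomain;` so all attributes of the domain are visible in one place. None of the visible hunks grant any domain `find` on `artd_service`, so the header comment should also name the client that is expected to call it.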
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1599a3e..98d5840 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -211,6 +211,7 @@
     vndk_prop
     vold_config_prop
     vold_metadata_file
+    vold_post_fs_data_prop
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 202baaf..9fda88e 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -227,6 +227,7 @@
     vndk_prop
     vold_config_prop
     vold_metadata_file
+    vold_post_fs_data_prop
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index fb0fa44..0fb0a1c 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1206,7 +1206,10 @@
 (typeattributeset exported2_system_prop_29_0
   ( exported2_system_prop
     surfaceflinger_color_prop))
-(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_29_0
+  ( exported2_vold_prop
+    vold_config_prop
+    vold_post_fs_data_prop))
 (typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
 (typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
 (typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index c158a30..c7a84ff 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1378,7 +1378,10 @@
     dalvik_runtime_prop
     surfaceflinger_color_prop
     zram_control_prop))
-(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_30_0
+  ( exported2_vold_prop
+    vold_config_prop
+    vold_post_fs_data_prop))
 (typeattributeset exported3_default_prop_30_0
   ( exported3_default_prop
     camera_calibration_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e479f33..eb34315 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,6 +17,9 @@
     app_hibernation_service
     appcompat_data_file
     arm64_memtag_prop
+    artd
+    artd_exec
+    artd_service
     authorization_service
     bootanim_config_prop
     camerax_extensions_prop
diff --git a/private/domain.te b/private/domain.te
index 87518a7..9e2e033 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,6 +49,9 @@
   -zygote
 })')
 
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
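Review bot: `r_dir_file(domain, sysfs_fs_incfs_features);` widens read access from the three domains that had it (priv_app, system_server and vold, whose rules this commit removes) to every domain, and the comment gives no reason for doing so. The hunk in private/isolated_app.te likewise adds `-sysfs_fs_incfs_features` to an exclusion list ending in `:file no_rw_file_perms` without a comment; that statement opens outside its hunk and is presumably a neverallow. State the justification next to the rule, e.g. `# The IncFS feature list is static, non-sensitive kernel capability information; every domain may read it.`, if that is indeed the reasoning. If only a few processes actually read these files, a narrower source set than `domain` would leave the sysfs surface visible to isolated_app unchanged.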
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94d60f0..71749c0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -128,6 +128,7 @@
   -sysfs_devices_system_cpu
   -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+  -sysfs_fs_incfs_features
 }:file no_rw_file_perms;
 
 # No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/priv_app.te b/private/priv_app.te
index 4fd86e5..63a9cbf 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -161,9 +161,6 @@
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# Access the IncFS list of features
-r_dir_file(priv_app, sysfs_fs_incfs_features)
-
 # allow apps like Phonesky to check the file signature of an apk installed on
 # the Incremental File System, fill missing blocks and get the app status and loading progress
 allowxperm priv_app apk_data_file:file ioctl {
diff --git a/private/property_contexts b/private/property_contexts
index 58780d0..d0ee098 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -560,7 +560,7 @@
 
 tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
 
-vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
+vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
 
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
@@ -1041,6 +1041,7 @@
 ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@@ -1168,4 +1169,4 @@
 persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
 
 # bootanimation properties
-ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
\ No newline at end of file
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index c9c6aef..3357943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,7 @@
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
+artd                                      u:object_r:artd_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d3478bd..1d3cf09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -26,9 +26,6 @@
 # For Incremental Service to check if incfs is available
 allow system_server proc_filesystems:file r_file_perms;
 
-# Access the IncFS list of features
-r_dir_file(system_server, sysfs_fs_incfs_features);
-
 # To create files, get permission to fill blocks, and configure Incremental File System
 allow system_server incremental_control_file:file { ioctl r_file_perms };
 allowxperm system_server incremental_control_file:file ioctl {
diff --git a/private/vold.te b/private/vold.te
index d794abf..a802bdb 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -23,6 +23,7 @@
 get_prop(vold, storage_config_prop);
 get_prop(vold, incremental_prop);
 
+set_prop(vold, vold_post_fs_data_prop)
 set_prop(vold, vold_prop)
 set_prop(vold, vold_status_prop)
 set_prop(vold, powerctl_prop)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 4eb8bb2..7497dec 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -21,6 +21,9 @@
 # Allow NN HAL service to use a client-provided fd residing in /storage
 allow hal_neuralnetworks_server storage_file:file { getattr map read };
 
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
 # Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
 # property to determine whether to deny NNAPI extensions use for apps
 # on product partition (apps in GSI are not allowed to use NNAPI extensions).
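Review bot: The new `allow hal_neuralnetworks_server apk_data_file:file { getattr map read };` omits `open`, which is what limits the HAL to descriptors a client hands over, but the comment does not say the omission is deliberate. Extend it to something like `# No open: the HAL may only use fds passed by the client and must not open files under /data/app itself.` so a later change does not add `open` or a directory `search` rule by accident. Because this file is under public/, the rule presumably applies to every NN HAL server implementation, which makes it more important to state that boundary.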
diff --git a/public/property.te b/public/property.te
index 55eb7c2..6861d89 100644
--- a/public/property.te
+++ b/public/property.te
@@ -208,6 +208,7 @@
 system_public_prop(system_prop)
 system_public_prop(telephony_status_prop)
 system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
 system_public_prop(wifi_hal_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
diff --git a/public/service.te b/public/service.te
index 4012fca..916ad53 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,6 +1,7 @@
 type aidl_lazy_test_service,    service_manager_type;
 type apc_service,               service_manager_type;
 type apex_service,              service_manager_type;
+type artd_service,              service_manager_type;
 type audioserver_service,       service_manager_type;
 type authorization_service,     service_manager_type;
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 1c425fb..ae523b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -244,6 +244,7 @@
 set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, vndk_prop)
 set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
 set_prop(vendor_init, wifi_hal_prop)
 set_prop(vendor_init, wifi_log_prop)
 set_prop(vendor_init, zram_control_prop)
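Review bot: `set_prop(vendor_init, vold_post_fs_data_prop)` makes `vold.post_fs_data_done` writable from vendor init scripts, and nothing in the visible hunks records why vendor code needs to write a vold completion flag. Splitting the property out of `vold_config_prop` in the property_contexts hunk keeps the grant narrow. It remains to be confirmed that whatever waits on this property tolerates a vendor-set value. This list carries no per-line comments, so the rationale belongs in the commit description or beside the `system_public_prop(vold_post_fs_data_prop)` declaration in public/property.te, e.g. `# vold.post_fs_data_done: set by vold and by vendor_init`.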
diff --git a/public/vold.te b/public/vold.te
index 17c71b5..7796ba8 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -127,8 +127,6 @@
 allow vold apk_data_file:dir { create getattr setattr };
 allow vold shell_data_file:dir { create getattr setattr };
 
-# Access the IncFS list of features
-r_dir_file(vold, sysfs_fs_incfs_features);
 # Allow to mount incremental file system on /data/incremental and create files
 allow vold apk_data_file:dir { mounton rw_dir_perms };
 # Allow to create and write files in /data/incremental