Merge "Move mediatranscoding type to public"
diff --git a/Android.bp b/Android.bp
index 1c272f8..e517356 100644
--- a/Android.bp
+++ b/Android.bp
@@ -790,6 +790,9 @@
src: ":userdebug_plat_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
debug_ramdisk: true,
+ dist: {
+ targets: ["droidcore"],
+ },
}
// A copy of the userdebug_plat_policy in GSI.
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index bf67e4c..5ec418c 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -16,8 +16,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
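Review bot: The two added `dev_type` rules are broader than the comment above them says: `dev_type` is the attribute shared by every labeled device node, so apexd now gets directory read on all of /dev and `getattr` on every block device, not only /dev/block as the replaced `block_device` rule did. If the intent is limited to block devices, scope the rules to a block-device attribute (the platform policy's old init rule in private/init.te used `bdev_type`), or at least reword the comment to `# Allow apexd to list device directories and stat block device nodes (dev_type, i.e. all of /dev)` so the breadth of the grant is visible. The same widening appears in private/init.te, where `bdev_type` becomes `dev_type` while the new comment still says /dev/block.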
@@ -56,6 +57,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
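Review bot: `allow apexd sysfs_type:file r_file_perms;` grants read on every sysfs_type-labeled file, which is far wider than the `/sys/class/block` the new comment names, and the added `sysfs_type:dir r_dir_perms` line also makes the existing `allow apexd sysfs_type:dir search;` two lines above redundant. If the microdroid policy has a narrower attribute for block-device sysfs nodes (the platform policy's old init rule used `sysfs_block_type`), scope the file rule to it; otherwise reword the comment to say that all of sysfs becomes readable to apexd. private/init.te makes the same `sysfs_block_type` to `sysfs_type` change and public/init.te and public/domain.te relax neverallows to admit it, so whatever scoping is chosen here should be applied to those hunks together.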
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e28f4fc..89fa02f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -82,6 +82,7 @@
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
+/dev/hvc0 u:object_r:serial_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/vsock u:object_r:vsock_device:s0
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index 004aa3d..de1c8d6 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -23,7 +23,3 @@
rebind
use
};
-
-# Microdroid manager connects vsock_socket to the host and app's output is redirected to it.
-# TODO(b/195751698) This is flaky; it seems this is not always necessary.
-dontaudit microdroid_app microdroid_manager:vsock_socket getattr;
diff --git a/private/app.te b/private/app.te
index 2b3554f..8477133 100644
--- a/private/app.te
+++ b/private/app.te
@@ -103,3 +103,7 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
+# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
+neverallow { appdomain -gmscore_app } checkin_data_file:file *;
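Review bot: The two new neverallows cover only the `dir` and `file` classes, while the file_contexts entry `/data/misc_ce/[0-9]+/checkin(/.*)?` labels everything under that directory, so a symlink, socket or fifo carrying `checkin_data_file` would not be guarded against the other app domains. A single rule `neverallow { appdomain -gmscore_app } checkin_data_file:dir_file_class_set *;` would make the guard match the label's reach (`dir_file_class_set` being the global_macros set of dir plus the file classes). The `neverallow appdomain` block whose tail forms the hunk's first context lines starts outside the hunk and is unrelated to the new rules.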
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index f3abde4..362b412 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -3,6 +3,8 @@
(type apex_permission_data_file)
(type apex_scheduling_data_file)
(type apex_wifi_data_file)
+(type vr_hwc)
+(type vr_hwc_exec)
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 692d739..7decba1 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -12,6 +12,8 @@
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
+ hal_graphics_composer_service
+ hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
hal_uwb_service
@@ -31,4 +33,5 @@
sysfs_vendor_sched
vendor_vm_file
vendor_vm_data_file
+ virtual_device_service
))
diff --git a/private/file.te b/private/file.te
index 7e0bdd2..f2d3f56 100644
--- a/private/file.te
+++ b/private/file.te
@@ -30,6 +30,9 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_ce/checkin for checkin apps.
+type checkin_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index bc75fd3..18be045 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -357,7 +357,6 @@
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
@@ -658,6 +657,9 @@
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+# checkin data files
+/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
+
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 571d155..799d7ff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -121,6 +121,10 @@
allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
+# Write the checkin metadata to /data/misc_ce/<userid>/checkin
+allow gmscore_app checkin_data_file:dir rw_dir_perms;
+allow gmscore_app checkin_data_file:file create_file_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
diff --git a/private/init.te b/private/init.te
index 200780d..3b64e25 100644
--- a/private/init.te
+++ b/private/init.te
@@ -43,10 +43,10 @@
allow init sysfs_loop:file rw_file_perms;
# Allow init to examine the properties of block devices.
-allow init sysfs_block_type:file { getattr read };
-# Allow init access /dev/block
-allow init bdev_type:dir r_dir_perms;
-allow init bdev_type:blk_file getattr;
+allow init sysfs_type:file { getattr read };
+# Allow init get the attributes of block devices in /dev/block.
+allow init dev_type:dir r_dir_perms;
+allow init dev_type:blk_file getattr;
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 5f14ba4..f370025 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -24,6 +24,9 @@
# Talk to the AudioServer service
allow mediaprovider_app audioserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 2667615..5d4c3b7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1185,16 +1185,19 @@
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
partition.product.verified u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified u:object_r:verity_status_prop:s0 exact string
# Properties that holds the hashtree information for verity partitions.
partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.system.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.product.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index 805c6b3..b9ab85d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,6 +4,7 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
@@ -16,6 +17,7 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
@@ -302,12 +304,11 @@
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtualdevice u:object_r:virtual_device_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
vpn_management u:object_r:vpn_management_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 9900600..e88efd0 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -91,8 +91,6 @@
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
-add_service(surfaceflinger, vrflinger_vsync_service)
-
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index 239686e..6cf993a 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,7 +93,6 @@
-tracingproxy_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
@@ -105,7 +104,6 @@
netd_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# suppress denials caused by debugfs_tracing
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 98d83af..d6f237c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,6 +176,15 @@
# the profiler (which would be profiling the app that is sending the signal).
allow untrusted_app_all simpleperf:process signal;
+# Allow running a VM for test/demo purposes. Note that access the service is
+# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission. The protection level of the permission is `signature|development`
+# so that it can only be granted to either platform-key signed apps or
+# test-only apps having `android:testOnly="true"` in its manifest.
+userdebug_or_eng(`
+ virtualizationservice_use(untrusted_app_all)
+')
+
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;
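Review bot: The new comment leans entirely on the framework permission for enforcement and its first sentence has a slip: `access the service` should read `access to the service`, i.e. `# Allow running a VM for test/demo purposes. Note that access to the service is`. It would also help a future reader to state plainly that SELinux grants the whole `untrusted_app_all` attribute (every untrusted app domain) on userdebug/eng builds and that `MANAGE_VIRTUAL_MACHINE` is the only check separating an arbitrary test-only app from the virtualization service, since that is the property anyone auditing this rule needs to confirm.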
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ad7e6bb..c6d482a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -20,6 +20,7 @@
apex_module_data_file
apex_rollback_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
@@ -34,6 +35,7 @@
apex_module_data_file
apex_rollback_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/private/zygote.te b/private/zygote.te
index f2af506..8e2b15a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -230,6 +230,11 @@
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
###
### neverallow rules
###
diff --git a/public/domain.te b/public/domain.te
index b789ebf..95b59d8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -685,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
}:service_manager find;
@@ -1359,6 +1358,8 @@
-shell
# For access to block device information under /sys/class/block.
-apexd
+ # Read sysfs block device information.
+ -init
# Generate uevents for health info
-ueventd
# Recovery uses health HAL passthrough implementation.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 23711c3..b1f186c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -255,7 +255,6 @@
-gatekeeper_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
@@ -265,7 +264,6 @@
gatekeeper_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# Most of these are neverallowed.
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 1c69c99..7327256 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -30,3 +30,8 @@
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:global_capability_class_set sys_nice;
+
+binder_call(hal_graphics_composer_client, servicemanager)
+binder_call(hal_graphics_composer_server, servicemanager)
+
+hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 06e76f1..f25a2ea 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_sensors self:global_capability_class_set sys_nice;
+
+add_service(hal_sensors_server, hal_sensors_service)
+binder_call(hal_sensors_server, servicemanager)
+
+allow hal_sensors_client hal_sensors_service:service_manager find;
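Review bot: This hunk wires the sensors service by hand (`add_service`, `binder_call`, a bare `find` allow) while the hal_graphics_composer.te hunk in the same commit uses `hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)`; the two new AIDL HALs should follow one pattern. `hal_attribute_service(hal_sensors, hal_sensors_service)` would replace the `add_service` and `find` lines here, and as far as I recall the macro also emits the neverallows that stop domains outside the client/server attributes from adding or finding the service, which the hand-written form does not. The `binder_call(hal_sensors_server, servicemanager)` line would stay as it is.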
diff --git a/public/init.te b/public/init.te
index 60a1a4d..193941a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -651,7 +651,7 @@
neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open read write };
+neverallow init sysfs:file { open write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
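Review bot: Dropping `read` from `neverallow init sysfs:file { open read write }` removes the guard that the new `allow init sysfs_type:file { getattr read }` in private/init.te would otherwise trip, but nothing in the hunk records why the relaxation is acceptable. Since `open` stays forbidden, in practice init can only `read` an unlabeled sysfs file through a descriptor it already holds or is handed, which is worth stating: `# Init should not access sysfs nodes that are not explicitly labeled. read is tolerated only because of the generic sysfs_type grant in private/init.te; open remains forbidden.` If that private/init.te rule is later narrowed back to a block-device attribute, `read` should be restored to this neverallow.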
diff --git a/public/service.te b/public/service.te
index 9fcf4d3..a821941 100644
--- a/public/service.te
+++ b/public/service.te
@@ -231,6 +231,7 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type virtual_device_service, system_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
@@ -259,6 +260,7 @@
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
@@ -270,6 +272,7 @@
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_sensors_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 70a7fb4..5fd9079 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -89,7 +89,6 @@
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ce9b844..03c4944 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -15,7 +15,6 @@
-netd_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7c57618..59694ec 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -40,6 +40,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
@@ -70,6 +71,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0