Merge "[rpc_binder] Enable connection with vm_payload_service"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 34fad7f..b02a9bf 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -46,6 +46,7 @@
"android.hardware.drm.IDrmFactory/clearkey": EXCEPTION_NO_FUZZER,
"android.hardware.drm.ICryptoFactory/clearkey": EXCEPTION_NO_FUZZER,
"android.hardware.dumpstate.IDumpstateDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.fastboot.IFastboot/default": EXCEPTION_NO_FUZZER,
"android.hardware.gatekeeper.IGatekeeper/default": EXCEPTION_NO_FUZZER,
"android.hardware.gnss.IGnss/default": EXCEPTION_NO_FUZZER,
"android.hardware.graphics.allocator.IAllocator/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a58129e..444c89c 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -35,4 +35,5 @@
hal_gatekeeper_service
hal_broadcastradio_service
hal_confirmationui_service
+ hal_fastboot_service
))
diff --git a/private/crosvm.te b/private/crosvm.te
index 5971b91..9c45131 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,9 +10,6 @@
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
-# Let crosvm mlock VM memory and page tables.
-allow crosvm self:capability ipc_lock;
-
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index c33e044..d93ee42 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -45,6 +45,9 @@
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
+ # Let this domain use the hal fastboot service
+ binder_use(fastbootd)
+ hal_client_domain(fastbootd, hal_fastboot)
')
# io_uring_setup needs ipc_lock and permission to operate anon inodes
diff --git a/private/init.te b/private/init.te
index f03a138..2fd2940 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, rootfs, hal_bootctl_server)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, hal_fastboot_server)
domain_trans(init, rootfs, hal_health_server)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
diff --git a/private/property_contexts b/private/property_contexts
index 48eed1c..1442fa9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1438,17 +1438,29 @@
# properties for the virtual Fingerprint HAL
persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
# properties for tuner
diff --git a/private/service_contexts b/private/service_contexts
index 2b9e88f..f2023f3 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -24,6 +24,7 @@
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
+android.hardware.fastboot.IFastboot/default u:object_r:hal_fastboot_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3e057fe..f41e7cc 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,6 +22,9 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+allow virtualizationservice self:capability sys_resource;
+
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
diff --git a/public/attributes b/public/attributes
index 121adc0..ae610e6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -338,6 +338,7 @@
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
+hal_attribute(fastboot);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
diff --git a/public/domain.te b/public/domain.te
index f9e4c46..b4fd977 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -593,6 +593,7 @@
-hal_camera_server
-hal_cas_server
-hal_drm_server
+ -hal_keymint_server
userdebug_or_eng(`-incidentd')
-init
-mediadrmserver
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 68cb9e0..8452b97 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -13,6 +13,7 @@
# fastbootd can use AIDL HALs in binder mode
binder_use(fastbootd)
hal_client_domain(fastbootd, hal_health)
+ hal_client_domain(fastbootd, hal_fastboot)
# Access /dev/usb-ffs/fastbootd/ep0
allow fastbootd functionfs:dir search;
diff --git a/public/hal_fastboot.te b/public/hal_fastboot.te
new file mode 100644
index 0000000..7aecac1
--- /dev/null
+++ b/public/hal_fastboot.te
@@ -0,0 +1,7 @@
+# allow binder connection from client to server
+binder_call(hal_fastboot_client, hal_fastboot_server)
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_fastboot, hal_fastboot_service)
+# allow binder communication from server to service_manager
+binder_call(hal_fastboot_server, servicemanager)
+
diff --git a/public/service.te b/public/service.te
index db7c298..8c8a430 100644
--- a/public/service.te
+++ b/public/service.te
@@ -281,6 +281,7 @@
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;
type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fastboot_service, protected_service, hal_service_type, service_manager_type;
type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_allocator_service, hal_service_type, service_manager_type;
diff --git a/vendor/hal_fastboot_default.te b/vendor/hal_fastboot_default.te
new file mode 100644
index 0000000..4a52642
--- /dev/null
+++ b/vendor/hal_fastboot_default.te
@@ -0,0 +1,6 @@
+type hal_fastboot_default, domain;
+
+hal_server_domain(hal_fastboot_default, hal_fastboot)
+
+type hal_fastboot_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fastboot_default)