Merge "Simplify out path of checked vendor property_contexts" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 008e443..81d90d4 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -464,7 +464,7 @@
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
- "virtual_camera": EXCEPTION_NO_FUZZER,
+ "virtual_camera_service": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 50d9de4..d9767ed 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -538,6 +538,8 @@
/vendor/framework/test vendor_framework_file
/system/vendor/framework vendor_framework_file
/system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
/vendor/apex vendor_apex_file
/vendor/apex/test vendor_apex_file
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ddaa7e2..83e3b3d 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -27,4 +27,5 @@
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
))
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
@@ -39,6 +39,7 @@
apex_compos_data_file
apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/domain.te b/private/domain.te
index 0861fa5..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index b7f1a34..32092da 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -412,6 +412,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 26cff1f..74701df 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -172,6 +172,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
+user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/service_contexts b/private/service_contexts
index a803d51..898cb14 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -438,7 +438,6 @@
vibrator u:object_r:vibrator_service:s0
vibrator_control u:object_r:vibrator_control_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
-virtual_camera u:object_r:virtual_camera_service:s0
virtualdevice u:object_r:virtual_device_service:s0
virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
diff --git a/private/shell.te b/private/shell.te
index aa6bef8..e410862 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 2a9da11..97e64af 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -298,7 +298,6 @@
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
-binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c6a1abb..765a59f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -9,8 +9,6 @@
# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
# we actually need from halserverdomain and hal_camera_server:
binder_use(virtual_camera)
-binder_call(virtual_camera, cameraserver)
-binder_call(virtual_camera, system_server)
# Allow virtual_camera to use fd from apps
allow virtual_camera { appdomain -isolated_app }:fd use;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..871d3f2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/public/file.te b/public/file.te
index 091c557..142e167 100644
--- a/public/file.te
+++ b/public/file.te
@@ -255,6 +255,8 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 28613c9..1c393f1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -171,7 +171,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0