Merge "Allow `otapreopt` to use bind-mounted Bionic artifacts from the Runtime APEX."
diff --git a/private/apexd.te b/private/apexd.te
index 4a496e5..2290878 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -53,6 +53,8 @@
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
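Review bot: The new rule on `sysfs_type:dir search` grants traversal of every sysfs-labelled directory, which is broader than the `sysfs_dm`-scoped rules that follow it; if the denial came from one specific path, the grant can stay minimal with that type (or plain `sysfs`) as the target. The comment above it should name that path, e.g. `# /sys directory tree traversal (needed to reach <SYSFS_PATH_PLACEHOLDER> for loop/dm read-ahead setup)`, so the next reader can tell whether the attribute-wide grant is still needed. A blank line between the new rule and the `# Configure read-ahead` comment would keep the file's one-blank-line-per-block layout.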
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d10ca35..f5b5d09 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
 (typeattributeset priv_app_28_0 (priv_app))
 (typeattributeset proc_28_0
   ( proc
+    proc_keys
     proc_slabinfo))
 (typeattributeset proc_abi_28_0 (proc_abi))
 (typeattributeset proc_asound_28_0 (proc_asound))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 42f18a0..924726c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,6 +23,8 @@
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
+    cgroup_desc_file
+    cgroup_rc_file
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
@@ -32,7 +34,9 @@
     device_config_input_native_boot_prop
     device_config_netd_native_prop
     device_config_reset_performed_prop
+    device_config_runtime_native_boot_prop
     device_config_runtime_native_prop
+    device_config_media_native_prop
     device_config_service
     dynamic_android_service
     face_service
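Review bot: `device_config_media_native_prop` is inserted after `device_config_runtime_native_prop`, which breaks the otherwise alphabetical run of `device_config_*` entries in this list (input_native_boot, netd_native, reset_performed, runtime_native); it belongs between `cpu_variant_prop`'s neighbours `device_config_input_native_boot_prop` and `device_config_netd_native_prop`. The same placement is repeated in private/property_contexts, where the surrounding `persist.device_config.*` lines are also sorted; the lists in public/property.te, public/vendor_init.te, private/system_server.te and public/flags_heatlh_check.te are not strictly sorted in their context lines, so the appended position is defensible there. Moving the one line in the two sorted files avoids drift between the compat ignore list and the property contexts.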
@@ -104,6 +108,7 @@
     system_lmk_prop
     system_suspend_hwservice
     staging_data_file
+    task_profiles_file
     testharness_service
     test_harness_prop
     time_prop
diff --git a/private/domain.te b/private/domain.te
index dda8f21..39b7c75 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,6 +29,10 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
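Review bot: The three new `allow domain ...` rules have no comment saying why every domain, including app domains, needs read access to `cgroup_rc_file` and `task_profiles_file`, while every neighbouring block in this file explains its grant. Presumably a library linked into every process reads these two files; a one-line comment such as `# Every process needs to read the cgroup map (/dev/cgroup_info) and task profiles — confirm which library reads them` would record that and make it clear the grant is deliberate rather than a blanket convenience. The `search` on the `cgroup_rc_file` directory is needed because `/dev/cgroup_info(/.*)?` labels the directory itself with that type.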
@@ -188,3 +192,10 @@
     -exec_type
     -postinstall_file
 }:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+  domain
+  -init
+  -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
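Review bot: The comment says "Only init is allowed to write cgroup.rc file" but the neverallow also exempts `vendor_init`, so the text and the rule disagree; change it to `# Only init and vendor_init are allowed to write the cgroup.rc file`. The rule also only guards the `file` class, yet `/dev/cgroup_info(/.*)?` labels the containing directory `cgroup_rc_file` too, so a future `dir { add_name write unlink }` grant to another domain would let it replace the file wholesale without tripping this neverallow. If the macro set provides it, a companion `neverallow { domain -init -vendor_init } cgroup_rc_file:dir no_w_dir_perms;` closes that gap; otherwise spell out the directory write permissions.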
diff --git a/private/file_contexts b/private/file_contexts
index d206f2d..b793e82 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -93,6 +93,7 @@
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)?  u:object_r:cgroup_rc_file:s0
 /dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
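Review bot: The `/dev/cgroup_info(/.*)?` entry is placed after `/dev/event-log-tags`, but the surrounding `/dev/` entries are kept in alphabetical order (device-mapper, eac, event-log-tags, fscklogs, fuse, graphics), so it belongs above `/dev/device-mapper`. The new line also uses spaces where its neighbours use tabs to separate path and context, which is harmless to the parser but stands out in the column layout.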
@@ -192,6 +193,7 @@
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/mini-keyctl	--	u:object_r:mini-keyctl_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
@@ -295,6 +297,7 @@
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
@@ -309,6 +312,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 87b9cb3..2a74484 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /keys u:object_r:proc_keys:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /loadavg u:object_r:proc_loadavg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
diff --git a/private/installd.te b/private/installd.te
index c511b80..77889a3 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -31,3 +31,6 @@
 # subsequently restore them.
 allow installd rollback_data_file:dir create_dir_perms;
 allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
new file mode 100644
index 0000000..c81a17c
--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;
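Review bot: The new domain has no header comment stating what mini-keyctl is and what it is started for, whereas the security-relevant grant in the file, `allow mini-keyctl kernel:key { view search write };`, lets the daemon add keys to the kernel keyring and should at least say which keys it installs and why only the kernel keyring is the target; a short header such as `# mini-keyctl: init-launched helper that loads <KEY_PURPOSE_PLACEHOLDER> keys into the kernel keyring` plus `# write: needed to add keys to the kernel keyring` would cover both. The `dontaudit ... init:key view` / `vold:key view` lines are explained by the comment above them, which is good. As a point of style, the type names `mini-keyctl` and `mini-keyctl_exec` use a hyphen while the file is named mini_keyctl.te and every other domain in this tree (`vendor_init`, `flags_health_check`, `system_server`) uses underscores; the hyphen is legal but makes the type harder to grep for against the file name.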
diff --git a/private/property_contexts b/private/property_contexts
index 74134ac..4eb10dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -173,6 +173,8 @@
 persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.netd_native.           u:object_r:device_config_netd_native_prop:s0
 persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 2a79460..49b5498 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -586,7 +586,9 @@
 set_prop(system_server, device_config_input_native_boot_prop)
 set_prop(system_server, device_config_netd_native_prop)
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server, device_config_media_native_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -950,7 +952,9 @@
   device_config_activity_manager_native_boot_prop
   device_config_input_native_boot_prop
   device_config_netd_native_prop
+  device_config_runtime_native_boot_prop
   device_config_runtime_native_prop
+  device_config_media_native_prop
 }:property_service set;
 
 # system_server should never be executing dex2oat. This is either
diff --git a/private/zygote.te b/private/zygote.te
index 9f8a348..9bf6ef9 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -97,7 +97,10 @@
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
 # Allow mounting on sdcardfs dirs
-allow zygote sdcardfs:dir { search mounton };
+# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
+# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
+# sdcardfs simply wraps files stored under /data/media.)
+allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
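Review bot: The parenthetical claims `sdcardfs` and `media_rw_data_file` are "technically equivalent", but for the policy they are distinct labels: the comment itself says sdcardfs wraps files under /data/media, so `media_rw_data_file` is the backing store reachable without the sdcardfs layer and its permission translation. Wording it as `# (media_rw_data_file is the /data/media backing store that sdcardfs wraps, so both labels expose the same data.)` states the actual relationship, and adding the line to restore, `allow zygote sdcardfs:dir { search mounton };`, to the TODO makes the eventual revert mechanical.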
@@ -128,6 +131,7 @@
 
 # Allow the zygote to access the runtime feature flag properties.
 get_prop(zygote, device_config_runtime_native_prop)
+get_prop(zygote, device_config_runtime_native_boot_prop)
 
 # ingore spurious denials
 dontaudit zygote self:global_capability_class_set sys_resource;
diff --git a/public/domain.te b/public/domain.te
index 03e745c..e086ace 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1051,6 +1051,7 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
+    -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
   }:file *;
 ')
diff --git a/public/file.te b/public/file.te
index a264c91..a8f113b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;
 type proc_iomem, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
@@ -153,6 +154,10 @@
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
@@ -192,6 +197,8 @@
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
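Review bot: `# Speedup access to cgroup map file` describes a motivation rather than the type, unlike the neighbouring comments that say where the file lives (`# Type for /system/bin/logcat.`, `# /cores for coredumps ...`). From the rest of this change the file is `/dev/cgroup_info` on tmpfs (file_contexts, the `tmpfs:filesystem associate` rule below) and only init and vendor_init may write it (private/domain.te), so `# cgroup map file under /dev/cgroup_info; writable only by init/vendor_init, readable by all domains` documents the contract the other rules enforce.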
@@ -448,6 +455,7 @@
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index b189b0a..151c7c0 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -4,10 +4,12 @@
 
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
 set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/init.te b/public/init.te
index a089c8c..54125ac 100644
--- a/public/init.te
+++ b/public/init.te
@@ -107,6 +107,8 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
 
 # /config
 allow init configfs:dir mounton;
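Review bot: `allow init cgroup_rc_file:file rw_file_perms;` does not include `create`, and nothing in this change grants init `cgroup_rc_file:dir { add_name write }` on the `/dev/cgroup_info` directory, which carries the same label via the `(/.*)?` pattern in file_contexts; since the directory lives on tmpfs the file must be created at runtime by someone. Presumably init's broad `file_type` rules elsewhere in this file already cover creation, in which case the new line is only needed for the explicit read/write path, but that is worth confirming against a denial log; if they do not, `allow init cgroup_rc_file:dir rw_dir_perms;` and `create_file_perms` on the file are what is missing. A comment such as `# cgroup map (/dev/cgroup_info) generated from /system/etc/cgroups.json — confirm` would tie the two new rules together.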
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index ee5534c..c9ff732 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,6 +37,8 @@
 # scan extractor library directory to dynamically load extractors
 allow mediaextractor system_file:dir { read open };
 
+get_prop(mediaextractor, device_config_media_native_prop)
+
 userdebug_or_eng(`
   # Allow extractor to add update service.
   allow mediaextractor mediaextractor_update_service:service_manager { find add };
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 9702562..0086a72 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -7,6 +7,8 @@
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
+get_prop(mediaswcodec, device_config_media_native_prop)
+
 userdebug_or_eng(`
   binder_use(mediaswcodec)
   # Add mediaextractor_update_service service
diff --git a/public/property.te b/public/property.te
index ffd8d95..6cc67ed 100644
--- a/public/property.te
+++ b/public/property.te
@@ -33,7 +33,9 @@
 type device_config_reset_performed_prop, property_type;
 type device_config_input_native_boot_prop, property_type;
 type device_config_netd_native_prop, property_type;
+type device_config_runtime_native_boot_prop, property_type;
 type device_config_runtime_native_prop, property_type;
+type device_config_media_native_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -406,7 +408,9 @@
     -device_config_boot_count_prop
     -device_config_input_native_boot_prop
     -device_config_netd_native_prop
+    -device_config_runtime_native_boot_prop
     -device_config_runtime_native_prop
+    -device_config_media_native_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 94f6a25..b7c60c6 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -179,7 +179,9 @@
       -device_config_reset_performed_prop
       -device_config_input_native_boot_prop
       -device_config_netd_native_prop
+      -device_config_runtime_native_boot_prop
       -device_config_runtime_native_prop
+      -device_config_media_native_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 03b0ac6..303f001 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -56,6 +56,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0