Merge changes from topic "custom_smcs_allowlist" into main
* changes:
Add test_pkvm_tee_service example tee service
Add plumbing for new tee_service_contexts
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index d02d61e..33c6d3b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
+ ctx.RegisterModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -116,7 +116,7 @@
// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
// current policy.
-func compatTestFactory() android.SingletonModule {
+func compatTestFactory() android.Module {
f := &compatTestModule{}
f.AddProperties(&f.properties)
android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
@@ -127,7 +127,7 @@
}
type compatTestModule struct {
- android.SingletonModuleBase
+ android.ModuleBase
properties struct {
// Default modules for conf
Defaults []string
@@ -180,11 +180,11 @@
}
}
-func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
-}
-
func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if ctx.ModuleName() != "sepolicy_compat_test" || ctx.ModuleDir() != "system/sepolicy/compat" {
+ // two compat test modules don't make sense.
+ ctx.ModuleErrorf("There can only be 1 se_compat_test module named sepolicy_compat_test in system/sepolicy/compat")
+ }
var inputs android.Paths
ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
outputs := android.OutputFilesForModule(ctx, child, "")
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index bfbac97..41d460d 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -25,13 +25,13 @@
func init() {
ctx := android.InitRegistrationContext
- ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
+ ctx.RegisterModuleType("se_freeze_test", freezeTestFactory)
}
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
// be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
-func freezeTestFactory() android.SingletonModule {
+func freezeTestFactory() android.Module {
f := &freezeTestModule{}
android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
@@ -41,7 +41,7 @@
}
type freezeTestModule struct {
- android.SingletonModuleBase
+ android.ModuleBase
freezeTestTimestamp android.ModuleOutPath
}
@@ -82,10 +82,6 @@
ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
}
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
deps := ctx.GetDirectDepsWithTag(depTag)
if len(deps) != 1 {
@@ -104,6 +100,11 @@
}
func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if ctx.ModuleName() != "se_freeze_test" || ctx.ModuleDir() != "system/sepolicy" {
+ // two freeze test modules don't make sense.
+ ctx.ModuleErrorf("There can only be 1 se_freeze_test module named se_freeze_test in system/sepolicy")
+ }
+
f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
if !f.shouldRunTest(ctx) {
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d26154a..77667ff 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,3 +8,7 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Let microdroid_manager kernel-log.
+allow microdroid_app kmsg_device:chr_file w_file_perms;
+allow microdroid_app kmsg_debug_device:chr_file w_file_perms;
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index 5ce168c..2c418a8 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -56456,7 +56456,7 @@
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app_all gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
+neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
# Do not allow isolated_apps access to /cache
neverallow isolated_app_all cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
diff --git a/private/property_contexts b/private/property_contexts
index 58a1858..6c74fb0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -453,6 +453,10 @@
# to enable spatialization for stereo channel mask
ro.audio.stereo_spatialization_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioPolicyInterfaceImpl to configure whether
+# to disable usecase validator for game mode
+ro.audio.usecase_validator_enabled u:object_r:audio_config_prop:s0 exact bool
+
# Boolean property used in UsbAlsaManager to decide if only one or multiple
# USB devices can be connected to audio system at a certain time
ro.audio.multi_usb_mode u:object_r:audio_config_prop:s0 exact bool
@@ -789,6 +793,7 @@
hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+hypervisor.virtualizationmanager.dump_device_tree u:object_r:hypervisor_virtualizationmanager_prop:s0 exact bool
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
@@ -1022,12 +1027,12 @@
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
ro.fstype.data u:object_r:fstype_prop:s0 exact string
+ro.build.backported_fixes.alias_bitset.long_list u:object_r:build_prop:s0 exact string
ro.build.characteristics u:object_r:build_prop:s0 exact string
ro.build.date u:object_r:build_prop:s0 exact string
ro.build.date.utc u:object_r:build_prop:s0 exact int
ro.build.description u:object_r:build_prop:s0 exact string
ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.critical_issues.fixed_issues.long_list u:object_r:build_prop:s0 exact string
ro.build.flavor u:object_r:build_prop:s0 exact string
ro.build.host u:object_r:build_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string