Merge "Add remount.te to allow adb remount-related operations"
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index bbb8639..5859fc1 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -219,25 +219,19 @@
}
func (m *selinuxContextsModule) AndroidMk() android.AndroidMkData {
+ nameSuffix := ""
+ if m.InRecovery() && !m.onlyInRecovery() {
+ nameSuffix = ".recovery"
+ }
return android.AndroidMkData{
- Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
- nameSuffix := ""
- if m.InRecovery() && !m.onlyInRecovery() {
- nameSuffix = ".recovery"
- }
- fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
- fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
- fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
- data.Entries.WriteLicenseVariables(w)
- fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
- if m.Owner() != "" {
- fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
- }
- fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
- fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
- fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(m.outputPath),
+ SubName: nameSuffix,
+ Extra: []android.AndroidMkExtraFunc{
+ func(w io.Writer, outputFile android.Path) {
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.Name())
+ },
},
}
}
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 1066367..8a5f628 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -53,6 +53,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/hvc0 u:object_r:serial_device:s0
/dev/hvc1 u:object_r:serial_device:s0
+/dev/hvc2 u:object_r:serial_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
@@ -84,7 +85,6 @@
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
-/dev/hvc0 u:object_r:serial_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/vsock u:object_r:vsock_device:s0
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index ffc2b3b..50c2c81 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,7 +7,7 @@
# in tools/checkfc.c
attribute dev_type;
-# Attribute for block devices.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
# All types used for processes.
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 898224c..c03fb4d 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,7 +1,7 @@
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
@@ -34,7 +34,7 @@
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
diff --git a/private/apexd.te b/private/apexd.te
index 50a7a72..feee8ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -186,3 +186,6 @@
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/private/apexd_derive_classpath.te b/private/apexd_derive_classpath.te
new file mode 100644
index 0000000..d4c5496
--- /dev/null
+++ b/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index a71eec4..061edca 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -4,6 +4,7 @@
(type apex_scheduling_data_file)
(type apex_wifi_data_file)
(type healthd_exec)
+(type nonplat_service_contexts_file)
(type vr_hwc)
(type vr_hwc_exec)
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 5860761..f9645f4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -16,10 +16,13 @@
hal_health_service
hal_sensors_service
hal_system_suspend_service
+ hal_radio_service
hal_tv_tuner_service
hal_uwb_service
hal_uwb_vendor_service
hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ hal_nlinterceptor_service
hypervisor_prop
locale_service
power_stats_service
diff --git a/private/file_contexts b/private/file_contexts
index 1fb6b8d..e7045e0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -48,29 +48,21 @@
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/product_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/product_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-# Use nonplat_service_contexts_file to allow servicemanager to read it
-# on non full-treble devices.
-/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
@@ -403,8 +395,6 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
#############################
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3e2dbe4..2006ffe 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -120,7 +120,6 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/private/gsid.te b/private/gsid.te
index 2ccc51c..fa76da0 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -55,8 +55,15 @@
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
+# Allow querying the size of super_block_device_type.
+allow gsid super_block_device_type:blk_file r_file_perms;
+
# liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
+allowxperm gsid {
+ userdata_block_device
+ sdcard_block_device
+ super_block_device_type
+}:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 6f7d027..817416d 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -18,6 +18,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 54eb0a4..040ffe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -44,6 +44,8 @@
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 4470e1c..50002d4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,9 +10,11 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
@@ -26,6 +28,7 @@
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
+android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0b02745..1e00dcd 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,9 +22,6 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
-allow virtualizationservice system_file:file execute_no_trans;
-
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
diff --git a/public/attributes b/public/attributes
index 6c37db1..a68a6fc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,7 +7,7 @@
# in tools/checkfc.c
attribute dev_type;
-# Attribute for block devices.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
# All types used for processes.
@@ -68,7 +68,7 @@
# All types used for sysfs files.
attribute sysfs_type;
-# Attribute for /sys/class/block files.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute sysfs_block_type;
# All types use for debugfs files.
@@ -354,6 +354,7 @@
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
+hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
diff --git a/public/device.te b/public/device.te
index 1a71a40..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,18 +6,18 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
+type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
+type ram_device, dev_type;
type rtc_device, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
@@ -73,51 +73,51 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type, bdev_type;
+type root_block_device, dev_type;
# factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
+type frp_block_device, dev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
+type system_block_device, dev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
+type recovery_block_device, dev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
+type boot_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
+type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
+type cache_block_device, dev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
+type swap_block_device, dev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
+type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
+type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
+type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
+type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
diff --git a/public/file.te b/public/file.te
index 6e2adde..bfc20d4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -89,11 +89,10 @@
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
+type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
@@ -566,9 +565,6 @@
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index cd15910..e77ea9d 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -11,6 +11,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -31,6 +32,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -42,6 +44,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_nlinterceptor_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..2076de8
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,6 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
@@ -42,3 +43,6 @@
# granting the ioctl permission for hal_telephony_server should be device specific
allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
+
+# Allow AIDL HAL shim to call HIDL HAL implementation
+binder_call(hal_telephony_server, hal_telephony_server)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index f7c444e..b4ff7aa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,6 +3,9 @@
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
+
+binder_call(hal_wifi_supplicant_server, servicemanager)
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/keystore.te b/public/keystore.te
index b7d5090..9535491 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -43,3 +43,7 @@
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
diff --git a/public/service.te b/public/service.te
index 083de1d..19f7aaa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -249,6 +249,7 @@
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
+type hal_wifi_supplicant_service, vendor_service, protected_service, service_manager_type;
###
### HAL Services
@@ -278,10 +279,12 @@
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 63fc227..a085a61 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -22,7 +22,7 @@
allow servicemanager vendor_service_contexts_file:file r_file_perms;
# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
allow servicemanager dumpstate:fd use;
diff --git a/public/shell.te b/public/shell.te
index 5fd9079..7751d63 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -157,9 +157,6 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..98db0d7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@
binder_call(wificond, keystore)
add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a2587e1..e2f14da 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -70,6 +70,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio-service\.compat u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0