Merge "Split user_profile_data_file label."
diff --git a/apex/Android.bp b/apex/Android.bp
index 53303c6..762dd54 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -161,6 +161,13 @@
}
filegroup {
+ name: "com.android.scheduling-file_contexts",
+ srcs: [
+ "com.android.scheduling-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
@@ -175,6 +182,13 @@
}
filegroup {
+ name: "com.android.virt-file_contexts",
+ srcs: [
+ "com.android.virt-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.vndk-file_contexts",
srcs: [
"com.android.vndk-file_contexts",
diff --git a/apex/com.android.scheduling-file_contexts b/apex/com.android.scheduling-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.scheduling-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.virt-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index a19361c..d1d5f0f 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -7,6 +7,7 @@
( new_objects
ab_update_gki_prop
adbd_config_prop
+ apc_service
apex_info_file
cgroup_desc_api_file
cgroup_v2
@@ -22,6 +23,7 @@
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
+ hal_memtrack_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
@@ -42,6 +44,7 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ search_ui_service
shell_test_data_file
snapuserd
snapuserd_exec
diff --git a/private/domain.te b/private/domain.te
index 84fa107..d4f9e0e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -196,7 +196,7 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
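Review bot: The comment block above these neverallows still says the staging files cannot be accessed by other domains, but the changed line now exempts `priv_app` from the `staging_data_file:dir *` rule without saying why or how far the exemption reaches. Because the exemption is on `*`, what keeps priv_app from modifying the staging directory is the `no_w_dir_perms` neverallow two lines below, assuming that macro expands to the directory write permissions (its definition is not visible here). I would add a line above the changed rule such as `# priv_app is exempted for read-only access (see priv_app.te); directory writes stay blocked by the no_w_dir_perms rule below.` The comment block starts above the hunk and the apexd comment at the end continues past it.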
diff --git a/private/file_contexts b/private/file_contexts
index d2e0b62..80e805e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,6 +94,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
diff --git a/private/priv_app.te b/private/priv_app.te
index 07ed6c7..6a60cd1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -156,6 +156,8 @@
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
+# Required for Phonesky to be able to read staged files under /data/app-staging.
+allow priv_app staging_data_file:dir r_dir_perms;
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
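Review bot: The new `allow priv_app staging_data_file:dir r_dir_perms;` is justified by Phonesky alone, but it applies to the whole `priv_app` domain, so every privileged app can now list the staged sessions under /data/app-staging. The neighbouring `apex_data_file:dir` rule grants only `search`. If Phonesky is handed exact paths and does not need to enumerate the directory, `allow priv_app staging_data_file:dir search;` would be the narrower grant; whether listing is needed is not visible in this hunk. If listing is required, the comment should say so, e.g. `# Phonesky lists and reads staged files under /data/app-staging; note this applies to all priv_apps.`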
diff --git a/private/property_contexts b/private/property_contexts
index 32e4c5c..ae9e141 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1090,6 +1090,6 @@
setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
-db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/service_contexts b/private/service_contexts
index 60890c4..47eb92d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -5,6 +5,7 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@@ -21,6 +22,7 @@
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.security.apc u:object_r:apc_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
@@ -199,6 +201,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index a1abc41..41cabe8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -51,3 +51,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
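Review bot: The added `auditallow` has no comment of its own, so the file does not say why every granted `bind`/`nlmsg_readpriv` on a netlink route socket is now logged or when the rule can be dropped. The same applies to the identical additions in untrusted_app_27.te and untrusted_app_29.te. The existing comment describes only the allow rule, so I would add something like `# Audit remaining uses so the allow above can be removed once apps stop relying on it; TODO(b/<bug-id>).`, assuming that is the intent. An auditallow records each granted access, so devices with many apps in these legacy domains will emit extra `avc: granted` entries; account for that in log collection and rate limiting.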
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b7b6d72..0993faa 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -39,3 +39,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 344ae89..c5652b1 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -17,3 +17,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/public/domain.te b/public/domain.te
index d4274e1..ec4b379 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -682,6 +682,7 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
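Review bot: `-apc_service` is added to the exemption list without a trailing comment, while the entries around it carry one (`# must be @VintfStability ...` and the `TODO(b/36783122)` line). The type is declared in public/service.te without `app_api_service`, and the te_macros hunk of this commit grants `find` on it inside a keystore-related macro, which is presumably why the exemption is needed. A short comment such as `-apc_service # found by keystore clients via te_macros; not an app_api_service` would record that for the next auditor. The enclosing rule starts and ends outside this hunk, so the exact restriction being relaxed is not visible here.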
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index ed93a29..549f0b9 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,3 +2,8 @@
binder_call(hal_memtrack_client, hal_memtrack_server)
hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+add_service(hal_memtrack_server, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
+
+allow hal_memtrack_client hal_memtrack_service:service_manager find;
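Review bot: The three added rules for the binder service follow the `hal_attribute_hwservice` line with nothing to tell the two interfaces apart. A one-line comment above `add_service(...)`, for example `# AIDL memtrack service (android.hardware.memtrack.IMemtrack/default)`, would show which rules belong to which transport. That also makes it clear what can be removed when one variant is retired.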
diff --git a/public/keystore.te b/public/keystore.te
index 3fac95f..8f78551 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -15,6 +15,7 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
# Check SELinux permissions.
selinux_check_access(keystore)
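Review bot: `add_service(keystore, apc_service)` is placed after the two `find` rules rather than next to `add_service(keystore, keystore_service)`, and nothing says which service it registers. Grouping the two registrations and adding a comment such as `# android.security.apc is served from the keystore process` would make it easier to audit which service names keystore is allowed to register with servicemanager.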
diff --git a/public/service.te b/public/service.te
index 9159e6b..87e230c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,4 +1,5 @@
type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -166,6 +167,7 @@
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -227,6 +229,7 @@
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 65b7b34..467ac44 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -594,6 +594,7 @@
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
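Review bot: The added `allow $1 apc_service:service_manager find;` sits inside a macro body, so every domain that invokes this macro can now look up `apc_service`, whether or not it uses that interface. If only some keystore clients need it, granting `find` in those domains directly would be tighter. Otherwise the macro should document the wider grant, e.g. `# apc_service is served by keystore; every keystore client may look it up.` The macro's definition line and closing are outside the hunk, so which macro this is can only be inferred from the keystore rules around it.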
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 49ba272..e60bb89 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -55,6 +55,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
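Review bot: The new pattern leaves the dot before `example` unescaped (`memtrack-service.example`), so it matches any character at that position, unlike the `lights-service\.example` entry three lines above. The path should be written `/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.example` so that only the intended binary receives the `hal_memtrack_default_exec` label.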