Merge "Add fastbootd to the sys_rawio whitelist."
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 5bec849..51cbd28 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -283,6 +283,7 @@
hal_graphics_composer_server
hal_health_server
hal_omx_server
+ hal_power_stats_server
hal_sensors_server
hal_vr_server
}:process { signal };
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 3509cfc..111923f 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -396,5 +396,7 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te
index 92f8a09..a2193d0 100644
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -10,7 +10,7 @@
type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/private/keys.conf b/private/keys.conf
index 362e73d..8c899b6 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -17,6 +17,9 @@
[@NETWORK_STACK]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+[@PERMISSION_CONTROLLER]
+ALL: $DEFAULT_SYSTEM_DEV_CERTIFICATE/com_google_android_permissioncontroller-container.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/keystore.te b/private/keystore.te
index 7f71028..ee6dbdf 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,9 +11,5 @@
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
-
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c1..5095a2a 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -59,4 +59,10 @@
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
+
+ <signer signature="@PERMISSION_CONTROLLER" >
+ <package name="com.google.android.permissioncontroller">
+ <seinfo value="permission_controller" />
+ </package>
+ </signer>
</policy>
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 0000000..32fa9bd
--- /dev/null
+++ b/private/permissioncontroller_app.te
@@ -0,0 +1,27 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
+
+app_domain(permissioncontroller_app)
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 6f0cb4f..bfa0669 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -168,6 +168,7 @@
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app sysfs_dm:file r_file_perms;
dontaudit priv_app wifi_prop:file read;
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c74bd2c..3651389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -156,6 +156,7 @@
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app seinfo=permission_controller isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/public/domain.te b/public/domain.te
index 1773de5..99274a8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1271,7 +1271,7 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file rootfs }:system module_load;
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
diff --git a/public/logpersist.te b/public/logpersist.te
index c7cab80..c8e6af4 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -1,6 +1,10 @@
# android debug logging, logpersist domains
type logpersist, domain;
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
###
### Neverallow rules
###
diff --git a/public/property_contexts b/public/property_contexts
index cae5ebc..7a2badd 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -116,7 +116,7 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -419,6 +419,8 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/wificond.te b/public/wificond.te
index e11d45d..a55872a 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -30,3 +30,14 @@
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+get_prop(wificond, hwservicemanager_prop)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:binder call;
+allow wificond keystore:keystore_key get;