Merge "Allow psi monitor users to setched kernel threads" into qt-dev
diff --git a/Android.mk b/Android.mk
index ab88003..361cc30 100644
--- a/Android.mk
+++ b/Android.mk
@@ -309,6 +309,11 @@
     selinux_denial_metadata \
 
 endif
+
+# Builds an addtional userdebug sepolicy into the debug ramdisk.
+LOCAL_REQUIRED_MODULES += \
+    userdebug_plat_sepolicy.cil \
+
 include $(BUILD_PHONY_PACKAGE)
 
 #################################
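Review bot: The comment on the new LOCAL_REQUIRED_MODULES entry misspells "additional", and it does not say that the entry is unconditional: it sits after the `endif` that closes the preceding block, so the userdebug policy is pulled into the build on every variant, not only userdebug. Suggest `# Builds an additional userdebug sepolicy into the debug ramdisk (required on all build variants).` so nobody later assumes it is gated. The backslash after `userdebug_plat_sepolicy.cil \` continues the assignment onto the following blank line; harmless, but it should be dropped. The phony package this list belongs to starts outside the hunk.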
@@ -525,6 +530,47 @@
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
+$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
+$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+  $(HOST_OUT_EXECUTABLES)/secilc \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+  $(built_sepolicy_neverallows)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+		$(POLICYVERS) -o $@.tmp $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+	$(hide) mv $@.tmp $@
+
+userdebug_plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
 ifdef HAS_PRODUCT_SEPOLICY
 LOCAL_MODULE := product_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
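Review bot: The `$(userdebug_plat_policy.conf)` recipe writes a second output, `$@.dontaudit`, that is not the target of any rule and is not a prerequisite of `$(LOCAL_BUILT_MODULE)` in this hunk (checkpolicy consumes `$<` only); unless something outside this file consumes it for the userdebug variant, that sed line is an untracked side output Make will neither rebuild on demand nor clean. The `$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))` expression is also spelled out twice, once for PRIVATE_ADDITIONAL_CIL_FILES and once in the prerequisite list; hoisting it into a single `:=` variable keeps the two from drifting. The header comment only says "the userdebug version plat_sepolicy.cil"; it should state that `PRIVATE_TARGET_BUILD_VARIANT` is forced to `userdebug` regardless of `TARGET_BUILD_VARIANT`, that the result is installed under `$(TARGET_DEBUG_RAMDISK_OUT)`, and where the decision to actually load it is made (presumably in init, not in this file).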
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6d60a66..2633bcf 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -46,6 +46,7 @@
     device_config_service
     dnsresolver_service
     dynamic_system_service
+    dynamic_system_prop
     face_service
     face_vendor_data_file
     fastbootd
diff --git a/private/file_contexts b/private/file_contexts
index ceb330b..ae105d1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,6 +24,7 @@
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0
 /config             u:object_r:rootfs:s0
+/debug_ramdisk      u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
 /postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
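Review bot: Labeling the new `/debug_ramdisk` mount point as plain `tmpfs` means the companion grant in public/init.te (`allow init tmpfs:file { getattr unlink };`, whose comment cites loading `/debug_ramdisk/*`) applies to every tmpfs-labeled file on the device, not only to the debug ramdisk. A dedicated type for this directory would let init's new `getattr` be scoped to the files it actually reads and would keep the userdebug policy artefact distinguishable from other tmpfs content in audit logs. If the generic label is deliberate, a comment on this line saying so would help the next reader. The same point applies to the public/init.te hunk.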
@@ -533,6 +534,7 @@
 
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/private/netd.te b/private/netd.te
index a00cb69..4c129b7 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -12,6 +12,10 @@
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
 
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
 get_prop(netd, bpf_progs_loaded_prop)
 
 # Allow netd to write to statsd.
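Review bot: The comment above the new `allow netd self:key_socket create;` reads as a fragment in this file: "such a socket" has no antecedent here, because the text was moved verbatim from system_server.te and the rule it now follows is the bpf grant. Suggest `# Creating and then closing a key_socket triggers synchronize_rcu() on 4.9 kernels; needed alongside the bpf rules above.` so the reason for granting an otherwise unusual socket class is preserved. The TODO would also benefit from a bug reference so the removal is actually tracked once 4.9 is gone.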
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a773f96..ca3b515 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -15,8 +15,10 @@
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 
 # For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
 
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
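Review bot: The comment `# For netutils (ndc) to be able to talk to netd` now sits above binder and service_manager rules but still reads as if the netd socket path were in use; with the sock_file and unix_stream_socket grants removed, suggest `# For netutils (ndc) to reach netd and dnsresolver over binder via servicemanager.` so the next reader understands why two `find` rules plus binder_use/binder_call appear here. It would also help to mention that the matching `-netutils_wrapper` exclusions in public/netd.te are what permit these finds, since that neverallow is the actual allow-list for these services.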
diff --git a/private/priv_app.te b/private/priv_app.te
index c5251a9..ab3847b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -162,6 +162,9 @@
 # profileable/debuggable.
 can_profile_heap(priv_app)
 
+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
diff --git a/private/property_contexts b/private/property_contexts
index c1f1228..7c56234 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0
diff --git a/private/statsd.te b/private/statsd.te
index 16d3aeb..99548a0 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,4 +1,5 @@
 typeattribute statsd coredomain;
+typeattribute statsd stats_service_server;
 
 init_daemon_domain(statsd)
 
diff --git a/private/system_app.te b/private/system_app.te
index d71ef72..e8627151 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -49,6 +49,8 @@
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 auditallow system_app exported_system_radio_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)
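Review bot: The comment `# Allow Settings to enable Dynamic System Update` names one app, but `set_prop(system_app, dynamic_system_prop)` grants the write to every process in the system_app domain, not to Settings specifically; the comment should describe what is actually granted, e.g. `# Allow system_app (Settings) to enable Dynamic System Update`. The radio property rules just above use auditallow to surface unexpected setters; if enabling DSU is expected to be rare, a matching `auditallow system_app dynamic_system_prop:property_service set;` would make any other system_app process flipping this flag visible in the audit log.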
diff --git a/private/system_server.te b/private/system_server.te
index 2791c75..0b27847 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,8 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server scheduler_service_server;
+typeattribute system_server sensor_service_server;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
@@ -243,10 +245,6 @@
 allow system_server hal_renderscript_hwservice:hwservice_manager find;
 allow system_server same_process_hal_file:file { execute read open getattr map };
 
-# Offer HwBinder services
-add_hwservice(system_server, fwk_scheduler_hwservice)
-add_hwservice(system_server, fwk_sensor_hwservice)
-
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
@@ -265,8 +263,9 @@
   inputflinger
   mediadrmserver
   mediaextractor
-  mediaserver
   mediametrics
+  mediaserver
+  mediaswcodec
   sdcardd
   statsd
   surfaceflinger
@@ -877,10 +876,6 @@
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
 allow system_server bpfloader:bpf { map_read map_write };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow system_server self:key_socket create;
-
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
diff --git a/private/zygote.te b/private/zygote.te
index 759fc34..0466372 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -118,6 +118,9 @@
 # System file accesses.
 r_dir_file(zygote, system_file)
 
+# /oem accesses.
+allow zygote oemfs:dir search;
+
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
   allow zygote method_trace_data_file:dir w_dir_perms;
diff --git a/public/attributes b/public/attributes
index dbb9356..67979da 100644
--- a/public/attributes
+++ b/public/attributes
@@ -303,11 +303,14 @@
 # from one core domain to another, without having to update the vendor image
 # which contains clients of this service.
 
-attribute display_service_server;
-attribute wifi_keystore_service_server;
-attribute mediaswcodec_server;
-attribute system_suspend_server;
 attribute camera_service_server;
+attribute display_service_server;
+attribute mediaswcodec_server;
+attribute scheduler_service_server;
+attribute sensor_service_server;
+attribute stats_service_server;
+attribute system_suspend_server;
+attribute wifi_keystore_service_server;
 
 # All types used for super partition block devices.
 attribute super_block_device_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ef95b78..2906b5b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -69,6 +69,7 @@
   mediaextractor
   mediametrics
   mediaserver
+  mediaswcodec
   sdcardd
   surfaceflinger
 
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c2549ff..1ef6cad 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -8,6 +8,7 @@
 
 # Allow NN HAL service to use a client-provided fd residing in /data/data/.
 allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
 
 # Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
 allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
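Review bot: The comment above the new rule, `# Allow NN HAL service to use a client-provided fd residing in /data/data/.`, now covers two types but mentions neither; suggest `# Allow NN HAL service to use a client-provided fd residing in /data/data/ (app_data_file, privapp_data_file).` It is also worth stating explicitly that `open` is deliberately absent from these rules, so the HAL can only operate on descriptors handed to it by a client and cannot reach app data on its own; that is the property a reviewer will want to re-check each time this list grows.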
diff --git a/public/idmap.te b/public/idmap.te
index d76558a..92c649c 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,7 +2,7 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
-# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file create_file_perms;
@@ -15,6 +15,10 @@
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
 
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
 # Allow apps access to /vendor/app
 r_dir_file(idmap, vendor_app_file)
 
diff --git a/public/init.te b/public/init.te
index bd95fe2..69c11d6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -49,8 +49,8 @@
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
 
 # Access pty created for fsck.
 allow init devpts:chr_file { read write open };
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 77aefe1..dbdb051 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -68,6 +68,7 @@
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
 allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index 859cb65..c4a9136 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -138,6 +138,7 @@
     -dumpstate
     -network_stack
     -netd
+    -netutils_wrapper
 } netd_service:service_manager find;
 
 # only system_server, dumpstate and network stack app may find dnsresolver service
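Review bot: The context comment `# only system_server, dumpstate and network stack app may find dnsresolver service` is now stale, because the next hunk adds `-netutils_wrapper` to that neverallow's exclusion list; the comment above the netd_service neverallow (outside this hunk) presumably lists the same callers and needs the same update. Suggest `# only system_server, dumpstate, network stack app and netutils_wrapper may find dnsresolver service`, and the equivalent wording for netd_service. These exclusions are what permit the new binder rules in private/netutils_wrapper.te, so keeping the comments accurate is how the allow-list stays reviewable.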
@@ -147,6 +148,7 @@
     -dumpstate
     -network_stack
     -netd
+    -netutils_wrapper
 } dnsresolver_service:service_manager find;
 
 # only netd can create the bpf maps
diff --git a/public/property.te b/public/property.te
index 12f0425..3ccaad7 100644
--- a/public/property.te
+++ b/public/property.te
@@ -42,6 +42,7 @@
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
 type dumpstate_prop, property_type, core_property_type;
+type dynamic_system_prop, property_type;
 type exported_secure_prop, property_type;
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
@@ -421,6 +422,7 @@
     -device_config_runtime_native_boot_prop
     -device_config_runtime_native_prop
     -device_config_media_native_prop
+    -dynamic_system_prop
     -gsid_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
diff --git a/public/property_contexts b/public/property_contexts
index be4e98e..34f6c54 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -214,9 +214,6 @@
 ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
 ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
 ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
-ro.bootimage.build.date u:object_r:exported2_default_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:exported2_default_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:exported2_default_prop:s0 exact string
 ro.bootloader u:object_r:exported2_default_prop:s0 exact string
 ro.build.date u:object_r:exported2_default_prop:s0 exact string
 ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
@@ -275,6 +272,11 @@
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
 ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
 ro.carrier u:object_r:exported_default_prop:s0 exact string
 ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
 ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
@@ -384,3 +386,5 @@
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/scheduler_service_server.te b/public/scheduler_service_server.te
new file mode 100644
index 0000000..b3cede1
--- /dev/null
+++ b/public/scheduler_service_server.te
@@ -0,0 +1 @@
+add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/public/sensor_service_server.te b/public/sensor_service_server.te
new file mode 100644
index 0000000..7c526a5
--- /dev/null
+++ b/public/sensor_service_server.te
@@ -0,0 +1 @@
+add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/public/shell.te b/public/shell.te
index 42a19b0..56196c3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -80,6 +80,8 @@
 set_prop(shell, heapprofd_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
 
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
new file mode 100644
index 0000000..564ae23
--- /dev/null
+++ b/public/stats_service_server.te
@@ -0,0 +1 @@
+add_hwservice(stats_service_server, fwk_stats_hwservice)
diff --git a/public/statsd.te b/public/statsd.te
index 8ba7f63..089cae9 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -50,9 +50,6 @@
   system_api_service
 }:service_manager find;
 
-# Allow statsd to add as HIDL service.
-add_hwservice(statsd, fwk_stats_hwservice)
-
 # Grant statsd to access health hal to access battery metrics.
 allow statsd hal_health_hwservice:hwservice_manager find;
 
diff --git a/public/traceur_app.te b/public/traceur_app.te
index b6debfb..5333015 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -3,6 +3,9 @@
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;
 
+# Allow Traceur to enable traced if necessary.
+set_prop(traceur_app, traced_enabled_prop)
+
 set_prop(traceur_app, debug_prop)
 
 allow traceur_app {
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6de31a8..9da79f4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -42,6 +42,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service            u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service   u:object_r:hal_power_stats_default_exec:s0