Merge "Face Virtual HAL lockout support" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 48a3890..9e84fd0 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -53,6 +53,7 @@
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
@@ -122,7 +123,7 @@
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index e003d65..9558425 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -1271,3 +1271,5 @@
/product/bin/otapreopt postinstall_dexopt_exec
/data/misc/uprobestats-configs uprobestats_configs_data_file
/data/misc/uprobestats-configs/test uprobestats_configs_data_file
+
+/tmp shell_data_file
diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index 33b8917..a9c5f4a 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te
@@ -28,5 +28,5 @@
# Allow init_debug_policy to read AVF debug policy
allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file { open read };
+allow init_debug_policy sysfs_dt_avf:file r_file_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 2aed367..b84474a 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -20,6 +20,9 @@
# microdroid_manager can query AVF flags in the device tree
allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+# Allow microdroid_manager to read AVF debug policy
+allow microdroid_manager sysfs_dt_avf:dir search;
+
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
@@ -123,10 +126,6 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
-allow microdroid_manager sysfs_dt_avf:file { open read };
-
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/private/bug_map b/private/bug_map
index b8be64a..172d9a7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -19,9 +19,7 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
-mediaprovider_app device_config_media_native_prop file b/308043377
mediaswcodec ashmem_device chr_file b/142679232
-platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
diff --git a/private/file_contexts b/private/file_contexts
index 1fdeb14..a1bc85f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -54,6 +54,7 @@
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
/bootstrap-apex u:object_r:apex_mnt_dir:s0
+/tmp u:object_r:shell_data_file:s0
# Postinstall directories
/postinstall u:object_r:postinstall_mnt_dir:s0
diff --git a/private/service_contexts b/private/service_contexts
index ce151f0..5d3aaa7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -33,6 +33,7 @@
is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default u:object_r:hal_bluetooth_service:s0
')
+android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 725ca72..bbae070 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -85,7 +85,7 @@
# Allow virtualizationmanager to read AVF debug policy
allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file { open read };
+allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
# virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
# from pVM to HAL.
diff --git a/public/init.te b/public/init.te
index 29dd42d..47b8603 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,6 +105,7 @@
vendor_file
postinstall_mnt_dir
mirror_data_file
+ shell_data_file
}:dir mounton;
# Mount bpf fs on sys/fs/bpf
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 8e4ddb5..60e0339 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -21,6 +21,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0