Merge "Add sepolicy for music recognition service."
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 714da8e..9539add 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
apex_info_file
cgroup_v2
debugfs_kprobes
+ dmabuf_system_heap_device
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_fingerprint_service
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index a2b2b01..b8b7b30 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -11,7 +11,7 @@
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
+# processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
@@ -28,12 +28,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
-# "dontaudit...audit_access" policy line to suppress the audit access without
-# suppressing denial on actual access.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/file_contexts b/private/file_contexts
index 27bbb3d..efb2c14 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -92,6 +92,7 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 5022160..ff7444f 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -127,3 +127,7 @@
# b/148974132: com.android.vending needs this
allow gmscore_app priv_app:tcp_socket { read write };
+
+# b/168059475 Allow GMSCore to read Virtual AB properties to determine
+# if device supports VAB.
+get_prop(gmscore_app, virtual_ab_prop)
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index b803dbc..22482d9 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -18,7 +18,6 @@
-iorap_inode2filename
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
-# TODO(b/141677108): See if we can remove any of these.
neverallow {
mlstrustedsubject
-installd
@@ -27,6 +26,5 @@
-system_server
-adbd
-runas
- -dexoptanalyzer
-zygote
} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/private/property_contexts b/private/property_contexts
index 4785707..5bf7807 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -235,8 +235,8 @@
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
# Virtual A/B properties
-ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
-ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
@@ -862,6 +862,8 @@
gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
+ro.cdma.home.operator.alpha u:object_r:telephony_config_prop:s0 exact string
+ro.cdma.home.operator.numeric u:object_r:telephony_config_prop:s0 exact string
ro.com.android.dataroaming u:object_r:telephony_config_prop:s0 exact bool
ro.com.android.prov_mobiledata u:object_r:telephony_config_prop:s0 exact bool
ro.radio.noril u:object_r:telephony_config_prop:s0 exact string
diff --git a/private/system_server.te b/private/system_server.te
index 6042fff..f344bbb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -933,6 +933,9 @@
allow system_server cgroup_v2:dir rw_dir_perms;
allow system_server cgroup_v2:file rw_file_perms;
+# Access to /dev/dma_heap/system
+allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
diff --git a/private/traceur_app.te b/private/traceur_app.te
index b7e58ba..2937e26 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -21,7 +21,4 @@
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
-# Allow Traceur to enable traced if necessary.
-set_prop(traceur_app, traced_enabled_prop)
-
set_prop(traceur_app, debug_prop)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 4acc0e8..bc90450 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,7 +2,8 @@
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
-### ephemeral_app for instant apps.
+### ephemeral_app for instant apps and isolated_app (which has a reduced
+### permission set).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
diff --git a/public/app.te b/public/app.te
index 8263c09..ad1696f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -308,6 +308,7 @@
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;
diff --git a/public/attributes b/public/attributes
index 75b0c25..3582a09 100644
--- a/public/attributes
+++ b/public/attributes
@@ -184,7 +184,7 @@
# All domains used for apps.
attribute appdomain;
-# All third party apps.
+# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;
# All domains used for apps with network access.
diff --git a/public/device.te b/public/device.te
index 43d6322..4282a25 100644
--- a/public/device.te
+++ b/public/device.te
@@ -44,6 +44,7 @@
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 86db99c..1978aa3 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -119,6 +119,7 @@
allow mediaserver preloads_media_file:file { getattr read ioctl };
allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 992baab..8e35225 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -23,3 +23,4 @@
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 1d75080..9c2575a 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -31,6 +31,9 @@
# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;