Merge "[Thread] move ot-daemon socket to /dev/socket/ot-daemon" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index a7d65cd..d32cc2c 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -263,6 +263,7 @@
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
"euicc_card_controller": EXCEPTION_NO_FUZZER,
"external_vibrator_service": EXCEPTION_NO_FUZZER,
diff --git a/private/bpfloader.te b/private/bpfloader.te
index ccfe440..be6f77c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -68,7 +68,7 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index c236223..f7b4941 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -10,6 +10,7 @@
ota_build_prop
snapuserd_log_data_file
fwk_vibrator_control_service
+ ecm_enhanced_confirmation_service
hal_authgraph_service
hal_secretkeeper_service
hal_codec2_service
diff --git a/private/keys.conf b/private/keys.conf
index 18c1a8c..fc50ef3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -23,6 +23,9 @@
[@NETWORK_STACK]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+[@NFC]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index c9a9aca..fa8ffcf 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -69,4 +69,9 @@
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
+
+ <!-- NFC key in AOSP -->
+ <signer signature="@NFC" >
+ <seinfo value="nfc" />
+ </signer>
</policy>
diff --git a/private/netd.te b/private/netd.te
index 8be8212..6d1c10c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,9 +6,9 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,9 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 957d005..2219631 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -184,7 +184,9 @@
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=nfc seinfo=nfc domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro levelFrom=all
diff --git a/private/service_contexts b/private/service_contexts
index 5d3aaa7..66215bc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -242,6 +242,7 @@
dumpstate u:object_r:dumpstate_service:s0
dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
+ecm_enhanced_confirmation u:object_r:ecm_enhanced_confirmation_service:s0
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
diff --git a/public/service.te b/public/service.te
index 1c7605e..5c63e9e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -118,6 +118,7 @@
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;