Merge "hal_vehicle_default: enabled communication with statsd"
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index 94a8fea..a07f5ae 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -27,6 +27,7 @@
     evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    framework_status_prop
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index f19a60a..1b2360d 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -1205,6 +1205,9 @@
 framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
 framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
 
+# Framework configuration properties.
+framework.pause_bg_animations.enabled         u:object_r:framework_status_prop:s0 exact bool
+
 gsm.operator.iso-country       u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.iso-country   u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 6258c7a..8e1fcf7 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -116,6 +116,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
 get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index b18f142..a235634 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -199,6 +199,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..0f8dd5f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -729,6 +729,7 @@
 	get_state
 	list
 	lock
+	migrate_any_key
 	pull_metrics
 	report_off_body
 	reset
diff --git a/private/artd.te b/private/artd.te
index 0d26234..4f0db69 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -34,9 +34,10 @@
 # Read access to /vendor/app.
 r_dir_file(artd, vendor_app_file)
 
-# Read access to all compilation artifacts generated on device for apps' primary
-# dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-r_dir_file(artd, dalvikcache_data_file)
+# Read/write access to all compilation artifacts generated on device for apps'
+# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+allow artd dalvikcache_data_file:dir create_dir_perms;
+allow artd dalvikcache_data_file:file create_file_perms;
 
 # Read access to the ART APEX data directory.
 # Needed for reading the boot image generated on device.
@@ -46,3 +47,14 @@
 # Read access to /apex/apex-info-list.xml
 # Needed for getting APEX versions.
 allow artd apex_info_file:file r_file_perms;
+
+# Allow getting root capabilities to bypass permission checks.
+# - "dac_override" and "dac_read_search" are for
+#   - reading secondary dex'es in app data directories (reading primary dex'es
+#     doesn't need root capabilities)
+#   - managing (CRUD) compilation artifacts in both APK directories for primary
+#     dex'es and in app data directories for secondary dex'es
+#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
+# - "fowner" is for adjusting the file permissions of compilation artifacts and
+#   profile files based on whether they include user data or not.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
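Review bot: The `fowner` grant is broader than the justification above it suggests — it lifts the owner check for chmod/chattr on any file artd can otherwise reach, not only compilation artifacts and profiles, and together with `dac_override` it leaves the SELinux allow rules as the sole boundary on artd's file access. The comment cites secondary dex'es and profile files in app data directories, yet no `app_data_file` rules appear in this hunk; if they live elsewhere a pointer would help, and if they do not, the capabilities alone grant nothing there. I would add `# NOTE: these capabilities bypass DAC only; the allow rules on the specific file types remain the effective access boundary.` so the next reader does not treat this as a blanket root grant.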
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 3488b46..805ca7c 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -27,6 +27,7 @@
     evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    framework_status_prop
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3beb247..606cdaf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -6,6 +6,7 @@
 (typeattributeset new_objects
   ( new_objects
     device_config_vendor_system_native_prop
+    hal_bootctl_service
     virtual_face_hal_prop
     virtual_fingerprint_hal_prop
   ))
diff --git a/private/domain.te b/private/domain.te
index 5f369e3..af50226 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -303,6 +303,7 @@
   -cppreopts
   -dex2oat
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:file no_w_file_perms;
 
 neverallow {
@@ -314,6 +315,7 @@
   -dex2oat
   -zygote
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:dir no_w_dir_perms;
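Review bot: `-artd` is appended after `-otapreopt_slot` in both exclusion lists, breaking the alphabetical order the visible entries follow (`cppreopts`, `dex2oat`, `otapreopt_slot`); move it to the head of each list. Both neverallow statements begin above their hunks, so if they carry an explanatory comment about who may write dalvik-cache artifacts (not visible here), extend it to name artd so the exemption is self-explaining.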
 
 # Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
@@ -361,6 +363,7 @@
 # a Unix group or change the permissions of a file.
 define(`dac_override_allowed', `{
   apexd
+  artd
   dnsmasq
   dumpstate
   init
diff --git a/private/property_contexts b/private/property_contexts
index b45cd0f..6d53f7f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1208,6 +1208,9 @@
 framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
 framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
 
+# Framework configuration properties.
+framework.pause_bg_animations.enabled         u:object_r:framework_status_prop:s0 exact bool
+
 gsm.operator.iso-country       u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.iso-country   u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
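Review bot: The new header `# Framework configuration properties.` disagrees with the type it introduces — `framework_status_prop` is a status type and is made world-readable via `system_public_prop` and `get_prop(domain, …)` in this change, so a reader cannot tell whether this is configuration or reported state. Pick one wording and name the writer, e.g. `# Framework status properties; world-readable, set by the framework (confirm which domain holds set_prop).` — no `set_prop` rule for this type is visible in the diff, so that part is hedged.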
diff --git a/private/service_contexts b/private/service_contexts
index 1094151..247f22f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
+android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
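Review bot: The new `android.hardware.boot.IBootControl/default` entry is inserted between the two `android.hardware.automotive.evs.IEvsEnumerator` lines, splitting that block and breaking the file's alphabetical order. Move it below the last `android.hardware.automotive.*` entry so the list stays sorted and mergeable.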
diff --git a/private/system_server.te b/private/system_server.te
index bbf33ba..81cde09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -966,7 +966,9 @@
 	clear_ns
 	clear_uid
 	get_state
+	list
 	lock
+	migrate_any_key
 	pull_metrics
 	reset
 	unlock
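Review bot: `migrate_any_key` is a cross-namespace key operation, and no hunk in this change adds a neverallow confining it to system_server; unless an existing keystore2 neverallow outside this diff already covers it, add `neverallow { domain -system_server } keystore:keystore2 migrate_any_key;` (using the class spelled in the enclosing allow) so it cannot be handed to a vendor or app domain later. A one-line comment stating which system_server path needs `list` and `migrate_any_key` would also help, since the enclosing allow statement starts above this hunk and the permission list gives no rationale.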
diff --git a/private/update_engine.te b/private/update_engine.te
index c3f575f..8d6341c 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -30,3 +30,7 @@
 # capex decompression
 allow update_engine apex_service:service_manager find;
 binder_call(update_engine, apexd)
+
+# let this domain use the hal service
+binder_use(update_engine)
+hal_client_domain(update_engine, hal_bootctl)
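Review bot: The comment `# let this domain use the hal service` does not say which HAL, although the rule is specific to boot control; write `# Talk to the boot control HAL (IBootControl) to query and switch A/B slots.` (the slot semantics are presumed from the HAL name — confirm). If `binder_use(update_engine)` is already granted in public/update_engine.te, which is outside this view, the duplicate here is harmless but can be dropped.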
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 5e1b27b..a8cef37 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -7,3 +7,10 @@
 
 # Allow to set the OTA related properties e.g. ota.warm_reset.
 set_prop(update_verifier, ota_prop)
+
+# allow update_verifier to connect to snapuserd daemon
+allow update_verifier snapuserd_socket:sock_file write;
+allow update_verifier snapuserd:unix_stream_socket connectto;
+
+# virtual a/b properties
+get_prop(update_verifier, virtual_ab_prop)
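Review bot: The two socket rules are the hand-expanded body of the `unix_socket_connect` macro; `unix_socket_connect(update_verifier, snapuserd, snapuserd)` is the convention in this tree and keeps the `sock_file write` / `connectto` pair from drifting apart. The comment should also state why update_verifier needs snapuserd — presumably to check Virtual A/B merge state before marking the slot bootable, which would also explain the `virtual_ab_prop` read — but that is inferred, so confirm before writing it.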
diff --git a/public/domain.te b/public/domain.te
index 4f60d9d..5054aa6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -116,6 +116,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
 get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index a1f3d7f..1ef10a7 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,6 +1,7 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+binder_use(hal_bootctl_server)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
 allow hal_bootctl_server proc_bootconfig:file r_file_perms;
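Review bot: The hunk grants the server `binder_use` but nothing here lets it register the AIDL service type introduced in this change: `hal_attribute_service(hal_bootctl, hal_bootctl_service)`, the AIDL counterpart of the `hal_attribute_hwservice` line below, is what allows the server to `add` `hal_bootctl_service` and `hal_bootctl_client` domains such as update_engine to `find` it. If that line is already present further down the file (outside this hunk) disregard; otherwise the new service_contexts entry cannot be registered and the client grant in update_engine.te is inert.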
diff --git a/public/property.te b/public/property.te
index 7de6540..98cabd1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -199,6 +199,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
diff --git a/public/service.te b/public/service.te
index 8dc3e04..97dddc1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -269,6 +269,7 @@
 type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_bootctl_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
 type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 392a750..dd1e4a1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,6 +20,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
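Review bot: In the new entry the `.` in `boot-service.default` is unescaped, so it matches any single character (`boot-serviceXdefault`), unlike every other dot on the line; write `/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service\.default`. Also pad the label column to align with the neighbouring entries.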