Merge "Allow TunerService to find and call TunerResourceManager Service"
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index 9620b75..71a72b4 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -625,6 +625,7 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/private/app.te b/private/app.te
index 30ef991..c635aed 100644
--- a/private/app.te
+++ b/private/app.te
@@ -63,6 +63,10 @@
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
# Read /data/misc/apexdata/com.android.art
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
diff --git a/private/bug_map b/private/bug_map
index a404de3..5b042ae 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -11,7 +11,6 @@
init shell_data_file lnk_file b/77873135
init shell_data_file sock_file b/77873135
init system_data_file chr_file b/77873135
-installd device file b/177187042
isolated_app privapp_data_file dir b/119596573
isolated_app app_data_file dir b/120394782
mediaextractor app_data_file file b/77923736
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 6c95364..a2ae272 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2000,7 +2000,7 @@
(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
(typeattributeset swap_block_device_30_0 (swap_block_device))
-(typeattributeset sysfs_30_0 (sysfs))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index c19413c..57ffc45 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,28 +17,34 @@
cgroup_v2
ctl_snapuserd_prop
debugfs_kprobes
+ debugfs_mm_events_tracing
device_config_profcollect_native_boot_prop
device_state_service
dm_user_device
dmabuf_heap_device
dmabuf_system_heap_device
dmabuf_system_secure_heap_device
+ domain_verification_service
dumpstate_tmpfs
framework_watchdog_config_prop
game_service
+ font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_authsecret_service
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
+ hal_health_storage_service
hal_memtrack_service
hal_oemlock_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
+ hal_neuralnetworks_service
hal_power_stats_service
+ hal_weaver_service
keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
@@ -64,16 +70,20 @@
profcollectd_service
radio_core_data_file
reboot_readiness_service
+ resolver_service
search_ui_service
shell_test_data_file
smartspace_service
snapuserd
snapuserd_exec
snapuserd_socket
+ speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_uhid
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
+ texttospeech_service
transformer_service
update_engine_stable_service
userspace_reboot_metadata_file
diff --git a/private/file.te b/private/file.te
index 284a9ee..87443ef 100644
--- a/private/file.te
+++ b/private/file.te
@@ -41,3 +41,6 @@
# /data/misc/apexdata/com.android.art/staging
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 7aeba99..89c67fc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -551,6 +551,7 @@
# to avoid restorecon conflicts
/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)? u:object_r:font_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@@ -668,6 +669,7 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 900b25b..c5baf79 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -140,6 +140,7 @@
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
@@ -158,6 +159,7 @@
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
@@ -172,6 +174,8 @@
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index b2f6cea..5f4a943 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -24,6 +24,7 @@
allow mediatranscoding mediametrics_service:service_manager find;
allow mediatranscoding mediaextractor_service:service_manager find;
allow mediatranscoding package_native_service:service_manager find;
+allow mediatranscoding thermal_service:service_manager find;
allow mediatranscoding system_server:fd use;
allow mediatranscoding activity_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 46362a0..9fd319f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -152,9 +152,16 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Access the IncFS list of features
+r_dir_file(priv_app, sysfs_fs_incfs_features)
+
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, and fill missing blocks in the apk
-allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+# the Incremental File System, fill missing blocks and get the app status
+allowxperm priv_app apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
allow priv_app incremental_control_file:file { read getattr ioctl };
diff --git a/private/property_contexts b/private/property_contexts
index cea1b6e..6b2b883 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -111,6 +111,7 @@
# adbd protoctl configuration property
service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+service.adb.transport u:object_r:adbd_config_prop:s0 exact string
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
diff --git a/private/service.te b/private/service.te
index f17fe86..821b740 100644
--- a/private/service.te
+++ b/private/service.te
@@ -4,6 +4,7 @@
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 5d65e35..494644a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,6 +3,7 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
@@ -13,6 +14,7 @@
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
+android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -84,6 +86,7 @@
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
dnsresolver u:object_r:dnsresolver_service:s0
+domain_verification u:object_r:domain_verification_service:s0
color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
@@ -201,6 +204,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+resolver u:object_r:resolver_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
@@ -225,6 +229,7 @@
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
smartspace u:object_r:smartspace_service:s0
+speech_recognition u:object_r:speech_recognition_service:s0
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
statsmanager u:object_r:statsmanager_service:s0
@@ -248,6 +253,7 @@
tethering u:object_r:tethering_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
+texttospeech u:object_r:texttospeech_service:s0
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index bf5c8e8..6767cd1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,12 +24,27 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# To create files and get permission to fill blocks on Incremental File System
-allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
+# Access the IncFS list of features
+r_dir_file(system_server, sysfs_fs_incfs_features);
-# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
+# To create files, get permission to fill blocks, and configure Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl {
+ INCFS_IOCTL_CREATE_FILE
+ INCFS_IOCTL_CREATE_MAPPED_FILE
+ INCFS_IOCTL_PERMIT_FILL
+ INCFS_IOCTL_GET_READ_TIMEOUTS
+ INCFS_IOCTL_SET_READ_TIMEOUTS
+};
+
+# To get signature of an APK installed on Incremental File System, and fill in data
+# blocks and get the filesystem state
+allowxperm system_server apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+};
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
@@ -260,6 +275,10 @@
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
@@ -355,6 +374,8 @@
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
@@ -1024,6 +1045,13 @@
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
###
### Neverallow rules
###
@@ -1181,6 +1209,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
+allow system_server surfaceflinger_exec:file r_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
@@ -1247,8 +1278,21 @@
-system_server
} wifi_config_prop:file no_rw_file_perms;
+# Only allow system server to write uhid sysfs files
+neverallow {
+ domain
+ -init
+ -system_server
+ -ueventd
+ -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index d192bfd..da9c635 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -16,6 +16,11 @@
allow traced_probes debugfs_trace_marker:file getattr;
allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+# Allow traced_probes to access mm_events trace instance
+allow traced_probes debugfs_tracing_instances:dir search;
+allow traced_probes debugfs_mm_events_tracing:dir search;
+allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
+
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
@@ -137,3 +142,4 @@
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;
+
diff --git a/public/file.te b/public/file.te
index ccd65e2..dceb96e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -109,6 +109,7 @@
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
@@ -120,7 +121,7 @@
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
-
+type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
@@ -137,6 +138,7 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
index 61e609b..cb7c01d 100644
--- a/public/hal_health_storage.te
+++ b/public/hal_health_storage.te
@@ -2,4 +2,7 @@
binder_call(hal_health_storage_client, hal_health_storage_server)
binder_call(hal_health_storage_server, hal_health_storage_client)
+binder_use(hal_health_storage_server)
+
hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
+hal_attribute_service(hal_health_storage, hal_health_storage_service)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 228d990..416448a 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -28,3 +28,9 @@
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
+
+# Define sepolicy for NN AIDL HAL service
+hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
+binder_call(hal_neuralnetworks_server, servicemanager)
+
+allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 36d1306..2b34989 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,3 +2,6 @@
binder_call(hal_weaver_client, hal_weaver_server)
hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/public/ioctl_defines b/public/ioctl_defines
index a2e2c4e..62c4e66 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1066,6 +1066,10 @@
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/service.te b/public/service.te
index 03e659d..a2bb54b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -95,6 +95,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type domain_verification_service, system_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
@@ -116,7 +117,7 @@
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -188,10 +189,12 @@
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
@@ -234,15 +237,18 @@
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_neuralnetworks_service, vendor_service, service_manager_type;
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/te_macros b/public/te_macros
index 1966f20..c6035f8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -467,6 +467,12 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
diff --git a/public/vold.te b/public/vold.te
index 9ec6bd1..030e572 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -126,6 +126,8 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+# Access the IncFS list of features
+r_dir_file(vold, sysfs_fs_incfs_features);
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
@@ -294,6 +296,9 @@
allow vold gsi_metadata_file:dir r_dir_perms;
allow vold gsi_metadata_file:file r_file_perms;
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
+
neverallow {
domain
-vold
diff --git a/vendor/file_contexts b/vendor/file_contexts
index dd351cf..d05431c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -43,6 +43,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
diff --git a/vendor/hal_weaver_default.te b/vendor/hal_weaver_default.te
new file mode 100644
index 0000000..0dd7679
--- /dev/null
+++ b/vendor/hal_weaver_default.te
@@ -0,0 +1,5 @@
+type hal_weaver_default, domain;
+hal_server_domain(hal_weaver_default, hal_weaver)
+
+type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_weaver_default)