Merge changes from topics "norootintegrationtest", "profileshelltestdatafile"
* changes:
Allow shell to create shell_[test_]_data_file sockets.
Allow heapprofd to read shell_test_data_file.
diff --git a/Android.bp b/Android.bp
index 2ca424d..ac2e516 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,6 +12,36 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+// Added automatically by a large-scale-change that took the approach of
+// 'apply every license found to every target'. While this makes sure we respect
+// every license restriction, it may not be entirely correct.
+//
+// e.g. GPL in an MIT project might only apply to the contrib/ directory.
+//
+// Please consider splitting the single license below into multiple licenses,
+// taking care not to lose any license_kind information, and overriding the
+// default license using the 'licenses: [...]' property on targets as needed.
+//
+// For unused files, consider creating a 'filegroup' with "//visibility:private"
+// to attach the license to, and including a comment whether the files may be
+// used in the current project.
+// http://go/android-license-faq
+license {
+ name: "system_sepolicy_license",
+ visibility: [":__subpackages__"],
+ license_kinds: [
+ "SPDX-license-identifier-Apache-2.0",
+ "legacy_unencumbered",
+ ],
+ license_text: [
+ "NOTICE",
+ ],
+}
+
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
se_filegroup {
diff --git a/Android.mk b/Android.mk
index 8afd5a8..77513a0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -334,6 +334,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_TAGS := optional
LOCAL_REQUIRED_MODULES += \
selinux_policy_nonsystem \
@@ -348,6 +351,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
@@ -418,6 +424,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system_ext
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
@@ -459,6 +468,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_product
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
@@ -500,6 +512,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_nonsystem
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
@@ -573,6 +588,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -651,6 +669,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows_vendor
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -875,6 +896,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -925,6 +949,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
@@ -972,6 +999,9 @@
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_MODULE := system_ext_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -1029,6 +1059,9 @@
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_MODULE := product_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -1087,6 +1120,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_sepolicy_vers.txt
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1103,6 +1139,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_mapping_file
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1125,6 +1164,9 @@
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_MODULE := system_ext_mapping_file
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1152,6 +1194,9 @@
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_MODULE := product_mapping_file
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1180,6 +1225,9 @@
# plat_pub_versioned.cil - the exported platform policy associated with the version
# that non-platform policy targets.
LOCAL_MODULE := plat_pub_versioned.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1210,6 +1258,9 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1271,6 +1322,9 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1332,6 +1386,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1395,6 +1452,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
@@ -1408,6 +1468,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -1421,6 +1484,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -1436,6 +1502,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1457,6 +1526,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1478,6 +1550,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1498,6 +1573,9 @@
# build this target so that we can still perform neverallow checks
LOCAL_MODULE := sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1557,6 +1635,9 @@
# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
LOCAL_MODULE := sepolicy.recovery
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1613,6 +1694,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := general_sepolicy.conf
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
@@ -1641,6 +1725,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts.bin
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1735,6 +1822,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1758,6 +1848,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vndservice_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1788,6 +1881,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -1914,6 +2010,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/OWNERS b/OWNERS
index 0ad1d05..d7cde74 100644
--- a/OWNERS
+++ b/OWNERS
@@ -6,7 +6,6 @@
jeffv@google.com
jgalenson@google.com
jiyong@google.com
-nnk@google.com
smoreland@google.com
sspatil@google.com
trong@google.com
diff --git a/apex/Android.bp b/apex/Android.bp
index 762dd54..2ffaa9e 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -13,6 +13,14 @@
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // legacy_unencumbered
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
filegroup {
name: "apex.test-file_contexts",
srcs: [
diff --git a/build/Android.bp b/build/Android.bp
index d3f1fc3..5298f71 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -12,6 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
python_binary_host {
name: "build_sepolicy",
srcs: [
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 699a2a4..5f951ce 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -12,6 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
bootstrap_go_package {
name: "soong-selinux",
pkgPath: "android/soong/selinux",
diff --git a/compat.mk b/compat.mk
index 2b691ec..4aed864 100644
--- a/compat.mk
+++ b/compat.mk
@@ -5,6 +5,9 @@
# build this target to ensure the compat permissions files all build against the current policy
#
LOCAL_MODULE := $(version)_compat_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_REQUIRED_MODULES := $(version).compat.cil
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/contexts_tests.mk b/contexts_tests.mk
index 076408a..1189b83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -36,6 +36,9 @@
##################################
LOCAL_MODULE := plat_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -46,6 +49,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -57,6 +63,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -68,6 +77,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -79,6 +91,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -91,6 +106,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -102,6 +120,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -113,6 +134,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -124,6 +148,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -135,6 +162,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -149,6 +179,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -165,6 +198,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -181,6 +217,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -197,6 +236,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -215,6 +257,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -230,6 +275,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -241,6 +289,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -252,6 +303,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -266,6 +320,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 02376bc..566c82b 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -1,6 +1,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -39,6 +42,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -70,6 +76,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -101,6 +110,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -133,6 +145,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
diff --git a/private/app.te b/private/app.te
index c635aed..710b94d 100644
--- a/private/app.te
+++ b/private/app.te
@@ -71,6 +71,9 @@
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
+# Allow APFE device info to read Virtual A/B props.
+get_prop(appdomain, virtual_ab_prop)
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
@@ -88,3 +91,4 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6648338..d1800df 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -21,6 +21,7 @@
debugfs_kprobes
debugfs_mm_events_tracing
device_config_profcollect_native_boot_prop
+ device_config_connectivity_prop
device_state_service
dm_user_device
dmabuf_heap_device
@@ -75,6 +76,8 @@
profcollectd_service
radio_core_data_file
reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
resolver_service
search_ui_service
shell_test_data_file
@@ -85,6 +88,7 @@
soc_prop
speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_dma_heap
sysfs_dmabuf_stats
sysfs_uhid
system_server_dumper_service
@@ -96,6 +100,7 @@
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
- vpnmanager_service
+ vpn_management_service
watchdog_metadata_file
+ wifi_key
zygote_config_prop))
diff --git a/private/fastbootd.te b/private/fastbootd.te
index f0ba02c..98eb23c 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -28,6 +28,14 @@
allow fastbootd port:tcp_socket name_bind;
allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ # Start snapuserd for merging VABC updates
+ set_prop(fastbootd, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow fastbootd snapuserd_socket:sock_file write;
+ allow fastbootd snapuserd:unix_stream_socket connectto;
+ allow fastbootd dm_user_device:dir r_dir_perms;
+
# Get fastbootd protocol property
get_prop(fastbootd, fastbootd_protocol_prop)
')
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index de5f37e..983bad6 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -17,6 +17,7 @@
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 960110f..05dc06f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -148,6 +148,7 @@
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 1c6573c..9612b90 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -13,3 +13,10 @@
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
100 u:object_r:vold_key:s0
+# odsign_key is a keystore2_key namespace for the on-device signing daemon.
+101 u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102 u:object_r:wifi_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index cff37eb..990bc29 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -10,3 +10,6 @@
# A keystore2 namespace for vold. Vold need special permission to handle
# its own Keymint blobs.
type vold_key, keystore2_key_type;
+
+# A keystore2 namespace for the on-device signing daemon.
+type odsign_key, keystore2_key_type;
diff --git a/private/network_stack.te b/private/network_stack.te
index ab5a56e..f130e80 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -44,3 +44,6 @@
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
diff --git a/private/odsign.te b/private/odsign.te
index b7fd1f4..b35a3ca 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -21,6 +21,20 @@
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ use
+};
+
# talk to keymaster
hal_client_domain(odsign, hal_keymaster)
diff --git a/private/priv_app.te b/private/priv_app.te
index 4b0218e..1857af8 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -156,11 +156,12 @@
r_dir_file(priv_app, sysfs_fs_incfs_features)
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status
+# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {
INCFS_IOCTL_READ_SIGNATURE
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
+ INCFS_IOCTL_GET_FILLED_BLOCKS
};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
diff --git a/private/property.te b/private/property.te
index 0885b91..5dc75b8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -8,6 +8,7 @@
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 5b832dc..8778016 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -221,6 +221,7 @@
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
@@ -1059,8 +1060,8 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
# Enable Keystore 2.0.
-# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
-ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+# TODO remove this property when Keystore 2.0 migration is complete b/171563717
+persist.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
partition.system.verified u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
diff --git a/private/recovery.te b/private/recovery.te
index 207dfb6..00d7132 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -31,6 +31,14 @@
allow recovery self:tcp_socket { create ioctl };
allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+ # Start snapuserd for merging VABC updates
+ set_prop(recovery, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow recovery snapuserd_socket:sock_file write;
+ allow recovery snapuserd:unix_stream_socket connectto;
+ allow recovery dm_user_device:dir r_dir_perms;
+
# Set fastbootd protocol property
set_prop(recovery, fastbootd_protocol_prop)
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
new file mode 100644
index 0000000..e877981
--- /dev/null
+++ b/private/remote_prov_app.te
@@ -0,0 +1,10 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+allow remote_prov_app {
+ activity_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 929f073..b8e42ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,7 @@
isSystemServer=true domain=system_server_startup
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
diff --git a/private/service.te b/private/service.te
index 821b740..7f692f3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -8,4 +8,5 @@
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 3eee0d5..404f593 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -31,6 +31,7 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
@@ -259,6 +260,7 @@
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
+tracing.proxy u:object_r:tracingproxy_service:s0
transformer u:object_r:transformer_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
@@ -276,7 +278,7 @@
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
-vpnmanager u:object_r:vpnmanager_service:s0
+vpn_management u:object_r:vpn_management_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 4284835..0aa46e3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -142,6 +142,15 @@
use
};
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# settings app reads /proc/version
allow system_app {
proc_version
diff --git a/private/system_server.te b/private/system_server.te
index abfafa9..06673c3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -189,6 +189,9 @@
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
+# Read /sys/kernel/dma_heap/*.
+allow system_server sysfs_dma_heap:file r_file_perms;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -529,6 +532,9 @@
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
+# Allow write access to be able to truncate tombstones.
+allow system_server tombstone_data_file:file write;
+
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;
@@ -664,6 +670,7 @@
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -864,6 +871,15 @@
use
};
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -1113,6 +1129,7 @@
-flags_health_check
} {
device_config_activity_manager_native_boot_prop
+ device_config_connectivity_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_runtime_native_boot_prop
diff --git a/private/traced.te b/private/traced.te
index 89d3cd2..aa16966 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -37,6 +37,11 @@
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
+# Allow perfetto to access the proxy service for notifying Traceur.
+allow traced tracingproxy_service:service_manager find;
+binder_use(traced);
+binder_call(traced, system_server);
+
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
# write into the shmem buffer file without doing roundtrips over IPC.
allow traced iorapd:fd use;
diff --git a/public/file.te b/public/file.te
index 0cf465c..181979c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,6 +88,7 @@
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 79a0667..5fbe9f2 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,6 +19,14 @@
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+use_keystore(hal_wifi_supplicant)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
###
### neverallow rules
###
diff --git a/public/keystore.te b/public/keystore.te
index 8c64090..b8c599c 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/public/service.te b/public/service.te
index cf223da..cfc8a2f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
@@ -215,7 +216,7 @@
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vpnmanager_service, app_api_service, system_server_service, service_manager_type;
+type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index 462fa27..b33b820 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -1,5 +1,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -20,6 +23,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -43,6 +49,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -66,6 +75,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -89,6 +101,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
@@ -112,6 +127,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
diff --git a/tests/Android.bp b/tests/Android.bp
index 926b5e4..5925fc2 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,3 +1,11 @@
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_library_host_shared {
name: "libsepolwrap",
srcs: ["sepol_wrap.cpp"],
diff --git a/tools/Android.bp b/tools/Android.bp
index 2809c9d..a6a15a5 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -14,6 +14,14 @@
* limitations under the License.
*/
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_defaults {
name: "sepolicy_tools_defaults",
cflags: [
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
index ff40c16..bb6b701 100644
--- a/tools/sepolicy-analyze/Android.bp
+++ b/tools/sepolicy-analyze/Android.bp
@@ -1,3 +1,11 @@
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // legacy_unencumbered
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_binary_host {
name: "sepolicy-analyze",
defaults: ["sepolicy_tools_defaults"],
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 0195e5f..fdfe9ee 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -5,6 +5,9 @@
# permissions granted do not violate the treble model. Also ensure that treble
# compatibility guarantees are upheld between SELinux version bumps.
LOCAL_MODULE := treble_sepolicy_tests_$(version)
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional