Merge "Wifi Keystore HAL is not a HAL" into oc-dev
diff --git a/private/adbd.te b/private/adbd.te
index b402335..5fa83e2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,15 +63,6 @@
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
diff --git a/private/asan_extract.te b/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
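Review bot: The header comment of this new file runs two thoughts together without punctuation ("type_transition must be private policy the domain_trans rules could stay public, but conceptually should go with this") and is hard to parse. Suggest `# type_transition rules must live in private policy; the domain_trans rules could stay public but conceptually belong next to them.` and, for the second comment, `# Not a long-running daemon, but init_daemon_domain gives us the init -> asan_extract transition we want.` Both comments only describe the macro choice, so the wording is the only change proposed.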
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b0048aa..d05a21f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,10 +49,6 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
-# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/private/file_contexts b/private/file_contexts
index 1b61875..9feeef9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -116,7 +116,6 @@
/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/sap_uim_socket[0-9] u:object_r:sap_uim_socket:s0
/dev/socket/cryptd u:object_r:vold_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
@@ -260,7 +259,20 @@
#############################
# Vendor files
#
-/vendor(/.*)? u:object_r:system_file:s0
+/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
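Review bot: The `lib(64)?/hw` entry has no `(/.*)?` suffix, so only the hw directory itself becomes vendor_hal_file and the HAL implementations inside it stay vendor_file; that is consistent with the `vendor_hal_file:dir r_dir_perms` grant in domain.te but is easy to misread next to the egl entry just above, which labels the whole tree. Suggest `# HAL location: only the directory is labeled, the libraries inside remain vendor_file` in place of `# HAL location`. Worth noting in the same comment that the egl tree is same_process_hal_file, i.e. executable by every domain, so nothing but the EGL libraries should be installed there.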
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 5e756fc..d35cd3c 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -2,3 +2,4 @@
/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
+/system/bin/asan_extract u:object_r:asan_extract_exec:s0
diff --git a/private/property_contexts b/private/property_contexts
index c205e59..4c27b35 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -57,7 +57,6 @@
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
-persist.hal.binderization u:object_r:hal_binderization_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
@@ -112,3 +111,6 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot u:object_r:asan_reboot_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index a65cb01..943cdee 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index bab49c1..02e6101 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -31,7 +31,6 @@
# Write to properties
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
-set_prop(system_app, hal_binderization_prop)
set_prop(system_app, system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
diff --git a/private/system_server.te b/private/system_server.te
index e9ffa82..4302343 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -294,6 +294,9 @@
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
@@ -452,9 +455,6 @@
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
diff --git a/public/asan_extract.te b/public/asan_extract.te
new file mode 100644
index 0000000..6d0de6c
--- /dev/null
+++ b/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+
+ # We use asan.restore_reboot to signal a reboot is required.
+ set_prop(asan_extract, asan_reboot_prop)
+')
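Review bot: The file header says this moves an artifact from /data/ota to /data/dalvik-cache, but no rule below references an OTA or dalvik-cache type; what is granted is untarring into system_data_file, deleting and relabeling library directories that carry system_file (which, per file_contexts_asan in this diff, is the label of /data/asan/{system,vendor}/lib*), executing those libraries, and setting asan.restore_reboot. Suggest replacing the header with `# asan_extract: on ASAN builds, unpacks the sanitized libraries under /data/asan, removes the previous copies, restorecon's them to system_file and sets asan.restore_reboot to request a reboot.` The `system_data_file:file execute` rule deserves a note that it is the exception carved out of the domain.te execute neverallow and only exists under with_asan. Minor: `create_dir_perms ;` and `create_file_perms ;` carry a stray space before the semicolon.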
diff --git a/public/attributes b/public/attributes
index abb86d9..6bb8346 100644
--- a/public/attributes
+++ b/public/attributes
@@ -41,6 +41,9 @@
attribute data_file_type;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
# All vendor domains which violate the requirement of not accessing
# data outside /data/vendor.
# TODO(b/34980020): Remove this once there are no violations
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a..ee617a1 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
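Review bot: The comment says "Read all /vendor" but the rule covers only vendor_file and same_process_hal_file, not the vendor_file_type attribute, so vendor_app_file, vendor_framework_file and vendor_overlay_file are not included here (the full_treble_only block in domain.te grants those separately). Suggest `# Read vendor libraries (vendor_file, same_process_hal_file) so crashes in vendor code can be unwound and symbolized` — the purpose part is an inference from crash_dump's role and should be confirmed.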
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 6421d93..1d794e2 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -13,6 +13,9 @@
allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
diff --git a/public/domain.te b/public/domain.te
index 30b3a98..4fc3bc0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -102,6 +102,61 @@
allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file { getattr read };
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+# TODO: (b/36681074) - Remove after this is resolved
+# TODO: (b/36680116, b/36656392, b/36681210) All need directory
+# lookup to find / open their libraries
+full_treble_only(`
+ # Everyone needs to lookup libraries in /vendor/lib(64)
+ # through linker/loader.
+ allow domain vendor_file:dir { getattr search };
+
+ # TODO: b/36681210, find out who needs access and only allow
+ # specific domains for Treble
+ allow domain vendor_app_file:dir r_dir_perms;
+ allow domain vendor_app_file:file { read open getattr };
+
+ # Some apps (com.android.phone) need to be able to open
+ # symlinked libraries
+ # TODO: b/36806861
+ allow domain vendor_app_file:lnk_file { open read };
+
+ # TODO: b/36656392, find out who needs access and only allow
+ # specific domains.
+ allow domain vendor_overlay_file:dir r_dir_perms;
+ allow domain vendor_overlay_file:file { read open getattr };
+
+ # TODO: b/36680116, find out who neeeds access and only allow
+ # specific domains
+ allow domain vendor_framework_file:dir r_dir_perms;
+ allow domain vendor_framework_file:file { read open getattr };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
# read any sysfs symlinks
allow domain sysfs:lnk_file read;
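Review bot: `allow domain vendor_configs_file:file { read open getattr }` makes everything under /vendor/etc readable by every process type, app domains included (the execute neverallow further down subtracts `appdomain` from `domain`, so apps are in this set), and the comment does not record that consequence. Suggest `# All domains get read access to /vendor/etc. This includes untrusted and isolated app domains, so nothing confidential may be shipped there.` The same caveat applies to the full_treble_only grants on vendor_app_file, vendor_overlay_file and vendor_framework_file, which the TODOs already flag as too wide. Typos in the new comments: "doesn not" and "neeeds".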
@@ -300,13 +355,21 @@
neverallow {
domain
-appdomain
+ with_asan(`-asan_extract')
-dumpstate
-shell
userdebug_or_eng(`-su')
-system_server
-webview_zygote
-zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} {
+ file_type
+ -system_file
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
+
neverallow {
domain
-appdomain # for oemfs
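Review bot: Exempting the whole `vendor_file_type` attribute from the execute neverallow means vendor_configs_file (/vendor/etc), vendor_app_file and vendor_overlay_file can be made executable by any domain without a policy-build failure, and on non-Treble builds the `allow domain vendor_file_type:file execute` earlier in this file actually grants exactly that. If only libraries and HAL implementations are meant to be executable, the exemption could be narrowed to `-vendor_file -same_process_hal_file`, but that requires the non-Treble and `{ domain -coredomain }` execute allows to be narrowed in step, which may be more than this merge wants. At minimum a comment would record the debt: `# TODO: narrow -vendor_file_type to vendor_file / same_process_hal_file once the blanket execute grants above are scoped`. The second neverallow at the end of the hunk continues outside it.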
@@ -335,14 +398,22 @@
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
- { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+ domain
+ -recovery
+ with_asan(`-asan_extract')
+} {
+ system_file
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
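Review bot: The asan_extract exemption is applied to the whole `{ system_file vendor_file_type exec_type }` set, but the rules in public/asan_extract.te only write and relabel system_file (the /data/asan library copies carry that label per file_contexts_asan), so /vendor and exec_type do not need to lose their protection on ASAN builds. Splitting the two neverallows so the exemption is confined to system_file keeps the vendor and executable guarantees unconditional; this holds as long as asan_extract's rules stay limited to system_file, which is what is granted today. The one-line relabelto neverallow would also read better in the multi-line form used just above it.
```selinux
# Only recovery should be doing writes to /system & /vendor
neverallow { domain -recovery } { vendor_file_type exec_type }:dir_file_class_set
  { create write setattr relabelfrom append unlink link rename };
# asan_extract (ASAN builds only) rewrites the sanitized library copies
# under /data/asan, which carry the system_file label.
neverallow { domain -recovery with_asan(`-asan_extract') } system_file:dir_file_class_set
  { create write setattr relabelfrom append unlink link rename };

neverallow { domain -recovery -kernel } { vendor_file_type exec_type }:dir_file_class_set relabelto;
neverallow { domain -recovery -kernel with_asan(`-asan_extract') } system_file:dir_file_class_set relabelto;
# … unchanged: mounton neverallows …
```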
@@ -739,6 +810,7 @@
-system_app
-init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
+ with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
@@ -895,7 +967,7 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.
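Review bot: `~{ system_file vendor_file_type rootfs }` permits module_load from every /vendor label, including vendor_configs_file, vendor_app_file and vendor_overlay_file, which is wider than the "system, vendor, and boot partitions" intent requires. Modules placed under /vendor/lib(64) would carry vendor_file under the new file_contexts entries, so `neverallow * ~{ system_file vendor_file rootfs }:system module_load;` keeps the restriction as tight as it was for /system; a device that ships modules elsewhere in /vendor should get an explicit label rather than the whole attribute.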
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index aa6ec4e..9777753 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -71,7 +71,6 @@
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
@@ -86,14 +85,6 @@
-vold
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow {
- domain_deprecated
- -appdomain
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} system_file:file { ioctl lock }; # read open getattr in domain
')
# Read files already opened under /data.
diff --git a/public/file.te b/public/file.te
index f776ef6..6468d16 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,27 @@
# File types
type unlabeled, file_type;
+
# Default type for anything under /system.
type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
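Review bot: Two of the new type comments are unclear: "Default type for directories search for HAL implementations" and "Default type for under /vendor or /system/vendor". Suggest `# Type for the directories searched for HAL implementations (/vendor/lib(64)/hw itself; the libraries inside remain vendor_file)` and `# Default type for anything under /vendor or /system/vendor not matched by a more specific file_contexts entry`. The first clarification matters because the matching file_contexts entry has no `(/.*)?` suffix, and readers of file.te alone cannot tell that vendor_hal_file is a directory-only label.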
@@ -254,7 +273,6 @@
type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type;
type zygote_socket, file_type, coredomain_socket;
-type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 0d6dfe0..567b0be 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -3,3 +3,7 @@
# Allow sensor hals to access ashmem memory allocated by apps
allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 77074f4..20a7229 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,9 +2,6 @@
type hwservicemanager, domain, mlstrustedsubject;
type hwservicemanager_exec, exec_type, file_type;
-# serving android.hidl.manager@1.0 and android.hidl.token@1.0
-typeattribute hwservicemanager halserverdomain;
-
# Note that we do not use the binder_* macros here.
# hwservicemanager provides name service (aka context manager)
# for hwbinder.
diff --git a/public/init.te b/public/init.te
index 4af41ec..0deb8cd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -60,7 +60,7 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
@@ -127,6 +127,7 @@
-misc_logd_file
-system_app_data_file
-system_file
+ -vendor_file_type
}:dir { create search getattr open read setattr ioctl };
allow init {
@@ -138,6 +139,7 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
@@ -151,6 +153,7 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
@@ -163,6 +166,7 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -175,12 +179,13 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow init cache_file:lnk_file r_file_perms;
-allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
@@ -384,6 +389,7 @@
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
allow init proc_meminfo:file r_file_perms;
allow init system_data_file:file { getattr read };
diff --git a/public/mediametrics.te b/public/mediametrics.te
index ce2dab7..4c10d87 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -14,6 +14,9 @@
r_dir_file(mediametrics, cgroup)
allow mediametrics proc_meminfo:file r_file_perms;
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
###
### neverallow rules
###
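Review bot: The new `allow mediametrics app_data_file:file write;` is granted without `open`, so mediametrics can only write to app data file descriptors it is handed (the dumpsys case the comment appears to refer to), and that limit is the property worth documenting rather than "interactions with dumpsys to GMScore". Suggest `# Write to an already-open app_data_file fd passed in over binder (dumpsys output). Deliberately no open/read: mediametrics must not reach app data on its own.` The neverallow section that starts at the end of the hunk has its rules outside it; worth confirming none of them cover app_data_file.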
diff --git a/public/mediaserver.te b/public/mediaserver.te
index e9aa421..01cc4d8 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -67,9 +67,6 @@
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)
diff --git a/public/netd.te b/public/netd.te
index 81f4af4..3a48cd3 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,9 @@
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
r_dir_file(netd, proc_net)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;
@@ -80,6 +83,9 @@
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
###
### Neverallow rules
###
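Review bot: `nlmsg_write` on netlink_xfrm_socket lets netd install and delete kernel IPsec SAs and policies, and the comment "read and write netlink xfrm" does not say on whose behalf or where callers are authorized. Since the ipsec service added in service.te in this same change is reachable from app and ephemeral app domains, the per-caller check has to live in system_server's IpSecService; suggest `# netd programs kernel IPsec (xfrm) state on behalf of system_server's IpSecService; caller authorization happens there, since the service is exposed to app domains.` If no other domain is meant to speak xfrm, a neverallow confining netlink_xfrm_socket creation to netd (plus whatever debugging domains need it) would pin that down.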
diff --git a/public/property.te b/public/property.te
index a3f5a1e..d6fa868 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type asan_reboot_prop, property_type;
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
type bluetooth_prop, property_type;
@@ -43,7 +44,6 @@
type shell_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
-type hal_binderization_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
diff --git a/public/service.te b/public/service.te
index 9172353..96a692a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -81,6 +81,7 @@
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
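Review bot: ipsec_service is tagged ephemeral_app_api_service as well as app_api_service, so instant apps can `find` the service that ends up driving netd's new netlink_xfrm writes. That may be intended, but it widens a kernel-facing surface to instant apps; if they have no use for IPsec transforms, dropping the attribute is a one-word change: `type ipsec_service, app_api_service, system_server_service, service_manager_type;`. Either way the service-side permission check is what enforces per-caller limits, and a short comment here saying so would help the next reader.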
diff --git a/public/shell.te b/public/shell.te
index 7c3d8a1..cb1a086 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -64,8 +64,6 @@
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# hal binderization
-userdebug_or_eng(`set_prop(shell, hal_binderization_prop)')
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
diff --git a/public/te_macros b/public/te_macros
index 57a038a..bc67278 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -181,6 +181,8 @@
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
')
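Review bot: These two lines give `execute` on every vendor_file file to the whole HAL attribute `$2`, which after `typeattribute $1 $2` includes every client domain of that HAL — adbd via hal_client_domain(adbd, hal_graphics_allocator) in this same diff, for example — so core domains regain read/execute of all of /vendor that the full_treble_only block in domain.te withholds from coredomain. This cannot currently be tightened to the passthrough implementations because the libraries under /vendor/lib(64)/hw are still vendor_file (the file_contexts entry for hw has no `(/.*)?` suffix), but that debt should be recorded: `# TODO: narrow to the passthrough HAL libraries once /vendor/lib(64)/hw contents get a label of their own`. The identical addition in the next hunk would carry the same TODO. The macro's name and first lines are outside the hunk.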
#####################################
@@ -197,6 +199,8 @@
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
')
#####################################
@@ -282,13 +286,6 @@
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open };
allow hwservicemanager $1:process getattr;
-# TODO(b/34274385): hals wait for data to be mounted so they can
-# start only if persist.hal.binderization is enabled. (for dogfood
-# stability). getService must also check for data to be mounted
-# if the vintf promises the hal will be registered over hwbinder.
-get_prop($1, hal_binderization_prop)
-get_prop($1, persistent_properties_ready_prop)
-get_prop($1, vold_prop)
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
diff --git a/public/ueventd.te b/public/ueventd.te
index 512b019..8ec667e 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8c8e9a9..4d4e1f9 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -12,5 +12,8 @@
# Read all blocks in dm wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
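Review bot: set_prop on powerctl_prop grants writes to the whole power-control property (presumably sys.powerctl), i.e. shutdown and reboot to any target such as recovery or bootloader, not just "reboot the device" as the comment says. Suggest `# Allow update_verifier to write the powerctl property (reboot/shutdown, any target).` so the breadth of the grant is visible to whoever audits this domain later.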
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ea0ef29..5ccfab4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -33,6 +33,13 @@
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+
#############################
# Data files
#
diff --git a/vendor/tee.te b/vendor/tee.te
index 6278d4b..ad43b24 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -6,10 +6,6 @@
type tee_exec, exec_type, file_type;
init_daemon_domain(tee)
-# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
-# longer communicate with tee daemon over sockets
-typeattribute tee socket_between_core_and_vendor_violators;
-
allow tee self:capability { dac_override };
allow tee tee_device:chr_file rw_file_perms;
allow tee tee_data_file:dir rw_dir_perms;