Merge "credstore: Add missing permissions"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f13c23c..f706339 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -116,6 +116,7 @@
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
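Review bot: The new `"android.hardware.tetheroffload.IOffload/default"` entry opts the freshly registered AIDL service out of the fuzzer-presence check with `EXCEPTION_NO_FUZZER`, and nothing on the line records why or whether a fuzzer is planned. Since this commit is what first exposes the service through service_contexts, its parcel-parsing surface goes live with no fuzz coverage; a trailing note such as `// TODO: fuzzer for the tetheroffload AIDL HAL` (or whatever bug-reference convention the surrounding entries use, which is not visible in this hunk) would keep that gap tracked. The enclosing map literal starts and ends outside the hunk.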
diff --git a/private/artd.te b/private/artd.te
index c887258..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -31,8 +31,10 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
-r_dir_file(artd, apk_data_file)
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
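Review bot: The header comment still says "Read access to primary dex'es" while the rule that replaced `r_dir_file(artd, apk_data_file)` grants `rw_dir_perms create setattr relabelfrom` on every apk_data_file directory, i.e. write/add_name/remove_name plus chmod-style setattr and relabelling, so the comment now understates what artd can do under /data/app. Reword it to something like `# Read access to primary dex'es on writable partitions, plus write access to their directories so the "oat" subdirectory can be created, chmod'ed and relabelled before restorecon.` Note that `rw_dir_perms` also carries `remove_name`, which creating a directory does not need; worth confirming it is required, since apk_data_file covers every installed app's directory. The `relabelfrom` here presumably pairs with the `relabelto` added to dalvikcache_data_file in the next hunk.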
@@ -46,8 +48,8 @@
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-allow artd dalvikcache_data_file:dir create_dir_perms;
-allow artd dalvikcache_data_file:file create_file_perms;
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 11bff79..ede2284 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -8,6 +8,7 @@
adaptive_haptics_prop
apex_ready_prop
artd
+ bt_device
credential_service
device_config_camera_native_prop
device_config_memory_safety_native_prop
@@ -21,6 +22,7 @@
hal_cas_service
hal_remoteaccess_service
hal_secure_element_service
+ hal_tetheroffload_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
@@ -48,4 +50,6 @@
hal_confirmationui_service
hal_fastboot_service
hal_can_controller_service
+ zoned_block_device
+ future_pm_prop
))
diff --git a/private/coredomain.te b/private/coredomain.te
index 55f715d..96ce488 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -93,6 +93,8 @@
coredomain
-appdomain
-artd
+ -dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
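Review bot: The added `-dex2oat` and `-dexoptanalyzer` exclusions widen whatever coredomain neverallow this list belongs to, and the rule's header is outside the hunk, so the reader cannot see which access is being opened up; the same pair is added again in the second hunk of this file. In this diff only dex2oat gains a matching allow rule (`r_dir_file(dex2oat, vendor_overlay_file)` in dex2oat.te), while nothing here shows what dexoptanalyzer needs, so the dexoptanalyzer exclusion looks like it either relies on a rule elsewhere or is speculative. A short comment next to the two entries naming the vendor path they need, e.g. `# dex2oat/dexoptanalyzer read /vendor/overlay (see dex2oat.te)`, would make the exemption auditable; adjust the wording if dexoptanalyzer's need is different.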
@@ -112,6 +114,8 @@
coredomain
-appdomain
-artd
+ -dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
diff --git a/private/crosvm.te b/private/crosvm.te
index c682bb5..aae8323 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -16,7 +16,7 @@
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
@@ -74,6 +74,11 @@
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 2ce2459..ea9ab9c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -10,6 +10,8 @@
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
+# Access /vendor/overlay
+r_dir_file(dex2oat, vendor_overlay_file);
allow dex2oat tmpfs:file { read getattr map };
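Review bot: `r_dir_file(dex2oat, vendor_overlay_file);` carries a trailing semicolon that the other macro invocations in this diff omit (compare `r_dir_file(artd, vendor_app_file)` in artd.te); the macro already expands to complete `allow ...;` rules, so the extra `;` is at best a stray empty statement and at worst parser-dependent. Write it as `r_dir_file(dex2oat, vendor_overlay_file)` for consistency with the rest of the policy.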
@@ -59,6 +61,9 @@
# Allow dex2oat to use file descriptors passed from privileged programs.
allow dex2oat { artd installd odrefresh odsign }:fd use;
+# Allow dex2oat to read the /proc filesystem for CPU features, etc.
+allow dex2oat proc_filesystems:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
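Review bot: The comment on the new rule says it lets dex2oat "read the /proc filesystem for CPU features, etc.", but the type granted is `proc_filesystems`, which in Android's genfs_contexts labels only /proc/filesystems (the list of supported filesystem types), not /proc/cpuinfo or the rest of /proc. Either the comment or the type is wrong; if the intent is the filesystem list, reword to `# Allow dex2oat to read /proc/filesystems.`, and if CPU-feature detection is the goal the rule needs the type that labels that proc file instead, which this hunk does not show.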
diff --git a/private/file_contexts b/private/file_contexts
index 632e069..7ce80ae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -79,6 +79,7 @@
/dev/audio.* u:object_r:audio_device:s0
/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/by-name/zoned_device u:object_r:zoned_block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
@@ -373,7 +374,6 @@
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
@@ -493,6 +493,8 @@
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
diff --git a/private/property_contexts b/private/property_contexts
index f208e52..e8293c6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -592,21 +592,32 @@
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt.concurrency u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot.concurrency u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-ota.concurrency u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-mainline-update u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-mainline-update.concurrency u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.post-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt. u:object_r:future_pm_prop:s0 prefix
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
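Review bot: The rewrite drops the exact entry for `pm.dexopt.boot` (removed at the top of the hunk and not re-added), so that name now falls through to the new `pm.dexopt. u:object_r:future_pm_prop:s0 prefix` line and silently changes label from exported_pm_prop to future_pm_prop. Combined with the domain.te hunk in this commit (`neverallow ... future_pm_prop:property_service set` limited to init/dumpstate/vendor_init and `dontaudit domain future_pm_prop:file read`), any remaining setter or vendor reader of pm.dexopt.boot loses access without an audit record. If the property is intentionally retired, say so next to the prefix line, e.g. `# pm.dexopt.boot was removed; unlisted pm.dexopt.* names fall under future_pm_prop.`; if not, keep its exact entry. Exact entries above still take precedence over the prefix, so the listed names are unaffected.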
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index f49eb63..d5f8e3f 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,6 +8,9 @@
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
+# if rkpd is enabled, remote provisioner is a noop
+get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
+
allow remote_prov_app {
app_api_service
mediametrics_service
diff --git a/private/service_contexts b/private/service_contexts
index a144db1..8de1d42 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -91,6 +91,7 @@
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 26c781b..91e9aba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -49,6 +49,9 @@
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;
+# Access the secure heap.
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/public/device.te b/public/device.te
index 1bb386f..ead7fbc 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
type block_device, dev_type;
+type bt_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
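Review bot: `type bt_device, dev_type;` is the only new type in this file without a descriptive comment (the second hunk's `zoned_block_device` gets one), and nothing in this diff assigns the bt_device label to any device node — its only consumer is the `bt_device:chr_file { open read write }` rule in vendor/hal_bluetooth_default.te. Presumably a device-specific file_contexts labels the HCI node; a one-line comment such as `# Bluetooth HCI device node; labelled by device-specific file_contexts.` would record that and match the neighbouring declarations.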
@@ -94,6 +95,9 @@
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
+# Zoned block device.
+type zoned_block_device, dev_type;
+
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 79e62d0..56c3142 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -537,6 +537,14 @@
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')
+# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
+
+# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
+# old platforms shouldn't be regarded as a problem.
+dontaudit domain future_pm_prop:file read;
+
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
neverallow { domain -init } userdebug_or_eng_prop:property_service set;
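Review bot: The two new future_pm_prop neverallows exclude `dumpstate` alongside init and vendor_init, and the comment above them ("New pm.dexopt. sysprops should be explicitly listed as exported_pm_prop") does not say why a bug-report collector needs to set or write these properties. A one-line reason next to the rules, e.g. `# dumpstate is excluded because: <reason to be filled in>`, would keep the exemption reviewable; if dumpstate only reads them, drop `-dumpstate` from the set rule. The `dontaudit domain future_pm_prop:file read` is domain-wide, so it also hides reads by domains that should never touch pm.dexopt.*; that is consistent with the stated intent but worth saying explicitly in the comment.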
diff --git a/public/e2fs.te b/public/e2fs.te
index 20f70d9..8dcf0cc 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -8,6 +8,7 @@
allow e2fs userdata_block_device:blk_file rw_file_perms;
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
+allow e2fs zoned_block_device:blk_file rw_file_perms;
allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
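Review bot: The new `allow e2fs zoned_block_device:blk_file rw_file_perms;` is not added to the `allowxperm` target set on the following line, so, because no allowxperm rule constrains that target, every ioctl covered by the `ioctl` permission is allowed on the zoned device while userdata/metadata/dm devices stay limited to the listed commands (which already include BLKREPORTZONE and BLKRESETZONE, the zone ioctls a zoned device would actually need). Change the target set to `allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {` so the new device gets the same least-privilege ioctl list. The fsck.te and vold.te hunks in this commit grant the same `rw_file_perms`; their allowxperm rules (vold's per-target BLKSECDISCARD is visible, fsck's is outside the hunk) should be checked for the same omission.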
diff --git a/public/fsck.te b/public/fsck.te
index 4fb3817..1a74ba8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -17,6 +17,7 @@
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+allow fsck zoned_block_device:blk_file rw_file_perms;
userdebug_or_eng(`
allow fsck system_block_device:blk_file rw_file_perms;
')
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 7ef27113..35a19de 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -11,6 +11,9 @@
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
+# Access the secure heap
+allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index cf51723..c9553dc 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -3,6 +3,9 @@
binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+hal_attribute_service(hal_tetheroffload, hal_tetheroffload_service)
+
+binder_use(hal_tetheroffload_server)
# allow the client to pass the server already open netlink sockets
allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/property.te b/public/property.te
index c0a3a6e..346cd77 100644
--- a/public/property.te
+++ b/public/property.te
@@ -208,6 +208,7 @@
system_public_prop(exported_bluetooth_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
+system_public_prop(future_pm_prop)
system_public_prop(ffs_control_prop)
system_public_prop(framework_status_prop)
system_public_prop(gesture_prop)
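Review bot: `system_public_prop(future_pm_prop)` is inserted between exported_pm_prop and ffs_control_prop, breaking the alphabetical order the surrounding entries follow ("fu" sorts after "fr"). Move it to after `system_public_prop(framework_status_prop)` so the list stays sorted.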
diff --git a/public/service.te b/public/service.te
index 443a4f7..154ebb9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -314,6 +314,7 @@
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 41f95d3..209bf49 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -227,6 +227,9 @@
allow vold userdata_block_device:blk_file rw_file_perms;
allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+# Access zoned block device.
+allow vold zoned_block_device:blk_file rw_file_perms;
+
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b21302c..f167e65 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -17,6 +17,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
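Review bot: The new `android\.hardware\.bluetooth-service.default` entry leaves the dot before `default` unescaped, unlike every neighbouring pattern (`-service\.btlinux`, `-service\.example`), so in file_contexts' regex syntax it matches any single character rather than a literal `.`. Escape it: `/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service\.default u:object_r:hal_bluetooth_default_exec:s0`.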
@@ -96,6 +97,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 01d60db..efa75a7 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,8 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
+allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
+
type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bluetooth_default)
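Review bot: The two new allow rules are inserted between `hal_server_domain(...)` and the `type hal_bluetooth_default_exec` declaration, splitting the domain/exec type declarations that the rest of this file (and the other vendor .te files in this diff) keep together at the top. Move them below `init_daemon_domain(hal_bluetooth_default)` with a short header, e.g. `# HCI device node and raw Bluetooth sockets for the default HAL.`, so the declarations stay grouped and the access is explained.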