Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it."
diff --git a/README b/README
deleted file mode 100644
index f14ac67..0000000
--- a/README
+++ /dev/null
@@ -1,114 +0,0 @@
-This directory contains the core Android SELinux policy configuration.
-It defines the domains and types for the AOSP services and apps common to
-all devices. Device-specific policy should be placed under a
-separate device/<vendor>/<board>/sepolicy subdirectory and linked
-into the policy build as described below.
-
-Policy Generation:
-
-Additional, per device, policy files can be added into the
-policy build. These files should have each line including the
-final line terminated by a newline character (0x0A). This
-will allow files to be concatenated and processed whenever
-the m4(1) macro processor is called by the build process.
-Adding the newline will also make the intermediate text files
-easier to read when debugging build failures. The sets of file,
-service and property contexts files will automatically have a
-newline inserted between each file as these are common failure
-points.
-
-These device policy files can be configured through the use of
-the BOARD_VENDOR_SEPOLICY_DIRS variable. This variable should be set
-in the BoardConfig.mk file in the device or vendor directories.
-
-BOARD_VENDOR_SEPOLICY_DIRS contains a list of directories to search
-for additional policy files. Order matters in this list.
-For example, if you have 2 instances of widget.te files in the
-BOARD_VENDOR_SEPOLICY_DIRS search path, then the first one found (at the
-first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
-will help sort out ordering issues.
-
-Example BoardConfig.mk Usage:
-From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-
-Alongside vendor sepolicy dirs, OEMs can also amend the public and private
-policy of the product and system_ext partitions:
-
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
-
-The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-variables have been deprecated in favour of SYSTEM_EXT_*.
-
-Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
-definitions during the build. A definition consists of a string in the form
-of macro-name=value. Spaces must NOT be present. This is useful for building modular
-policies, policy generation, conditional file paths, etc. It is supported in
-the following file types:
- * All *.te and SE Linux policy files as passed to checkpolicy
- * file_contexts
- * service_contexts
- * property_contexts
- * keys.conf
-
-Example BoardConfig.mk Usage:
-BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
- btdevice=/dev/gps
-
-SPECIFIC POLICY FILE INFORMATION
-
-mac_permissions.xml:
- ABOUT:
- The mac_permissions.xml file is used for controlling the mmac solutions
- as well as mapping a public base16 signing key with an arbitrary seinfo
- string. Details of the files contents can be found in a comment at the
- top of that file. The seinfo string, previously mentioned, is the same string
- that is referenced in seapp_contexts.
-
- It is important to note the final processed version of this file
- is stripped of comments and whitespace. This is to preserve space on the
- system.img. If one wishes to view it in a more human friendly format,
- the "tidy" or "xmllint" command will assist you.
-
- TOOLING:
- insertkeys.py
- Is a helper script for mapping arbitrary tags in the signature stanzas of
- mac_permissions.xml to public keys found in pem files. This script takes
- a mac_permissions.xml file(s) and configuration file in order to operate.
- Details of the configuration file (keys.conf) can be found in the subsection
- keys.conf. This tool is also responsible for stripping the comments and
- whitespace during processing.
-
- keys.conf
- The keys.conf file is used for controlling the mapping of "tags" found in
- the mac_permissions.xml signature stanzas with actual public keys found in
- pem files. The configuration file is processed via m4.
-
- The script allows for mapping any string contained in TARGET_BUILD_VARIANT
- with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
- user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
- any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
- and all options are matched lowercase. The options are "tolowered" automatically
- for the user, it is convention to specify tags and options in all uppercase
- and tags start with @. The option arguments can also use environment variables
- via the familiar $VARIABLE syntax. This is often useful for setting a location
- to ones release keys.
-
- Often times, one will need to integrate an application that was signed by a separate
- organization and may need to extract the pem file for the insertkeys/keys.conf tools.
- Extraction of the public key in the pem format is possible via openssl. First you need
- to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
- openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
- On some occasions CERT.RSA has a different name, and you will need to adjust for that.
- After extracting the pem, you can rename it, and configure keys.conf and
- mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
- editor and strip out anything outside the opening and closing scissor lines. Failure to do
- so WILL cause a compile time issue thrown by insertkeys.py
-
- NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
- and setool all use base16 encodings.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..16d7e45
--- /dev/null
+++ b/README.md
@@ -0,0 +1,117 @@
+# Android SEPolicy
+
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate `device/<vendor>/<board>/sepolicy` subdirectory and linked
+into the policy build as described below.
+
+## Policy Generation
+
+Additional, per device, policy files can be added into the
+policy build. These files should have each line including the
+final line terminated by a newline character (`0x0A`). This
+will allow files to be concatenated and processed whenever
+the `m4`(1) macro processor is called by the build process.
+Adding the newline will also make the intermediate text files
+easier to read when debugging build failures. The sets of file,
+service and property contexts files will automatically have a
+newline inserted between each file as these are common failure
+points.
+
+These device policy files can be configured through the use of
+the `BOARD_VENDOR_SEPOLICY_DIRS` variable. This variable should be set
+in the BoardConfig.mk file in the device or vendor directories.
+
+`BOARD_VENDOR_SEPOLICY_DIRS` contains a list of directories to search
+for additional policy files. Order matters in this list.
+For example, if you have 2 instances of widget.te files in the
+`BOARD_VENDOR_SEPOLICY_DIRS` search path, then the first one found (at the
+first search dir containing the file) will be concatenated first.
+Reviewing `out/target/product/<device>/obj/ETC/vendor_sepolicy.conf_intermediates/vendor_sepolicy.conf`
+will help sort out ordering issues.
+
+Example `BoardConfig.mk` Usage:
+From the Tuna device `BoardConfig.mk`, `device/samsung/tuna/BoardConfig.mk`
+
+ BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+ SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+ PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR`
+variables have been deprecated in favour of `SYSTEM_EXT_*`.
+
+Additionally, OEMs can specify `BOARD_SEPOLICY_M4DEFS` to pass arbitrary `m4`
+definitions during the build. A definition consists of a string in the form
+of `macro-name=value`. Spaces must **NOT** be present. This is useful for building modular
+policies, policy generation, conditional file paths, etc. It is supported in
+the following file types:
+* All `*.te` and SELinux policy files as passed to `checkpolicy`
+* `file_contexts`
+* `service_contexts`
+* `property_contexts`
+* `keys.conf`
+
+Example BoardConfig.mk Usage:
+
+ BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
+ btdevice=/dev/gps
+
+## SPECIFIC POLICY FILE INFORMATION
+
+### mac_permissions.xml
+The `mac_permissions.xml` file is used for controlling the mmac solutions
+as well as mapping a public base16 signing key with an arbitrary seinfo
+string. Details of the files contents can be found in a comment at the
+top of that file. The seinfo string, previously mentioned, is the same string
+that is referenced in seapp_contexts.
+
+It is important to note the final processed version of this file
+is stripped of comments and whitespace. This is to preserve space on the
+system.img. If one wishes to view it in a more human friendly format,
+the `tidy` or `xmllint` command will assist you.
+
+### insertkeys.py
+Is a helper script for mapping arbitrary tags in the signature stanzas of
+`mac_permissions.xml` to public keys found in pem files. This script takes
+a `mac_permissions.xml` file(s) and configuration file in order to operate.
+Details of the configuration file (`keys.conf`) can be found in the subsection
+keys.conf. This tool is also responsible for stripping the comments and
+whitespace during processing.
+
+### keys.conf
+The `keys.conf` file is used for controlling the mapping of "tags" found in
+the `mac_permissions.xml` signature stanzas with actual public keys found in
+pem files. The configuration file is processed via `m4`.
+
+The script allows for mapping any string contained in `TARGET_BUILD_VARIANT`
+with specific path to a pem file. Typically `TARGET_BUILD_VARIANT` is either
+user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
+any string specified in `TARGET_BUILD_VARIANT`. All tags are matched verbatim
+and all options are matched lowercase. The options are **tolowered** automatically
+for the user, it is convention to specify tags and options in all uppercase
+and tags start with @. The option arguments can also use environment variables
+via the familiar `$VARIABLE` syntax. This is often useful for setting a location
+to ones release keys.
+
+Often times, one will need to integrate an application that was signed by a separate
+organization and may need to extract the pem file for the `insertkeys/keys.conf` tools.
+Extraction of the public key in the pem format is possible via `openssl`. First you need
+to unzip the apk, once it is unzipped, `cd` into the `META_INF` directory and then execute
+
+ openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
+
+On some occasions `CERT.RSA` has a different name, and you will need to adjust for that.
+After extracting the pem, you can rename it, and configure `keys.conf` and
+`mac_permissions.xml` to pick up the change. You **MUST** open the generated pem file in a text
+editor and strip out anything outside the opening and closing scissor lines. Failure to do
+so **WILL** cause a compile time issue thrown by insertkeys.py
+
+**NOTE:** The pem files are base64 encoded and `PackageManagerService`, `mac_permissions.xml`
+ and `setool` all use base16 encodings.
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index c56f05e..0545744 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -26,9 +26,7 @@
# allow apkdmverity to access loop devices
allow apkdmverity loop_device:blk_file rw_file_perms;
allowxperm apkdmverity loop_device:blk_file ioctl {
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_DIRECT_IO
+ LOOP_CONFIGURE
};
# allow apkdmverity to log to the kernel
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 4f7a0ff..83eceb0 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -103,6 +103,7 @@
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/tombstone_transmit.microdroid u:object_r:tombstone_transmit_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 06d4fa6..46cdb7d 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -40,3 +40,5 @@
# Logd sets defaults if certain properties are empty.
set_prop(logd, logd_prop)
+
+dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index bf344ac..21731cc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -56,10 +56,11 @@
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
+set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Allow microdroid_manager to wait for linkerconfig to be ready
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 3c80273..68d6df5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -26,6 +26,7 @@
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
@@ -92,6 +93,7 @@
ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
new file mode 100644
index 0000000..588ebff
--- /dev/null
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -0,0 +1,8 @@
+type tombstone_transmit, domain, coredomain;
+type tombstone_transmit_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(tombstone_transmit)
+
+r_dir_file(tombstone_transmit, tombstone_data_file)
+
+allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index d00a618..f85ba76 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -22,6 +22,7 @@
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
+type ctl_tombstone_transmit_prop, property_type;
type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index c86f862..002fb14 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -1,38 +1,8 @@
-# TODO(jiyong): clean this up
#############################
# Vendor files
#
(/.*)? u:object_r:vendor_file:s0
-/bin/sh u:object_r:vendor_shell_exec:s0
-/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/etc(/.*)? u:object_r:vendor_configs_file:s0
-/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
-/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
-
-/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/manifest\.xml u:object_r:vendor_configs_file:s0
-/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-/app(/.*)? u:object_r:vendor_app_file:s0
-/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
-/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/private/adbd.te b/private/adbd.te
index c5c5cc2..48fa849 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -129,6 +129,7 @@
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd gpu_device:dir r_dir_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
diff --git a/private/app.te b/private/app.te
index 436af5a..5570544 100644
--- a/private/app.te
+++ b/private/app.te
@@ -302,6 +302,9 @@
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+
# Use the Binder.
binder_use(appdomain)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 5522e32..d548e80 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -15,7 +15,7 @@
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set { create_file_perms link };
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
@@ -36,6 +36,9 @@
# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:dir r_dir_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index f0888a7..2be7f88 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -11,3 +11,4 @@
# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;
+allow bpfdomain fs_bpf:dir search;
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..083c213 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -25,9 +25,9 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server system_server capability b/228030183
system_server zygote process b/77856826
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 2be3c9e..96d7dbd 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -4,3 +4,6 @@
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;
diff --git a/private/clatd.te b/private/clatd.te
index 57eee78..1f21d69 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,10 +4,10 @@
net_domain(clatd)
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:packet_socket { read write };
-allow clatd netd:rawip_socket { read write };
+# Access objects inherited from system_server.
+allow clatd system_server:fd use;
+allow clatd system_server:packet_socket { read write };
+allow clatd system_server:rawip_socket { read write };
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 6f3049b..d29a3d3 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adservices_manager_service
apexd_select_prop
artd_service
attestation_verification_service
@@ -13,6 +14,7 @@
charger_vendor
cloudsearch
cloudsearch_service
+ connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
dice_maintenance_service
@@ -25,6 +27,7 @@
extra_free_kbytes
extra_free_kbytes_exec
fs_bpf_vendor
+ game_mode_intervention_list_file
gesture_prop
gwp_asan_prop
hal_contexthub_service
@@ -63,6 +66,8 @@
smart_idle_maint_enabled_prop
snapuserd_proxy_socket
sysfs_fs_fuse_bpf
+ sysfs_gpu
+ sysfs_lru_gen_enabled
system_dlkm_file
tare_service
tv_iapp_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 26b1df3..167ad2f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -32,7 +32,7 @@
apk_data_file
app_data_file
apex_compos_data_file
- userdebug_or_eng(`shell_data_file')
+ shell_data_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -63,6 +63,9 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+# For ACPI
+allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
@@ -81,15 +84,14 @@
}:file *;
')
-# app_data_file (and shell_data_file for debuggable builds) is the only
-# app_data_file_type that is allowed for crosvm to read. Note that the use of
-# app_data_file is allowed only for the instance disk image. This is enforced
-# inside the virtualizationservice by checking the file context of all disk
-# image files.
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
neverallow crosvm {
app_data_file_type
-app_data_file
- userdebug_or_eng(`-shell_data_file')
+ -shell_data_file
}:file read;
# Only virtualizationservice can run crosvm
diff --git a/private/file.te b/private/file.te
index 54d6df6..5a843f9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -76,6 +76,9 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/odsign_metrics
+type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/virtualizationservice
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e2ffbc0..b4f42cf 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -527,6 +527,7 @@
/data/(.*)? u:object_r:system_data_file:s0
/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
+/data/system/game_mode_intervention\.list u:object_r:game_mode_intervention_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
@@ -622,6 +623,7 @@
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
+/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
@@ -700,6 +702,8 @@
/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 69ff58c..54ecd45 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -12,6 +12,7 @@
set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_mglru_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
@@ -22,6 +23,7 @@
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ca64733..1c604fc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,6 +123,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -162,6 +163,7 @@
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index a05f3de..114c184 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -129,7 +129,7 @@
allow gmscore_app cache_file:lnk_file r_file_perms;
# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
+allow gmscore_app ota_package_file:dir create_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
# Write the checkin metadata to /data/misc_ce/<userid>/checkin
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 35167d5..76a2370 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -54,7 +54,6 @@
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
-allow gpuservice fs_bpf:dir search;
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0d90756..828ffb1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
@@ -72,7 +72,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
diff --git a/private/keystore.te b/private/keystore.te
index 838712f..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -17,6 +17,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/lmkd.te b/private/lmkd.te
index 13828a4..51d6204 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,6 @@
# Get persist.device_config.lmk_native.* properties.
get_prop(lmkd, device_config_lmkd_native_prop)
-allow lmkd fs_bpf:dir search;
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index bcbbfcc..a9a52bb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -59,12 +59,12 @@
get_prop(mediaprovider_app, drm_service_config_prop)
-allow mediaprovider_app gpu_device:dir search;
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
+allow mediaprovider_app gpu_device:dir r_dir_perms;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
-allow mediaprovider_app fs_bpf:dir search;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 817416d..829d948 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -42,7 +42,8 @@
# Allow mediatranscoding to access the DMA-BUF system heap
allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediatranscoding gpu_device:dir search;
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
+allow mediatranscoding gpu_device:dir r_dir_perms;
# Allow mediatranscoding service to access media-related system properties
get_prop(mediatranscoding, media_config_prop)
diff --git a/private/netd.te b/private/netd.te
index 10ba20e..30dcd08 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,13 +6,6 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-# Allow netd to start clatd in its own domain and kill it
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-# Allow netd to setup packet socket and pass to clatd
-allow netd self:packet_socket { bind create setopt };
-
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 06aadc2..af0360f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,6 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
allow netutils_wrapper fs_bpf:file { read write };
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/odsign.te b/private/odsign.te
index 86a0a6b..f06795c 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -13,6 +13,10 @@
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;
+# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
+allow odsign odsign_metrics_file:dir rw_dir_perms;
+allow odsign odsign_metrics_file:file create_file_perms;
+
# Create and use pty created by android_fork_execvp().
create_pty(odsign)
@@ -61,5 +65,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 2f7d512..63081bf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,6 +3,7 @@
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
+system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
@@ -31,6 +32,7 @@
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
@@ -45,7 +47,9 @@
system_internal_prop(virtualizationservice_prop)
# Properties which can't be written outside system
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(system_user_mode_emulation_prop)
###
### Neverallow rules
@@ -118,6 +122,7 @@
-restorecon_prop
-shell_prop
-system_prop
+ -system_user_mode_emulation_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
@@ -612,6 +617,13 @@
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
+ # Only init and the remote provisioner can set the ro.remote_provisioning.* props
+ domain
+ -init
+ -remote_prov_app
+} remote_prov_prop:property_service set;
+
+neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index e81ceb1..6e694ed 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -57,6 +57,7 @@
persist.nfc. u:object_r:nfc_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+persist.debug.user_mode_emulation u:object_r:system_user_mode_emulation_prop:s0
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -255,12 +256,16 @@
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+# MGLRU experiment prop
+persist.device_config.mglru_native.lru_gen_config u:object_r:device_config_mglru_native_prop:s0 exact enum none core core_and_mm_walk core_and_nonleaf_young all
+
# MM Events config props
persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
@@ -480,6 +485,8 @@
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -1253,6 +1260,10 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+# Allows a device to run without batch attestation keys
+remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..43b69d2 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,7 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+set_prop(remote_prov_app, remote_prov_prop)
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 782bb46..b18b7dd 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -21,6 +21,7 @@
auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
allow sdk_sandbox trust_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
@@ -85,3 +86,5 @@
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index c7f8811..ee5b6a9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
@@ -73,6 +75,7 @@
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
@@ -134,6 +137,7 @@
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
+connectivity_native u:object_r:connectivity_native_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
diff --git a/private/shell.te b/private/shell.te
index 2ddd7bc..c20e612 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -85,6 +85,7 @@
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
+allow shell dex2oat_exec:lnk_file read;
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index bc7543b..123fc69 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -38,6 +38,8 @@
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_gpu:file r_file_perms;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
@@ -72,9 +74,13 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Needed to register as a Perfetto producer.
+# Allow userspace tracing via perfetto.
perfetto_producer(surfaceflinger)
+# Allow to be profiled by performance tools.
+can_profile_heap(surfaceflinger)
+can_profile_perf(surfaceflinger)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_app.te b/private/system_app.te
index 77cca3d..01956f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,6 +176,10 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index a927a83..a2645d2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -221,6 +221,11 @@
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;
+# Read metric file & upload to statsd
+allow system_server odsign_data_file:dir search;
+allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
+allow system_server odsign_metrics_file:file { r_file_perms unlink };
+
# Read /sys/kernel/debug/wakeup_sources.
no_debugfs_restriction(`
allow system_server debugfs_wakeup_sources:file r_file_perms;
@@ -446,6 +451,8 @@
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
@@ -472,6 +479,7 @@
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
+allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;
@@ -707,6 +715,7 @@
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
@@ -725,6 +734,7 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
@@ -735,6 +745,7 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
@@ -1134,12 +1145,15 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
+# Allow system_server to start clatd in its own domain and kill it.
+domain_auto_trans(system_server, clatd_exec, clatd)
+allow system_server clatd:process signal;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
@@ -1227,8 +1241,8 @@
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
+# transitioning to the crash_dump domain when a crash occurs or fork clatd.
+neverallow system_server { domain -clatd -crash_dump }:process transition;
neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.
@@ -1260,6 +1274,7 @@
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
+ device_config_mglru_native_prop
device_config_storage_native_boot_prop
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fb..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 730a45c..66d5ac4 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -43,6 +43,9 @@
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
+# Allow to read game_mode_intervention.list file.
+allow traced_probes game_mode_intervention_list_file:file r_file_perms;
+
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
@@ -144,6 +147,7 @@
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
+ -game_mode_intervention_list_file
}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 05e1664..c369a90 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -70,6 +70,13 @@
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
neverallow {
domain
-init
diff --git a/private/vold.te b/private/vold.te
index 1ad1f43..cb7b1bc 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -24,7 +24,6 @@
get_prop(vold, incremental_prop);
get_prop(vold, gsid_prop);
-set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
diff --git a/public/bootanim.te b/public/bootanim.te
index 88fe173..9c7a0ee 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -13,6 +13,8 @@
hwbinder_use(bootanim)
allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
allow bootanim oemfs:dir search;
diff --git a/public/device.te b/public/device.te
index 4ca8a6f..1bb386f 100644
--- a/public/device.te
+++ b/public/device.te
@@ -79,36 +79,35 @@
type frp_block_device, dev_type;
# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type system_block_device, dev_type;
# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type recovery_block_device, dev_type;
# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
# Block device for any swap partition.
type swap_block_device, dev_type;
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Metadata block device mounted on /metadata, used for encryption metadata and
+# various other purposes.
+# Documented at https://source.android.com/devices/bootloader/partitions
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 871403a..2c75f30 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -188,6 +188,7 @@
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
# logd access
read_logd(dumpstate)
diff --git a/public/file.te b/public/file.te
index 3c8fcc7..9d333f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -106,6 +106,7 @@
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
+type sysfs_gpu, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
@@ -115,6 +116,7 @@
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
@@ -301,6 +303,7 @@
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
+type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d1970b9..52caa00 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -7,6 +7,8 @@
allow hal_audio ion_device:chr_file r_file_perms;
+binder_call(hal_audio_server, servicemanager)
+
r_dir_file(hal_audio, proc)
r_dir_file(hal_audio, proc_asound)
allow hal_audio_server audio_device:dir r_dir_perms;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index b6d5d92..7ef27113 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -7,6 +7,7 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator gpu_device:dir r_dir_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 3dbc1d8..e99d45f 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -15,6 +15,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
diff --git a/public/hal_health.te b/public/hal_health.te
index a31da4d..5d7aff5 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -28,7 +28,6 @@
allow hal_health_server self:capability2 wake_alarm;
# Use bpf programs
-allow hal_health_server fs_bpf:dir search;
allow hal_health_server fs_bpf_vendor:dir search;
allow hal_health_server fs_bpf_vendor:file read;
allow hal_health_server bpfloader:bpf prog_run;
diff --git a/public/init.te b/public/init.te
index 5139038..8dcdd33 100644
--- a/public/init.te
+++ b/public/init.te
@@ -144,7 +144,7 @@
# /metadata
allow init metadata_file:dir mounton;
-# Use tmpfs as /data, used for booting when /data is encrypted
+# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
@@ -423,6 +423,7 @@
sysfs_power
sysfs_fs_f2fs
sysfs_dm
+ sysfs_lru_gen_enabled
}:file w_file_perms;
allow init {
diff --git a/public/installd.te b/public/installd.te
index 84ef1fd..46796af 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,13 +13,6 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 0275532..621b6d7 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -33,6 +33,7 @@
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver { sdcard_type fuse }:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 5726842..edbab03 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -25,3 +25,5 @@
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;
diff --git a/public/netd.te b/public/netd.te
index 899df88..64b4c7d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,7 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
diff --git a/public/service.te b/public/service.te
index 4583186..0fd2360 100644
--- a/public/service.te
+++ b/public/service.te
@@ -61,6 +61,7 @@
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
+type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -89,6 +90,7 @@
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -161,7 +163,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type nearby_service, system_api_service, system_server_service, service_manager_type;
+type nearby_service, app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index e70c5d3..58d04b4 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Suppress errors generate during bugreport
+dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
# This domain may not use userfaultfd anon_inodes created by other domains.
diff --git a/public/vdc.te b/public/vdc.te
index e638e50..dfe6888 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -1,6 +1,6 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
+# vdc is a helper program for making Binder calls to vold. It is spawned from
+# init for various reasons, such as initializing file-based encryption and
+# metadata encryption, and managing userdata checkpointing.
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
diff --git a/public/vold.te b/public/vold.te
index c8ff749..b0fb6d0 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -168,17 +168,9 @@
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
+# Mount and unmount filesystems.
allow vold labeledfs:filesystem { mount unmount remount };
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold {
system_data_file
@@ -210,7 +202,7 @@
allow vold fusectlfs:file rw_file_perms;
allow vold fusectlfs:dir rw_dir_perms;
-# Handle wake locks (used for device encryption)
+# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
# Allow vold to publish a binder service and make binder calls.
@@ -221,9 +213,6 @@
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
# talk to health storage HAL
hal_client_domain(vold, hal_health_storage)
@@ -272,7 +261,7 @@
allow vold app_fuse_file:dir rw_dir_perms;
allow vold app_fuse_file:file { read write open getattr append };
-# MoveTask.cpp executes cp and rm
+# MoveStorage.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
@@ -338,7 +327,6 @@
neverallow vold {
domain
-hal_health_storage_server
- -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index e221eae..c8d5b46 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -77,6 +77,8 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
+
# TODO(b/214336258): move to Soong
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 0cfb7cf..5a8d0aa 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 5bc4a61..b0912d4 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -9,3 +9,6 @@
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
allow hal_camera_default dumpstate:fifo_file write;
+
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:dir r_dir_perms;
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 176d611..59d6c39 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -14,6 +14,10 @@
# allow to use automotive display service
binder_call(hal_evs_default, automotive_display_service_server)
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+allow hal_evs_default fwk_automotive_display_service:service_manager find;
+
+# allow to use hidl token service to retrieve HGBP object
+allow hal_evs_default hidl_token_hwservice:hwservice_manager find;
# allow to access data from surfaceflinger
allow hal_evs_default surfaceflinger:fd use;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index b6b9e09..7c08468 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -30,3 +30,6 @@
# policy. This is dontaudited here to avoid conditional
# device-specific behavior in wpa_supplicant.
dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
+
+# Allow wpa supplicant to access Netlink Interceptor
+hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 8587e12..84f2421 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -17,6 +17,7 @@
hal_client_domain(mediacodec, hal_graphics_allocator)
allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
diff --git a/vendor/tee.te b/vendor/tee.te
index 4b2e6c7..323c7e8 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -6,7 +6,7 @@
allow tee self:global_capability_class_set { dac_override };
allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:dir create_dir_perms;
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms_no_ioctl;
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;