Merge "Add tests for merged {hw,}service_context files" into maindiff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index dab020e..726bbbc 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -184,6 +184,7 @@
"android.security.metrics": EXCEPTION_NO_FUZZER,
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
+ "android.system.microfuchsiad": EXCEPTION_NO_FUZZER,
// TODO(b/294158658): add fuzzer
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": []string{"virtualizationmanager_fuzzer"},
@@ -391,7 +392,7 @@
"procstats": EXCEPTION_NO_FUZZER,
"profcollectd": EXCEPTION_NO_FUZZER,
"profiling_service": EXCEPTION_NO_FUZZER,
- "protolog": EXCEPTION_NO_FUZZER,
+ "protolog_configuration": EXCEPTION_NO_FUZZER,
"radio.phonesubinfo": EXCEPTION_NO_FUZZER,
"radio.phone": EXCEPTION_NO_FUZZER,
"radio.sms": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index cf74619..3e95ff8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -1301,6 +1301,11 @@
/mnt/product mnt_product_file
/mnt/product/test mnt_product_file
+
+/mnt/scratch_ota_metadata_super ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota/snapshots ota_metadata_file
+
/system/bin/check_dynamic_partitions postinstall_exec
/product/bin/check_dynamic_partitions postinstall_exec
/system/bin/otapreopt_script postinstall_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 93f4ddc..3dc73e5 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -22,6 +22,7 @@
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
+ "RELEASE_AVF_ENABLE_MICROFUCHSIA",
"RELEASE_READ_FROM_NEW_STORAGE",
"RELEASE_SUPERVISION_SERVICE",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
diff --git a/private/adbd.te b/private/adbd.te
index c852038..154a04c 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -216,8 +216,7 @@
allow adbd shell:fd use;
# Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
+r_dir_file(adbd, vendor_apex_file)
# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index d49be64..394d3b7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -883,6 +883,12 @@
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
/metadata/aconfig_test_missions(/.*)? u:object_r:aconfig_test_mission_files:s0
+############################
+# mount point for ota metadata
+/mnt/scratch_ota_metadata_super(/.*)? u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota(/.*)? u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota/snapshots(/.*)? u:object_r:ota_metadata_file:s0
+
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index f938ad5..90194f9 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -112,11 +112,6 @@
allow gmscore_app recovery_service:service_manager find;
allow gmscore_app stats_service:service_manager find;
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
# Write to /cache.
allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
diff --git a/private/hal_fingerprint.te b/private/hal_fingerprint.te
index 29abe4f..a1d68be 100644
--- a/private/hal_fingerprint.te
+++ b/private/hal_fingerprint.te
@@ -10,8 +10,8 @@
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
-allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+allow { hal_fingerprint -coredomain } fingerprint_vendor_data_file:file { create_file_perms };
+allow { hal_fingerprint -coredomain } fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, cgroup_v2)
diff --git a/private/microfuchsiad.te b/private/microfuchsiad.te
new file mode 100644
index 0000000..f02acaf
--- /dev/null
+++ b/private/microfuchsiad.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+ type microfuchsiad, domain, coredomain;
+ type microfuchsiad_exec, system_file_type, exec_type, file_type;
+
+ # Host dynamic AIDL services
+ init_daemon_domain(microfuchsiad)
+ binder_use(microfuchsiad)
+ add_service(microfuchsiad, microfuchsia_service)
+
+ # Call back into system server
+ binder_call(microfuchsiad, system_server)
+
+ # Start a VM
+ virtualizationservice_use(microfuchsiad)
+
+ # Create pty devices
+ allow microfuchsiad devpts:chr_file { read write open getattr ioctl };
+')
diff --git a/private/platform_app.te b/private/platform_app.te
index eb1a7c7..320624c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -51,6 +51,7 @@
userdebug_or_eng(`
set_prop(platform_app, persist_sysui_ranking_update_prop)
')
+set_prop(platform_app, debug_tracing_desktop_mode_visible_tasks_prop)
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
diff --git a/private/property.te b/private/property.te
index acb8d79..1f94608 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,6 +3,7 @@
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(crashrecovery_prop)
+system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index f0a4281..f631f8f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -33,6 +33,7 @@
debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
+debug.tracing.desktop_mode_visible_tasks u:object_r:debug_tracing_desktop_mode_visible_tasks_prop:s0 exact uint
dumpstate. u:object_r:dumpstate_prop:s0
dumpstate.options u:object_r:dumpstate_options_prop:s0
init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0
diff --git a/private/service.te b/private/service.te
index 533adde..63259c6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,27 +1,27 @@
-type adaptive_auth_service, system_server_service, service_manager_type;
-type ambient_context_service, app_api_service, system_server_service, service_manager_type;
-type attention_service, system_server_service, service_manager_type;
-type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
-type compos_service, service_manager_type;
-type communal_service, app_api_service, system_server_service, service_manager_type;
-type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
-type feature_flags_service, app_api_service, system_server_service, service_manager_type;
-type gsi_service, service_manager_type;
-type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type logcat_service, system_server_service, service_manager_type;
-type logd_service, service_manager_type;
-type mediatuner_service, app_api_service, service_manager_type;
+type adaptive_auth_service, system_server_service, service_manager_type;
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
+type attention_service, system_server_service, service_manager_type;
+type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
+type compos_service, service_manager_type;
+type communal_service, app_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type feature_flags_service, app_api_service, system_server_service, service_manager_type;
+type gsi_service, service_manager_type;
+type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
-type profcollectd_service, service_manager_type;
-type protolog_service, system_api_service, system_server_service, service_manager_type;
-type resolver_service, system_server_service, service_manager_type;
-type rkpd_registrar_service, service_manager_type;
-type rkpd_refresh_service, service_manager_type;
-type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type stats_service, service_manager_type;
-type statsbootstrap_service, system_server_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
-type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type profcollectd_service, service_manager_type;
+type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
+type rkpd_registrar_service, service_manager_type;
+type rkpd_refresh_service, service_manager_type;
+type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type stats_service, service_manager_type;
+type statsbootstrap_service, system_server_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
+type statsmanager_service, system_api_service, system_server_service, service_manager_type;
is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -39,6 +39,9 @@
type vm_tethering_service, system_server_service, service_manager_type;
type vmnic_service, service_manager_type;
')
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+ type microfuchsia_service, service_manager_type;
+')
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 4d1f1e5..71abb42 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -174,6 +174,9 @@
android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
android.system.vmtethering.IVmTethering u:object_r:vm_tethering_service:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+ android.system.microfuchsiad u:object_r:microfuchsia_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_function u:object_r:app_function_service:s0
@@ -370,7 +373,7 @@
powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
profiling_service u:object_r:profiling_service:s0
-protolog u:object_r:protolog_service:s0
+protolog_configuration u:object_r:protolog_configuration_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 003e992..6540420 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -111,6 +111,10 @@
binder_call(traced_probes, statsd)
allow traced_probes stats_service:service_manager find;
+# Allow reading the system property representing number of desktop windows to
+# set the initial value for the counter in traces.
+get_prop(traced_probes, debug_tracing_desktop_mode_visible_tasks_prop)
+
###
### Neverallow rules
###
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 5bba84a..6de0292 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -107,5 +107,5 @@
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:dir { rw_dir_perms rmdir };
allow update_engine_common ota_metadata_file:file create_file_perms;