Merge "Allow odsign to rename & unlink CompOS files."
diff --git a/apex/Android.bp b/apex/Android.bp
index b5199f0..8be5aa1 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -197,6 +197,13 @@
}
filegroup {
+ name: "com.android.uwb-file_contexts",
+ srcs: [
+ "com.android.uwb-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.virt-file_contexts",
srcs: [
"com.android.virt-file_contexts",
diff --git a/apex/com.android.uwb-file_contexts b/apex/com.android.uwb-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.uwb-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
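Review bot: The second pattern, `/lib(64)?(/.*)`, has no trailing `?`, so it matches only paths below `lib`/`lib64`; the directory nodes themselves fall through to the catch-all and are labelled `system_file`. If the directories are meant to carry `system_lib_file` as well, the entry would be `/lib(64)?(/.*)? u:object_r:system_lib_file:s0`. If the split is deliberate, a one-line `#` comment above the rule saying so would stop a later reader from "fixing" it.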
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index ac81c90..728d156 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -30,4 +30,8 @@
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+# microdroid_manager is using bootstrap bionic
+allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
+allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
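Review bot: The comment on the two added allow rules says only that bootstrap bionic is used, and does not explain why `execute` and `map` are granted or why the permission set is written out by hand. The `neverallow` on the following line forbids `execute_no_trans`, so presumably the libraries are only mapped executable by the linker and never exec'd directly. A comment such as `# Bootstrap bionic libraries are mapped executable; execute_no_trans is deliberately not granted (see neverallow below).` would record that intent, if that reading is right.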
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 06859d9..72994dd 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,6 +9,7 @@
camera2_extensions_prop
hal_system_suspend_service
hal_tv_tuner_service
+ hal_wifi_hostapd_service
power_stats_service
snapuserd_prop
snapuserd_proxy_socket
@@ -16,4 +17,6 @@
transformer_service
proc_watermark_boost_factor
untrusted_app_30
+ proc_vendor_sched
+ sysfs_vendor_sched
))
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 40b3945..2c65281 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -22,6 +22,7 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+ get_prop(fastbootd, snapuserd_prop)
# Needed for TCP protocol
allow fastbootd node:tcp_socket node_bind;
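Review bot: The added `get_prop(fastbootd, snapuserd_prop)` sits directly under the "Determine allocation scheme" comment, which describes `virtual_ab_prop`, so the reason fastbootd reads snapuserd properties is undocumented. The same bare `get_prop(..., snapuserd_prop)` is added in private/recovery.te and private/update_engine.te, where it follows the snapuserd socket rules without its own comment. Each should have a line of its own, for example `# Allow reading snapuserd properties.`, extended with the decision the property drives so the grant can be audited later.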
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b890ba6..8af6198 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -104,6 +104,7 @@
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
@@ -165,6 +166,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
diff --git a/private/recovery.te b/private/recovery.te
index bba2a0d..2dba93b 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -38,6 +38,7 @@
allow recovery snapuserd_socket:sock_file write;
allow recovery snapuserd:unix_stream_socket connectto;
allow recovery dm_user_device:dir r_dir_perms;
+ get_prop(recovery, snapuserd_prop)
# Set fastbootd protocol property
set_prop(recovery, fastbootd_protocol_prop)
diff --git a/private/service_contexts b/private/service_contexts
index 4da2781..337ee80 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -20,6 +20,7 @@
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
diff --git a/private/update_engine.te b/private/update_engine.te
index d828e1f..c3f575f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,6 +24,7 @@
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
+get_prop(update_engine, snapuserd_prop)
# Allow to communicate with apexd for calculating and reserving space for
# capex decompression
diff --git a/public/file.te b/public/file.te
index 2d98bb0..9bb1ff9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,6 +78,7 @@
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
@@ -117,6 +118,10 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
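Review bot: `typeattribute sysfs_vendor_sched mlstrustedobject;` inside `userdebug_or_eng` has no comment, and it makes the MLS treatment of this type differ between user and debug builds. `mlstrustedobject` exempts the object from the MLS constraints, so on debug builds any domain that type enforcement allows can reach these nodes regardless of its level or categories. Please add a comment above the block naming the debug-only consumer that needs this. Also confirm that no rule written against `sysfs_vendor_sched` relies on the exemption to work on user builds.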
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 55efc3c..b508aa5 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -3,6 +3,11 @@
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
+
+binder_call(hal_wifi_hostapd_server, servicemanager)
+
+allow hal_wifi_hostapd_server dumpstate:fifo_file write;
allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
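Review bot: The added `allow hal_wifi_hostapd_server dumpstate:fifo_file write;` is in public policy with no comment explaining why the hostapd HAL writes to a dumpstate pipe. Presumably it lets the service write its dump output during a bug report; if so, a line such as `# Allow the HAL to write its dump output to the pipe provided by dumpstate.` above the rule would make the grant reviewable. The added `binder_call(hal_wifi_hostapd_server, servicemanager)` would likewise benefit from a short note that it is needed for the service-manager registration introduced by `hal_attribute_service`.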
diff --git a/public/service.te b/public/service.te
index f8f37f0..5cf379a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -243,6 +243,7 @@
type wpantund_service, system_api_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
+type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
###
### HAL Services
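Review bot: The new `type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;` is placed just above the `### HAL Services` header, so it ends the preceding list of framework services although its name and attributes mark it as a HAL service. Moving the line below the header, next to the other `hal_*_service` declarations (which continue outside this hunk), would keep the file's grouping intact. That makes it easier to audit which services carry `protected_service`.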