Merge "Build userdebug_plat_sepolicy.cil with Android.bp"
diff --git a/OWNERS b/OWNERS
index d7cde74..a0326af 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,6 +2,7 @@
 alanstokes@google.com
 bowgotsai@google.com
 cbrubaker@google.com
+inseob@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 88c07fa..5de6122 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -44,7 +44,7 @@
 	// system/sepolicy/{public, private, vendor, reqd_mask}
 	// and directories specified by following config variables:
 	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
-	// BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+	// SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
 	Srcs []string
 }
 
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 230fdc3..5cc73f9 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -87,6 +87,15 @@
 
 	srcPaths := c.expandSeSources(ctx)
 	out := android.PathForModuleGen(ctx, c.Name())
+
+	// TODO(b/183362912): Patch secilc to handle empty cil files.
+	// Put a header so that the generated cil mustn't be empty.
+	header := android.PathForModuleGen(ctx, c.Name()+"_header")
+	rule := android.NewRuleBuilder(pctx, ctx)
+	rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
+	rule.Build(c.Name()+"_header", "Generate cil header")
+	srcPaths = append(android.Paths{header}, srcPaths...)
+
 	ctx.Build(pctx, android.BuildParams{
 		Rule:        android.Cat,
 		Inputs:      srcPaths,
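Review bot: The added comment above `header := android.PathForModuleGen(ctx, c.Name()+"_header")` does not say that the prepended line is inert, which matters because it is concatenated into every generated compat cil file, not only the empty ones. The `;; ` prefix looks like a CIL comment, so it should not change the compiled policy, and the comment should state that outright, e.g. `// The header is a CIL comment (";; <stem>"); it only keeps the output non-empty and adds no policy statements.` The wording "so that the generated cil mustn't be empty" would also read better as "so that the generated cil is never empty". The enclosing function starts and ends outside this hunk.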
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 700f8e0..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
 	// system/sepolicy/{public, private, vendor, reqd_mask}
 	// and directories specified by following config variables:
 	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
-	// BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+	// SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
 	Srcs []string
 }
 
@@ -80,12 +80,12 @@
 	return fg.systemReqdMaskSrcs
 }
 
-// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
 func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
 	return fg.systemExtPublicSrcs
 }
 
-// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
 func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
 	return fg.systemExtPrivateSrcs
 }
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 43775b1..3bf3a13 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -18,6 +18,7 @@
     appcompat_data_file
     arm64_memtag_prop
     authorization_service
+    camerax_extensions_prop
     cgroup_desc_api_file
     cgroup_v2
     codec2_config_prop
diff --git a/private/gsid.te b/private/gsid.te
index e6a395a..8a13cb1 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -183,7 +183,10 @@
 } gsi_public_metadata_file:file_class_set ~{ r_file_perms };
 
 # Prevent apps from accessing gsi_metadata_file_type.
-neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
+neverallow {
+    appdomain
+    -shell
+} gsi_metadata_file_type:dir_file_class_set *;
 
 neverallow {
     domain
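Review bot: The new `-shell` exclusion lifts the neverallow for shell on every permission (`*`) and every class in `dir_file_class_set`, which is wider than read-only access would need. If the exemption exists for the `read_fstab(shell)` line added in private/shell.te (inferred from this commit, not stated in it), companion rules would keep the write side closed: `neverallow shell gsi_metadata_file_type:dir ~{ r_dir_perms };` and `neverallow shell gsi_metadata_file_type:file_class_set ~{ r_file_perms };`. The comment above the rule still says "Prevent apps from accessing" and should name the exception, e.g. `# Prevent apps, other than shell, from accessing gsi_metadata_file_type.` The next `neverallow { domain …` rule continues outside the hunk.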
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 5695cc3..3833971 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -16,10 +16,13 @@
 # odsign_key is a keystore2_key namespace for the on-device signing daemon.
 101            u:object_r:odsign_key:s0
 
-# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
 # namespace in keystore.
 102            u:object_r:wifi_key:s0
 
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103            u:object_r:locksettings_key:s0
+
 # resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
 120            u:object_r:resume_on_reboot_key:s0
 
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 8d33d5d..2f97608 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -14,6 +14,9 @@
 # A keystore2 namespace for the on-device signing daemon.
 type odsign_key, keystore2_key_type;
 
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
 # A keystore2 namespace for resume on reboot.
 type resume_on_reboot_key, keystore2_key_type;
 
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 978ae2a..78bbdb0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -24,6 +24,7 @@
 
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider cameraserver_service:service_manager find;
 allow mediaprovider drmserver_service:service_manager find;
 allow mediaprovider mediaextractor_service:service_manager find;
 allow mediaprovider mediaserver_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index c7d6743..34efaac 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -323,6 +323,8 @@
 ro.camera.notify_nfc    u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
 
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
 # Should always_debuggable be bool? It's checked against the string "1".
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 66e2d4d..5831d54 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -194,3 +194,6 @@
 # Never allow others to set or get the perf.drop_caches property.
 neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
 neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+
+# Allow ReadDefaultFstab() for CTS.
+read_fstab(shell)
diff --git a/private/system_server.te b/private/system_server.te
index 084ea22..1bab3e7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -905,6 +905,16 @@
 	use
 };
 
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
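Review bot: Nothing in this hunk, or in the keystore_keys.te hunk that declares the type, prevents a later change from granting another domain access to `locksettings_key`, which the comment says covers the synthetic password key. A neverallow placed next to the allow would pin the namespace to its one intended client, e.g. `neverallow { domain -system_server } locksettings_key:keystore2_key *;`, to be checked against any debug-only domains the policy exempts elsewhere. The second blank line added after the closing `};` can be dropped.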
diff --git a/private/traced.te b/private/traced.te
index aa16966..6e3ad46 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,7 +3,6 @@
 # type traced is defined under /public (because iorapd rules
 # under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
-type traced_tmpfs, file_type;
 
 # Allow init to exec the daemon.
 init_daemon_domain(traced)
diff --git a/public/app.te b/public/app.te
index af19d10..ae8d7fd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -592,3 +592,6 @@
     { open read write append execute execute_no_trans map };
 neverallow appdomain system_bootstrap_lib_file:dir
     { open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
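Review bot: The added comment `# Allow to ro.camerax.extensions.enabled` is missing its subject and verb, and it does not say how wide the grant is. `get_prop(appdomain, camerax_extensions_prop)` gives read access to every domain carrying the appdomain attribute, presumably including the least trusted app domains. Because the rule sits under public/, it also becomes part of the policy that vendor policy is built against. Suggested wording: `# Allow all apps to read ro.camerax.extensions.enabled; the value is a non-sensitive feature flag.` The second half should stay only if that is indeed the intent.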
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 416448a..4eb8bb2 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -33,4 +33,6 @@
 hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
 binder_call(hal_neuralnetworks_server, servicemanager)
 
+binder_use(hal_neuralnetworks_server)
+
 allow hal_neuralnetworks_server dumpstate:fifo_file write;
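Review bot: `binder_use(hal_neuralnetworks_server)` is added without a comment, directly below `binder_call(hal_neuralnetworks_server, servicemanager)`, so a reader cannot tell what access the server was missing. A one-line comment above it should name the operation that needs it, e.g. registering or looking up a service through servicemanager. If `binder_use` already covers calls to servicemanager, as I believe it does (confirm against te_macros), the preceding `binder_call(hal_neuralnetworks_server, servicemanager)` line is redundant. In that case it can be removed in the same change, so the rule set stays minimal.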
diff --git a/public/property.te b/public/property.te
index 8cae47c..caa705a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -122,6 +122,7 @@
 system_vendor_config_prop(build_vendor_prop)
 system_vendor_config_prop(camera_calibration_prop)
 system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
 system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(cpu_variant_prop)
diff --git a/public/traced.te b/public/traced.te
index ec5b850..922d46e 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,2 +1,3 @@
 type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 25d0dcb..a8f9418 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -223,6 +223,7 @@
 set_prop(vendor_init, apk_verity_prop)
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)