Merge "Create a separate SELinux domain for gmscore"
diff --git a/Android.mk b/Android.mk
index c4d6fd3..e3b4143 100644
--- a/Android.mk
+++ b/Android.mk
@@ -226,12 +226,12 @@
# Convert a file_context file for a non-flattened APEX into a file for
# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
# $(1): path to the input file_contexts file for non-flattened APEX
-# $(2): name of the APEX
-# $(3): path to the generated file_contexs file for flattened APEX
+# $(2): path to the flattened APEX
+# $(3): path to the generated file_contexts file for flattened APEX
# $(4): variable where $(3) is added to
define build_flattened_apex_file_contexts
$(4) += $(3)
-$(3): PRIVATE_APEX_PATH := /system/apex/$(subst .,\\.,$(2))
+$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2))
$(3): $(1)
$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
endef
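Review bot: `PRIVATE_APEX_PATH` is placed directly inside the awk `printf` format string and ends up in a file_contexts regex with only `.` escaped, which was tolerable for an APEX name but is looser now that `$(2)` is an install path. A `%` in the path would be read as a format directive, and any other regex metacharacter would change which files the generated entries label. Passing the prefix as an argument keeps the existing escaping and removes the format-string problem: `$(hide) awk '/object_r/{printf("%s%s\n","$$(PRIVATE_APEX_PATH)",$$$$0)}' $$< > $$@`. The `$(2)` comment should also say that the path must not contain regex metacharacters other than `.`.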
@@ -1416,15 +1416,16 @@
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
-ifeq ($(TARGET_FLATTEN_APEX),true)
- $(foreach _pair,$(APEX_FILE_CONTEXTS_INFOS),\
- $(eval _apex_name := $(call word-colon,1,$(_pair)))\
- $(eval _fc_name := $(call word-colon,2,$(_pair)))\
- $(eval _input := $(LOCAL_PATH)/apex/$(_fc_name)-file_contexts)\
- $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
- $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
- )
-endif
+
+# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
+$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
+ $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
+ $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
+ $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
+ $(eval _input := $(_fc_path))\
+ $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
+ $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
+ )
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
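Review bot: The new `$(foreach _tuple,...)` loop takes three colon-separated fields from each `APEX_FILE_CONTEXTS_INFOS` entry but never checks that they are present, and it now runs on every build rather than only when `TARGET_FLATTEN_APEX` is true. An entry still in the old two-field form would leave `_fc_path` empty, so the generated rule would have no input file. An empty `_apex_path` would emit the APEX's patterns, such as `(/.*)?`, without any prefix into the platform file_contexts. A guard placed right after the three `word-colon` evals turns both cases into a build error: `$(if $(and $(_apex_name),$(_apex_path),$(_fc_path)),,$(error malformed APEX_FILE_CONTEXTS_INFOS entry '$(_tuple)'))`. Where the variable is populated is not visible in this diff, so its actual format should be confirmed there.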
diff --git a/apex/Android.bp b/apex/Android.bp
new file mode 100644
index 0000000..8eedfab
--- /dev/null
+++ b/apex/Android.bp
@@ -0,0 +1,133 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+filegroup {
+ name: "apex.test-file_contexts",
+ srcs: [
+ "apex.test-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.adbd-file_contexts",
+ srcs: [
+ "com.android.adbd-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.art.debug-file_contexts",
+ srcs: [
+ "com.android.art.debug-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.art.release-file_contexts",
+ srcs: [
+ "com.android.art.release-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.bootanimation-file_contexts",
+ srcs: [
+ "com.android.bootanimation-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.cellbroadcast-file_contexts",
+ srcs: [
+ "com.android.cellbroadcast-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.conscrypt-file_contexts",
+ srcs: [
+ "com.android.conscrypt-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.i18n-file_contexts",
+ srcs: [
+ "com.android.i18n-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.media-file_contexts",
+ srcs: [
+ "com.android.media-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.media.swcodec-file_contexts",
+ srcs: [
+ "com.android.media.swcodec-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.neuralnetworks-file_contexts",
+ srcs: [
+ "com.android.neuralnetworks-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.os.statsd-file_contexts",
+ srcs: [
+ "com.android.os.statsd-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.permission-file_contexts",
+ srcs: [
+ "com.android.permission-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.resolv-file_contexts",
+ srcs: [
+ "com.android.resolv-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.runtime-file_contexts",
+ srcs: [
+ "com.android.runtime-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.tzdata-file_contexts",
+ srcs: [
+ "com.android.tzdata-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.vndk-file_contexts",
+ srcs: [
+ "com.android.vndk-file_contexts",
+ ],
+}
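Review bot: No filegroup is declared for `com.android.ipsec-file_contexts`, although this same change adds `apex/com.android.ipsec-file_contexts`. If the ipsec APEX is meant to reference its contexts by module name like the other entries here, it needs `filegroup { name: "com.android.ipsec-file_contexts", srcs: ["com.android.ipsec-file_contexts"], }`. Android.mk no longer derives the input from `$(LOCAL_PATH)/apex/`, so a file without a filegroup may not be picked up at all; this is inferred, because the consumer is outside this diff. A short header comment stating that every contexts file in this directory needs a matching filegroup would prevent the next omission.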
diff --git a/apex/com.android.ipsec-file_contexts b/apex/com.android.ipsec-file_contexts
new file mode 100644
index 0000000..270f0e1
--- /dev/null
+++ b/apex/com.android.ipsec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 524b84a..bd950dd 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,8 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ app_search_service
+ auth_service
ashmem_libcutils_device
blob_store_service
boringssl_self_test
@@ -27,10 +29,14 @@
linker_prop
mock_ota_prop
ota_metadata_file
+ ota_prop
art_apex_dir
service_manager_service
system_group_file
system_passwd_file
+ timezonedetector_service
+ userspace_reboot_prop
+ userspace_reboot_exported_prop
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
diff --git a/private/domain.te b/private/domain.te
index a621ae6..2389ec9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,8 @@
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain shell}, userspace_reboot_exported_prop)
+ get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
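Review bot: `userspace_reboot_prop` is declared with `system_internal_prop` in public/property.te, yet the added `get_prop({coredomain shell}, userspace_reboot_prop)` makes it readable by every core domain and by shell. If only specific daemons need the internal property, per-domain `get_prop(<domain>, userspace_reboot_prop)` lines would be tighter, leaving the broad read on `userspace_reboot_exported_prop` only. Both added lines sit inside a block that opens above the hunk and closes at `')`, so the read grant depends on whatever that macro tests, while the `set_prop` and `neverallow` rules in private/init.te are unconditional. A one-line comment naming the intended readers would make the scope reviewable.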
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index aafaf53..2559525 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -24,8 +24,3 @@
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
dontaudit fsverity_init kernel:system module_request;
-
-# TODO(b/132323675): remove once kernel bug is fixed.
-userdebug_or_eng(`
- dontaudit fsverity_init self:capability sys_admin;
-')
diff --git a/private/init.te b/private/init.te
index 374b207..3edd021 100644
--- a/private/init.te
+++ b/private/init.te
@@ -32,3 +32,9 @@
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_prop)
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_prop:property_service set;
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 15bb9e1..9d88248 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -1,7 +1,15 @@
###
### A domain for further sandboxing the GooglePermissionController app.
###
-type permissioncontroller_app, domain;
+type permissioncontroller_app, domain, coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
app_domain(permissioncontroller_app)
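Review bot: The comment `# Allow everything.` overstates what the added `permissive permissioncontroller_app;` line does, because it is wrapped in `userdebug_or_eng`: the domain is permissive only on userdebug and eng builds, and user builds stay enforcing with the allow rules as written. That matters for validation, since denials logged on debug builds are the only signal that the user-build policy is complete. I would reword it to `# Permissive on userdebug/eng only, to collect denials; user builds remain enforcing.` and fold the duplicate TODO and STOPSHIP for b/142672293 into one entry. The same hunk adds `coredomain` to the type declaration with no comment explaining why.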
@@ -21,7 +29,11 @@
allow permissioncontroller_app activity_task_service:service_manager find;
allow permissioncontroller_app audio_service:service_manager find;
allow permissioncontroller_app autofill_service:service_manager find;
+allow permissioncontroller_app content_capture_service:service_manager find;
allow permissioncontroller_app device_policy_service:service_manager find;
+allow permissioncontroller_app incidentcompanion_service:service_manager find;
allow permissioncontroller_app location_service:service_manager find;
+allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app surfaceflinger_service:service_manager find;
+allow permissioncontroller_app telecom_service:service_manager find;
allow permissioncontroller_app trust_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 16c8d93..06c662e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,6 +22,7 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
+sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
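Review bot: `sys.init.userspace_reboot` has no trailing dot and no `exact` keyword, so as a prefix entry it also captures any property whose name merely starts with that string, not only the `sys.init.userspace_reboot.*` namespace. If the namespace is what is meant, `sys.init.userspace_reboot. u:object_r:userspace_reboot_prop:s0` says so and matches the neighbouring `sys.linker.` entry. The same applies to `ota.warm_reset` in the second hunk, which its comment describes as a single property. An `exact` entry with a value type, as used in public/property_contexts, would pin the name and let the value be type-checked.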
@@ -219,3 +220,6 @@
# Virtual A/B properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset u:object_r:ota_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1e035dc..2893278 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,7 @@
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index b7cd10f..dd71111 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -11,6 +11,7 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_prediction u:object_r:app_prediction_service:s0
+app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
blob_store u:object_r:blob_store_service:s0
gsiservice u:object_r:gsi_service:s0
@@ -19,6 +20,7 @@
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
+auth u:object_r:auth_service:s0
autofill u:object_r:autofill_service:s0
backup u:object_r:backup_service:s0
batteryproperties u:object_r:batteryproperties_service:s0
@@ -197,6 +199,7 @@
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
+time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index f0a447a..5544279 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -265,6 +265,7 @@
mediametrics
mediaserver
mediaswcodec
+ netd
sdcardd
statsd
surfaceflinger
diff --git a/private/zygote.te b/private/zygote.te
index d5e5420..5d7ecac 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -100,11 +100,8 @@
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
-# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
-# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
-# sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
+allow zygote { sdcard_type }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type }:file { create_file_perms };
# Allow zygote to expand app files while preloading libraries
allow zygote mnt_expand_file:dir getattr;
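Review bot: The braces in `{ sdcard_type }` and `{ create_file_perms }` are left over from the two-element set and are now redundant. `allow zygote sdcard_type:dir { create_dir_perms mounton };` and `allow zygote sdcard_type:file create_file_perms;` read more clearly and make it obvious that only one type is covered. The removed TODO was the only record of why `media_rw_data_file` had been included, so a short note in the commit message on how b/123533205 was resolved would help anyone who sees the denial return.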
diff --git a/public/property.te b/public/property.te
index d417628..29d1718 100644
--- a/public/property.te
+++ b/public/property.te
@@ -17,6 +17,7 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(userspace_reboot_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -62,6 +63,7 @@
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -130,6 +132,7 @@
system_public_prop(log_tag_prop)
system_public_prop(lowpan_prop)
system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
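Review bot: `ota_prop` is declared with `system_public_prop`, apparently the least restrictive of the three macros used in this file, while the only non-system access this change adds is `get_prop(vendor_init, ota_prop)`. If vendor code only needs to read the flag, `system_restricted_prop(ota_prop)` may be enough and would keep writers limited to system domains; that reading of the macro names should be confirmed against their definitions, which are outside this diff. The later hunks also add `-ota_prop` to two exclusion lists whose enclosing rules start above the hunks, so what is being exempted cannot be checked from here. A comment beside those entries, or a line in the commit message, should state which rule each exemption relaxes.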
@@ -287,6 +290,7 @@
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
@@ -313,6 +317,7 @@
-logd_prop
-net_radio_prop
-nfc_prop
+ -ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
@@ -625,6 +630,7 @@
-net_radio_prop
-netd_stable_secret_prop
-nfc_prop
+ -ota_prop
-overlay_prop
-pan_result_prop
-persist_debug_prop
diff --git a/public/property_contexts b/public/property_contexts
index 7a2badd..2951d33 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -11,11 +11,13 @@
camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@
dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -61,6 +64,8 @@
dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -266,6 +271,7 @@
ro.secure u:object_r:exported_secure_prop:s0 exact int
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
diff --git a/public/radio.te b/public/radio.te
index 4527707..34eaf83 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,6 +35,7 @@
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
hwbinder_use(radio)
diff --git a/public/service.te b/public/service.te
index aace214..c025530 100644
--- a/public/service.te
+++ b/public/service.te
@@ -45,10 +45,12 @@
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
+type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
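Review bot: `app_search_service` carries `ephemeral_app_api_service` while `auth_service`, added a few lines below, does not, and neither line says why. Judging by the attribute name, this makes the new service findable by instant apps, so it deserves an explicit decision rather than being copied from the neighbouring declarations. If instant-app access is not required yet, start with `type app_search_service, app_api_service, system_server_service, service_manager_type;` and widen it later.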
@@ -167,6 +169,7 @@
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/update_engine.te b/public/update_engine.te
index 5410bde..8aafe34 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -58,6 +58,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8d40cdd..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -27,6 +27,9 @@
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 21a9222..1af56fe 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -220,6 +220,8 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
+ -userspace_reboot_exported_prop
+ -userspace_reboot_prop
})
')
@@ -258,6 +260,8 @@
get_prop(vendor_init, exported3_system_prop)
get_prop(vendor_init, theme_prop)
+get_prop(vendor_init, ota_prop)
+
###
### neverallow rules
###
diff --git a/public/vold.te b/public/vold.te
index 9e68d65..9f4489d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -92,6 +92,8 @@
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
@@ -174,6 +176,7 @@
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
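Review bot: `set_prop(vold, ota_prop)` is added without a comment, unlike the matching grants in public/update_engine.te and public/update_verifier.te. Three domains can now write the property that, per the comment in private/property_contexts, sets or clears the warm reset flag after an OTA, so each writer should state its reason. A line such as `# Allow vold to set the OTA related properties, e.g. ota.warm_reset.` would do if that is the actual use; otherwise the comment should name what triggers the write.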
diff --git a/tests/Android.bp b/tests/Android.bp
index d27f333..926b5e4 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,7 +11,6 @@
"libbase",
"libsepol",
],
- stl: "libc++_static",
sanitize: {
never: true,
},
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 07aaf5b..d05e47f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,7 +6,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -39,6 +39,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index e605ecb..dcb03a8 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -5,3 +5,8 @@
# may be started by init
type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_vehicle_default)
+
+# communication with CAN bus HAL
+allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
+allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
+allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
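Review bot: These rules are attached to `hal_vehicle_default`, and vendor/file_contexts in this change labels both the `vehicle@2.0-service` and the `vehicle@2.0-protocan-service` binaries as `hal_vehicle_default_exec`, so the stock vehicle HAL gains CAN bus HAL access along with the protocan one. If only the protocan service talks to the CAN HAL, a dedicated exec type and domain for it would keep the default service at its previous privileges. For the two binder lines, the policy's `binder_call` macro is the usual spelling: `binder_call(hal_vehicle_default, hal_can_socketcan)` and `binder_call(hal_can_socketcan, hal_vehicle_default)`. The macro may grant slightly more than `{ call transfer }`, so its definition should be checked before switching.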