Merge "vmlauncher_app: Allow to find cameraserver_service" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 3d8c0ce..35b7d7f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -132,6 +132,7 @@
"android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.see.hwcrypto.IHwCryptoKey/default": []string{"android.hardware.trusty.hwcryptohal-service_fuzzer"},
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
@@ -523,7 +524,7 @@
"wifiaware": EXCEPTION_NO_FUZZER,
"wifi_usd": EXCEPTION_NO_FUZZER,
"wifirtt": EXCEPTION_NO_FUZZER,
- "wifi_mainline_supplicant": EXCEPTION_NO_FUZZER, // defined internally
+ "wifi_mainline_supplicant": []string{"mainline_supplicant_service_fuzzer"},
"window": EXCEPTION_NO_FUZZER,
"*": EXCEPTION_NO_FUZZER,
}
diff --git a/private/app.te b/private/app.te
index b359663..a32cdb2 100644
--- a/private/app.te
+++ b/private/app.te
@@ -371,7 +371,7 @@
# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir w_dir_perms;
+allow appdomain user_profile_data_file:dir rw_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;
# Allow writing performance tracing data into the perfetto traced daemon.
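Review bot: The comment above the changed rule still says "Write profiles", while `allow appdomain user_profile_data_file:dir rw_dir_perms;` now also lets every app domain list and stat directories of that type, and nothing on the page records why read access is needed. Moving from `w_dir_perms` to `rw_dir_perms` adds the directory `read`/`getattr` family, so confirm that directories with this label expose only the caller's own profile entries; the per-package isolation (DAC or MLS categories, presumably) is not visible here. I would update the comment to something like `# Read and write profiles under /data/misc/profiles (dir read needed for <reason>)`. The same widening is made for `system_server` inside `userdebug_or_eng` in private/system_server.te and deserves the same comment update.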
diff --git a/private/crosvm.te b/private/crosvm.te
index 6051992..11c70ad 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -172,6 +172,9 @@
# Early VMs may print messages to kmsg_debug_device.
allow crosvm kmsg_debug_device:chr_file w_file_perms;
+# Allow crosvm to read /data/nativetest for VTS
+r_dir_file(crosvm, nativetest_data_file)
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
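Review bot: `r_dir_file(crosvm, nativetest_data_file)` is granted in every build although its comment says it exists for VTS, and it sits directly above the block warning that a malicious application could get crosvm to open files by name. `r_dir_file` includes `open` on files, so the neverallow that follows (its body is outside this hunk) has to stay consistent with this grant. The comment should also state who may write to /data/nativetest, so a reader can see that an untrusted app cannot place a disk image there. If the access is not needed on production devices, consider a build-type or flag guard; otherwise extend the comment, e.g. `# VTS runs VM payloads from /data/nativetest; writable only by <who>`. private/virtualizationmanager.te receives the same unconditional grant.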
diff --git a/private/domain.te b/private/domain.te
index 4282b4d..b912aae 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2318,7 +2318,7 @@
domain
# these are expected
- -early_virtmgr
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
-virtualizationmanager
-virtualizationservice
-adbd_common # maybe should move to emulator/virtual device specific policy
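Review bot: The `-early_virtmgr` exception is now emitted only when `RELEASE_AVF_ENABLE_EARLY_VM` is set, but the list's `# these are expected` comment gives no hint why this one entry is flag-guarded. Presumably the type is only declared when the flag is enabled, so an unconditional reference would not compile; a short comment such as `# early_virtmgr exists only with RELEASE_AVF_ENABLE_EARLY_VM` would record that. The neverallow this list belongs to begins and ends outside the hunk, so which permission is being excepted cannot be checked from here.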
diff --git a/private/service_contexts b/private/service_contexts
index ad41229..67c84d5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -110,6 +110,7 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.see.hwcrypto.IHwCryptoKey/default u:object_r:hal_hwcrypto_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 7bdcaef..bdfec3b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1296,7 +1296,7 @@
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
- allow system_server user_profile_data_file:dir w_dir_perms;
+ allow system_server user_profile_data_file:dir rw_dir_perms;
allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 95bdd1c..6e973d6 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -114,6 +114,9 @@
# Allow virtualizationmanager to read microdroid related files in vendor partition
r_dir_file(virtualizationmanager, vendor_microdroid_file)
+# Allow virtualizationmanager to read /data/nativetest for VTS
+r_dir_file(virtualizationmanager, nativetest_data_file)
+
# Do not allow writing vendor_microdroid_file from any process.
neverallow {
domain
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b0c7a37..dc09d79 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -114,6 +114,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.threadnetwork-service(\.sim)? u:object_r:hal_threadnetwork_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.trusty\.hwcryptohal-service u:object_r:hal_hwcrypto_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
diff --git a/vendor/hal_hwcrypto_default.te b/vendor/hal_hwcrypto_default.te
new file mode 100644
index 0000000..7cb2eef
--- /dev/null
+++ b/vendor/hal_hwcrypto_default.te
@@ -0,0 +1,12 @@
+type hal_hwcrypto_default, domain;
+hal_server_domain(hal_hwcrypto_default, hal_hwcrypto)
+
+type hal_hwcrypto_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_hwcrypto_default)
+
+allow hal_hwcrypto_default tee_device:chr_file rw_file_perms;
+allow hal_hwcrypto_default ion_device:chr_file rw_file_perms;
+
+binder_call(hal_hwcrypto_client, hal_hwcrypto_server);
+hal_attribute_service(hal_hwcrypto, hal_hwcrypto_service);
+binder_use(hal_hwcrypto_server);
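Review bot: The last three statements (`binder_call(hal_hwcrypto_client, hal_hwcrypto_server)`, `hal_attribute_service(hal_hwcrypto, hal_hwcrypto_service)`, `binder_use(hal_hwcrypto_server)`) are rules on the HAL attributes rather than on `hal_hwcrypto_default`, so they would normally sit in the HAL's own policy file. Kept here, they exist only when this default implementation's policy is built, and another implementation of the HAL would not get them. They also end in `;` while the macro calls above do not; drop the semicolons for consistency. The declarations of `hal_hwcrypto` and `hal_hwcrypto_service`, which this file and private/service_contexts reference, are not visible on this page, so confirm they are part of the merge. The two device rules would also benefit from a one-line comment each, saying what the `tee_device` channel is used for and why `ion_device` access is required, so the next audit of this domain can judge whether both grants are still needed.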