Merge "Allow vold to set RO flag on block devices" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index c9c06e3..5b2a75e 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -286,3 +286,10 @@
"com.android.telephonymodules-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.configinfrastructure-file_contexts",
+ srcs: [
+ "com.android.configinfrastructure-file_contexts",
+ ],
+}
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 14b68ad..ed12f10 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -10,5 +10,4 @@
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
-/bin/oatdump u:object_r:oatdump_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
new file mode 100644
index 0000000..23e7b89
--- /dev/null
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
\ No newline at end of file
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index d8fc8df..75f9c10 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -9,3 +9,6 @@
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
/bin/vmnic u:object_r:vmnic_exec:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ /bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
+')
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 3b9d5e2..fef2e69 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -136,46 +136,6 @@
compatTestTimestamp android.ModuleOutPath
}
-func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
- confName := fmt.Sprintf("pub_policy_%s.conf", ver)
- cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
- platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
-
- ctx.CreateModule(policyConfFactory, &nameProperties{
- Name: proptools.StringPtr(confName),
- }, &policyConfProperties{
- Srcs: []string{
- fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
- fmt.Sprintf(":se_build_files{.system_ext_public_%s}", ver),
- fmt.Sprintf(":se_build_files{.product_public_%s}", ver),
- ":se_build_files{.reqd_mask}",
- },
- Installable: proptools.BoolPtr(false),
- }, &struct {
- Defaults []string
- }{
- Defaults: f.properties.Defaults,
- })
-
- ctx.CreateModule(policyCilFactory, &nameProperties{
- Name: proptools.StringPtr(cilName),
- }, &policyCilProperties{
- Src: proptools.StringPtr(":" + confName),
- Filter_out: []string{":reqd_policy_mask.cil"},
- Secilc_check: proptools.BoolPtr(false),
- Installable: proptools.BoolPtr(false),
- })
-
- ctx.CreateModule(versionedPolicyFactory, &nameProperties{
- Name: proptools.StringPtr(platPubVersionedName),
- }, &versionedPolicyProperties{
- Base: proptools.StringPtr(":" + cilName),
- Target_policy: proptools.StringPtr(":" + cilName),
- Version: proptools.StringPtr(ver),
- Installable: proptools.BoolPtr(false),
- })
-}
-
func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
srcs := []string{
":plat_sepolicy.cil",
@@ -195,7 +155,7 @@
":odm_sepolicy.cil",
)
} else {
- srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
+ srcs = append(srcs, fmt.Sprintf(":%s_plat_pub_versioned.cil", ver))
}
compatTestName := fmt.Sprintf("%s_compat_test", ver)
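Review bot: Nothing in this file now guarantees that `:%s_plat_pub_versioned.cil` exists, because the `createPlatPubVersionedModule` call that used to create the versioned module is removed in the same change. The name has become an implicit contract with a hand-written `se_versioned_policy` in prebuilts/api/<ver>/Android.bp for every version returned by `PlatformSepolicyCompatVersions()`. A comment above the `append` would record that, for example `// <ver>_plat_pub_versioned.cil is defined in prebuilts/api/<ver>/Android.bp; add it there for each new compat version.` createCompatTestModule starts and ends outside this hunk.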
@@ -210,7 +170,6 @@
func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- f.createPlatPubVersionedModule(ctx, ver)
f.createCompatTestModule(ctx, ver)
}
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 7b2122c..4476f94 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -33,6 +33,7 @@
// This order should be kept. checkpolicy syntax requires it.
var policyConfOrder = []string{
+ "flagging_macros",
"security_classes",
"initial_sids",
"access_vectors",
@@ -90,8 +91,9 @@
// Desired number of MLS categories. Defaults to 1024
Mls_cats *int64
- // Whether to turn on board_api_level guard or not. Defaults to false
- Board_api_level_guard *bool
+ // Board api level of policy files. Set "vendor" for RELEASE_BOARD_API_LEVEL, "system" for
+ // turning off the guard, or a direct version string (e.g. "202404"). Defaults to "system"
+ Board_api_level *string
}
type policyConf struct {
@@ -223,11 +225,17 @@
}
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
- if proptools.Bool(c.properties.Board_api_level_guard) {
+ level := proptools.StringDefault(c.properties.Board_api_level, "system")
+
+ if level == "system" {
+ // aribtrary value greater than any other vendor API levels
+ return "1000000"
+ } else if level == "vendor" {
return ctx.Config().VendorApiLevel()
+ } else {
+ return level
}
- // aribtrary value greater than any other vendor API levels
- return "1000000"
+
}
func findPolicyConfOrder(name string) int {
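Review bot: The final `else` branch of boardApiLevel returns any `board_api_level` string unchecked, so a misspelling such as `"Vendor"` or another non-numeric value is passed on as if it were an API level instead of failing the build. This value appears to decide which `starting_at_board_api` blocks are compiled in (private/access_vectors gates `bpf` and `checkpoint_restore` on it in this change), so it is worth rejecting anything that is not `"system"`, `"vendor"` or a number. A `switch` also removes the `else`-after-`return` chain and the stray blank line before the closing brace, and the carried-over comment typo "aribtrary" can be fixed at the same time. Every literal level visible in this change is numeric ("202404", "29" to "34"); if non-numeric levels are legal, the check below needs adjusting.

```go
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
	level := proptools.StringDefault(c.properties.Board_api_level, "system")

	switch level {
	case "system":
		// arbitrary value greater than any other vendor API level
		return "1000000"
	case "vendor":
		return ctx.Config().VendorApiLevel()
	}

	// Anything else must be a literal numeric level such as "202404".
	if _, err := strconv.Atoi(level); err != nil {
		ctx.PropertyErrorf("board_api_level",
			"must be \"system\", \"vendor\" or a numeric API level, got %q", level)
	}
	return level
}
```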
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 26e8989..5117fab 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -18,6 +18,7 @@
name: "aosp_selinux_flags",
flags: [
"RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
+ "RELEASE_AVF_ENABLE_EARLY_VM",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
@@ -43,7 +44,7 @@
name: "se_policy_conf_public_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
build_flags: ["all_selinux_flags"],
- board_api_level_guard: true,
+ board_api_level: "vendor",
}
contexts_defaults {
@@ -55,5 +56,5 @@
filegroup {
name: "sepolicy_flagging_macros",
- srcs: ["te_macros"],
+ srcs: ["flagging_macros"],
}
diff --git a/flagging/te_macros b/flagging/flagging_macros
similarity index 100%
rename from flagging/te_macros
rename to flagging/flagging_macros
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index dce4898..e9b4b1e 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -107,6 +107,7 @@
se_policy_conf {
name: "microdroid_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_files,
installable: false,
mls_cats: 1,
@@ -121,6 +122,7 @@
se_policy_conf {
name: "microdroid_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: system_policy_files,
installable: false,
mls_cats: 1,
@@ -135,6 +137,7 @@
se_policy_conf {
name: "microdroid_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: system_public_policy_files,
installable: false,
mls_cats: 1,
@@ -172,6 +175,7 @@
se_policy_conf {
name: "microdroid_vendor_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: vendor_policy_files,
installable: false,
mls_cats: 1,
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index e418549..5ce168c 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -20767,6 +20767,7 @@
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
+ -hal_tv_tuner_server
} self:{ capability cap_userns } { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -20789,6 +20790,7 @@
-hal_uwb_vendor_server
-hal_nlinterceptor_server
-hal_bluetooth_server
+ -hal_tv_tuner_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -20802,6 +20804,7 @@
-hal_telephony_server
-hal_nlinterceptor_server
-hal_bluetooth_server
+ -hal_tv_tuner_server
} {
domain
@@ -46100,24 +46103,12 @@
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
-neverallow {
- domain
- -bpfloader
- -gpuservice
- -hal_health_server
- -mediaprovider_app
- -netd
- -netutils_wrapper
- -network_stack
- -system_server
- -uprobestats
-} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
diff --git a/prebuilts/api/202404/Android.bp b/prebuilts/api/202404/Android.bp
index c0fb5a2..bca377e 100644
--- a/prebuilts/api/202404/Android.bp
+++ b/prebuilts/api/202404/Android.bp
@@ -1,4 +1,33 @@
-// Automatically generated file, do not edit!
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "202404_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "202404",
+}
+
+se_policy_cil {
+ name: "202404_reqd_policy_mask.cil",
+ src: ":202404_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
se_policy_conf {
name: "202404_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
@@ -8,12 +37,13 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "202404",
}
se_policy_cil {
name: "202404_plat_pub_policy.cil",
src: ":202404_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":202404_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
@@ -29,16 +59,25 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "202404",
}
se_policy_cil {
name: "202404_product_pub_policy.cil",
src: ":202404_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":202404_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "202404_plat_pub_versioned.cil",
+ base: ":202404_product_pub_policy.cil",
+ target_policy: ":202404_product_pub_policy.cil",
+ version: "202404",
+ installable: false,
+}
+
se_policy_conf {
name: "202404_plat_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
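Review bot: The new `se_versioned_policy` is named `202404_plat_pub_versioned.cil`, but its `base` and `target_policy` both point at `:202404_product_pub_policy.cil`, which reads like a copy-paste slip to anyone who has not seen the removed generator. The `createPlatPubVersionedModule` function deleted from build/soong/compat_cil.go built the equivalent module from the plat, system_ext and product public sources plus the reqd mask, so the choice looks intentional. A one-line comment would record it, for example `// Versioned from product_pub (plat + system_ext + product public policy), as the former generated module was.` The same block is added to prebuilts/api/29.0 through 34.0/Android.bp and would benefit from the same comment.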
@@ -52,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "202404",
}
se_policy_cil {
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
index 8acca29..e835288 100644
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "29.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "29",
+}
+
+se_policy_cil {
+ name: "29.0_reqd_policy_mask.cil",
+ src: ":29.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "29.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "29",
}
se_policy_cil {
name: "29.0_plat_pub_policy.cil",
src: ":29.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":29.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "29.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.system_ext_public_29.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "29",
}
se_policy_cil {
name: "29.0_product_pub_policy.cil",
src: ":29.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":29.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "29.0_plat_pub_versioned.cil",
+ base: ":29.0_product_pub_policy.cil",
+ target_policy: ":29.0_product_pub_policy.cil",
+ version: "29.0",
+ installable: false,
+}
+
se_policy_conf {
name: "29.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.plat_private_29.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "29",
}
se_policy_cil {
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
index 6f3254d..df13756 100644
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "30.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "30",
+}
+
+se_policy_cil {
+ name: "30.0_reqd_policy_mask.cil",
+ src: ":30.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "30.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "30",
}
se_policy_cil {
name: "30.0_plat_pub_policy.cil",
src: ":30.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":30.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "30.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.system_ext_public_30.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "30",
}
se_policy_cil {
name: "30.0_product_pub_policy.cil",
src: ":30.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":30.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "30.0_plat_pub_versioned.cil",
+ base: ":30.0_product_pub_policy.cil",
+ target_policy: ":30.0_product_pub_policy.cil",
+ version: "30.0",
+ installable: false,
+}
+
se_policy_conf {
name: "30.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.plat_private_30.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "30",
}
se_policy_cil {
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
index caf1c10..ba8d67c 100644
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "31.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "31",
+}
+
+se_policy_cil {
+ name: "31.0_reqd_policy_mask.cil",
+ src: ":31.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "31.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "31",
}
se_policy_cil {
name: "31.0_plat_pub_policy.cil",
src: ":31.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":31.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "31.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.system_ext_public_31.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "31",
}
se_policy_cil {
name: "31.0_product_pub_policy.cil",
src: ":31.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":31.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "31.0_plat_pub_versioned.cil",
+ base: ":31.0_product_pub_policy.cil",
+ target_policy: ":31.0_product_pub_policy.cil",
+ version: "31.0",
+ installable: false,
+}
+
se_policy_conf {
name: "31.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.plat_private_31.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "31",
}
se_policy_cil {
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
index 9a2b4e2..053e094 100644
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "32.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "32",
+}
+
+se_policy_cil {
+ name: "32.0_reqd_policy_mask.cil",
+ src: ":32.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "32.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "32",
}
se_policy_cil {
name: "32.0_plat_pub_policy.cil",
src: ":32.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":32.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "32.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.system_ext_public_32.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "32",
}
se_policy_cil {
name: "32.0_product_pub_policy.cil",
src: ":32.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":32.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "32.0_plat_pub_versioned.cil",
+ base: ":32.0_product_pub_policy.cil",
+ target_policy: ":32.0_product_pub_policy.cil",
+ version: "32.0",
+ installable: false,
+}
+
se_policy_conf {
name: "32.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.plat_private_32.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "32",
}
se_policy_cil {
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
index 0a01a44..0824e9c 100644
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "33.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "33",
+}
+
+se_policy_cil {
+ name: "33.0_reqd_policy_mask.cil",
+ src: ":33.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "33.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "33",
}
se_policy_cil {
name: "33.0_plat_pub_policy.cil",
src: ":33.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":33.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "33.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.system_ext_public_33.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "33",
}
se_policy_cil {
name: "33.0_product_pub_policy.cil",
src: ":33.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":33.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "33.0_plat_pub_versioned.cil",
+ base: ":33.0_product_pub_policy.cil",
+ target_policy: ":33.0_product_pub_policy.cil",
+ version: "33.0",
+ installable: false,
+}
+
se_policy_conf {
name: "33.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.plat_private_33.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "33",
}
se_policy_cil {
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
index b3be5bb..efd3c25 100644
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "34.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "34",
+}
+
+se_policy_cil {
+ name: "34.0_reqd_policy_mask.cil",
+ src: ":34.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "34.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "34",
}
se_policy_cil {
name: "34.0_plat_pub_policy.cil",
src: ":34.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":34.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "34.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.system_ext_public_34.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "34",
}
se_policy_cil {
name: "34.0_product_pub_policy.cil",
src: ":34.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":34.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "34.0_plat_pub_versioned.cil",
+ base: ":34.0_product_pub_policy.cil",
+ target_policy: ":34.0_product_pub_policy.cil",
+ version: "34.0",
+ installable: false,
+}
+
se_policy_conf {
name: "34.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.plat_private_34.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "34",
}
se_policy_cil {
diff --git a/private/access_vectors b/private/access_vectors
index 7a280c5..9d82ac8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -139,8 +139,8 @@
block_suspend
audit_read
perfmon
- checkpoint_restore
- bpf
+ starting_at_board_api(202504, `checkpoint_restore')
+ starting_at_board_api(202504, `bpf')
}
#
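Review bot: The two guarded permissions need a comment, because a rule that names `bpf` or `checkpoint_restore` in this class will presumably stop compiling for any policy built with a board API level below 202504. The prebuilts touched in this change set `board_api_level` to values such as "202404" and "29". A line above the two entries such as `# Only defined from board API level 202504; guard rules that use these permissions the same way.` would make the dependency visible. The enclosing class definition starts above the hunk, so which class this is cannot be confirmed from here.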
diff --git a/private/artd.te b/private/artd.te
index e6a6aaa..bc4a7a2 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -4,6 +4,9 @@
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
+# All types of artd subprocesses, which artd can kill.
+attribute artd_subprocess_type;
+
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
@@ -131,7 +134,7 @@
domain_auto_trans(artd, dex2oat_exec, dex2oat)
# Allow sending sigkill to subprocesses.
-allow artd { profman dex2oat }:process sigkill;
+allow artd artd_subprocess_type:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
@@ -159,9 +162,6 @@
domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
domain_auto_trans(artd, odrefresh_exec, odrefresh)
-# Allow sending sigkill to subprocesses.
-allow artd { derive_classpath odrefresh }:process sigkill;
-
# Allow accessing Pre-reboot Dexopt files.
allow artd pre_reboot_dexopt_file:dir { getattr search };
@@ -185,3 +185,15 @@
# Never allow running other binaries without a domain transition.
# The exception for art_exec_exec is explained above.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
+
+# Make sure artd_subprocess_type is complete, in a sense that it includes all
+# types of artd subprocesses.
+neverallow artd ~{artd_subprocess_type crash_dump}:process transition;
+
+# artd uses process groups to manage subprocesses and kill them. To ensure
+# successful kill, we need to prevent subprocesses from changing their
+# process groups or transitioning to other domains.
+# Transitioning crash_dump is allowed because it is transient and is only used
+# upon crashes.
+neverallow artd_subprocess_type self:process setpgid;
+neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process transition;
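Review bot: The comment above the last two neverallows promises more than the rules enforce. They cover `setpgid` and `transition`, but `dyntransition` is a separate process permission that is not named here, and a process that starts a new session with setsid() also leaves its process group, which to my knowledge has no process-class permission to deny. If `dyntransition` is not already forbidden for these domains elsewhere, the last rule could read `neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process { transition dyntransition };`. The comment should also say that these rules remove the policy-controlled ways of leaving the group, so that nobody treats process-group kill as a hard guarantee.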
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 53ee8ff..f102b02 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1,3 +1,12 @@
;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
;; will be compiled along with other normal policy files, on 33.0 vendors.
;;
+
+;; This type may or may not already exist in vendor policy. The 202404 sepolicy
+;; (well, the 24Q1 release) added hidraw_device, but existing vendor policy
+;; may still label the relevant devices with the old label.
+(type vendor_hidraw_device)
+(typeattributeset dev_type (vendor_hidraw_device))
+
+(allow system_server vendor_hidraw_device (dir (open getattr read search ioctl lock watch watch_reads)))
+(allow system_server vendor_hidraw_device (chr_file (getattr open read ioctl lock map watch watch_reads append write)))
\ No newline at end of file
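Review bot: The added comment explains why `vendor_hidraw_device` is declared, but not where the two permission lists come from. The `allow` rules give system_server `write`, `append` and `ioctl` on character devices carrying a label that vendor policy assigns. Please state which ToT rule they mirror (presumably system_server's access to `hidraw_device`) so that a later change to one is carried to the other, for example `;; Keep in sync with system_server's hidraw_device rules.` The file also now ends without a trailing newline.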
diff --git a/private/coredomain.te b/private/coredomain.te
index d89e9ca..93cbff5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -55,7 +55,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
@@ -73,7 +72,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
@@ -96,7 +94,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
@@ -117,7 +114,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 8dd6572..d7c29c2 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -1,6 +1,6 @@
# Domain for derive_classpath
-type derive_classpath, domain, coredomain;
+type derive_classpath, domain, coredomain, artd_subprocess_type;
type derive_classpath_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_classpath)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 18600d8..3a841ce 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, coredomain;
+type dex2oat, domain, coredomain, artd_subprocess_type;
type dex2oat_exec, system_file_type, exec_type, file_type;
userfaultfd_use(dex2oat)
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index ca715c1..4c87f99 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,60 +1,3 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+# Deprecated file type for the legacy dexoptanalyzer binary, used by Android T-. We need to keep it
+# for compatibility because the file type is burnt into the apex image.
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
-type dexoptanalyzer_tmpfs, file_type;
-
-r_dir_file(dexoptanalyzer, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dexoptanalyzer, vendor_app_file)
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
-tmpfs_domain(dexoptanalyzer)
-
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
-allow dexoptanalyzer installd:fd use;
-allow dexoptanalyzer installd:fifo_file { getattr write };
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dexoptanalyzer system_file:file lock;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-
-# dexoptanalyzer checks the DM files next to dex files. We don't need this check
-# for secondary dex files, but it's not harmful. Just deny it and ignore it.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
-
-# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 4cf9138..94f96d9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -15,12 +15,12 @@
setsched
getsession
getpgid
- setpgid
getcap
setcap
getattr
setrlimit
};
+allow { domain -artd_subprocess_type } self:process setpgid;
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
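Review bot: The new `allow { domain -artd_subprocess_type } self:process setpgid;` line has no comment saying why `setpgid` was split out of the common self:process rule. The reason is given only in private/artd.te, so a reader of domain.te has no way to find it. Suggested comment: `# artd kills its subprocesses by process group, so artd_subprocess_type must not change pgid (see neverallow in artd.te).` The allow block that `setpgid` was removed from begins above this hunk.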
@@ -1633,7 +1633,6 @@
-appdomain
-app_zygote
-artd # compile secondary dex files
- -dexoptanalyzer
-installd
-profman
-rs # spawned by appdomain, so carryover the exception above
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
new file mode 100644
index 0000000..4e332f6
--- /dev/null
+++ b/private/early_virtmgr.te
@@ -0,0 +1,8 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ # Domain for a child process that manages early VMs available before /data mount, on behalf of
+ # its parent.
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+
+ use_bootstrap_libs(early_virtmgr)
+')
diff --git a/private/ferrochrome_app.te b/private/ferrochrome_app.te
new file mode 100644
index 0000000..e12c84c
--- /dev/null
+++ b/private/ferrochrome_app.te
@@ -0,0 +1,11 @@
+type ferrochrome_app, domain;
+typeattribute ferrochrome_app coredomain;
+
+app_domain(ferrochrome_app)
+
+allow ferrochrome_app app_api_service:service_manager find;
+allow ferrochrome_app system_api_service:service_manager find;
+
+# TODO(b/348113995): after remove sysprop usage, we can use just (priv_)app.te
+set_prop(ferrochrome_app, debug_prop);
+get_prop(ferrochrome_app, debug_prop);
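Review bot: `set_prop(ferrochrome_app, debug_prop);` lets this app domain write every property labeled `debug_prop` on all build types, and nothing in the file narrows that. Until b/348113995 is resolved, consider gating the property rules behind userdebug_or_eng if user builds do not need them, or labeling the properties the app actually uses with a dedicated type so it cannot change unrelated debug properties. The `get_prop` line is redundant, since the `set_prop` macro already includes read access. A header comment such as `# Domain for the com.android.virtualization.ferrochrome privileged app.` would also help, because the file currently opens straight on the type declaration.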
diff --git a/private/file.te b/private/file.te
index f8a48cd..d30465b 100644
--- a/private/file.te
+++ b/private/file.te
@@ -38,6 +38,7 @@
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
# /apex/com.android.art/bin/oatdump
+# TODO (b/350628688): Remove this once it's safe to do so.
type oatdump_exec, system_file_type, exec_type, file_type;
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
diff --git a/private/file_contexts b/private/file_contexts
index 76f412a..ce5ed96 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,7 +432,6 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
@@ -462,6 +461,8 @@
# secure-element service: vendor uuid mapping config file
/(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml u:object_r:vendor_uuid_mapping_config_file:s0
+# APEX packages
+/(odm|vendor/odm|vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
# Input configuration
/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
diff --git a/private/hal_neverallows.te b/private/hal_neverallows.te
index 6730c32..3562888 100644
--- a/private/hal_neverallows.te
+++ b/private/hal_neverallows.te
@@ -12,6 +12,7 @@
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
+ -hal_tv_tuner_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
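Review bot: Exempting `hal_tv_tuner_server` from the `net_admin`/`net_raw` capability neverallow looks wider than what the commit grants. The only visible allow for the tuner HAL is `net_domain(hal_tv_tuner_default)` in vendor/hal_tv_tuner_default.te, which gives socket access but neither capability. If the HAL only opens ordinary sockets, drop the exemption from this first list and keep it in the socket neverallows at the two later hunks of this file. Whichever exemptions remain should carry a reason, e.g. `-hal_tv_tuner_server # <why the tuner HAL needs network access>`. The neverallow statements begin outside these hunks, so their full source sets cannot be checked from here.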
@@ -34,6 +35,7 @@
-hal_uwb_vendor_server
-hal_nlinterceptor_server
-hal_bluetooth_server
+ -hal_tv_tuner_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -47,6 +49,7 @@
-hal_telephony_server
-hal_nlinterceptor_server
-hal_bluetooth_server
+ -hal_tv_tuner_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/private/installd.te b/private/installd.te
index 742c897..55e962a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -9,9 +9,6 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
@@ -44,11 +41,6 @@
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read add_name remove_name rename rmdir search write getattr };
-allow installd { dex2oat dexoptanalyzer }:process signal;
-
-# installd kills subprocesses if they time out.
-allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
-
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/netd.te b/private/netd.te
index 37581a6..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -79,13 +79,6 @@
allow netd system_file:file lock;
dontaudit netd system_file:dir write;
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file rw_file_perms;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 899b0d9..97205c2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -1,5 +1,5 @@
# odrefresh
-type odrefresh, domain, coredomain;
+type odrefresh, domain, coredomain, artd_subprocess_type;
type odrefresh_exec, system_file_type, exec_type, file_type;
# Allow odrefresh to create files and directories for on device signing.
@@ -24,12 +24,6 @@
# Allow odrefresh to kill dex2oat if compilation times out.
allow odrefresh dex2oat:process sigkill;
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Allow odrefresh to kill dexoptanalyzer if analysis times out.
-allow odrefresh dexoptanalyzer:process sigkill;
-
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
diff --git a/private/profman.te b/private/profman.te
index af53646..7071334 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1,4 +1,5 @@
typeattribute profman coredomain;
+typeattribute profman artd_subprocess_type;
# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.
diff --git a/private/property_contexts b/private/property_contexts
index 7a27625..7e18be3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -361,7 +361,7 @@
ro.virtual_ab.num_merge_threads u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.num_verify_threads u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.cow_op_merge_size u:object_r:virtual_ab_prop:s0 exact int
-ro.virtual_ab.verify_threshold_block_size u:object_r:virtual_ab_prop:s0 exact int
+ro.virtual_ab.verify_threshold_size u:object_r:virtual_ab_prop:s0 exact int
ro.virtual_ab.verify_block_size u:object_r:virtual_ab_prop:s0 exact int
# OEMs can set this prop at build time to configure how many seconds to delay
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 291e097..907861c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -223,3 +223,4 @@
user=_app fromRunAs=true domain=runas_app levelFrom=user
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.virtualization.ferrochrome domain=ferrochrome_app type=privapp_data_file levelFrom=all
diff --git a/private/shell.te b/private/shell.te
index d613a94..18e3462 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -198,6 +198,14 @@
# Allow shell to execute the remote key provisioning factory tool
binder_call(shell, hal_keymint)
+# Allow shell to run the AVF RKP HAL during the execution of the remote key
+# provisioning factory tool.
+# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
+# a separate process.
+binder_call(shell, virtualizationservice)
+# Allow the shell to inspect whether AVF remote attestation is supported
+# through the system property.
+get_prop(shell, avf_virtualizationservice_prop)
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
@@ -262,6 +270,7 @@
get_prop(shell, build_attestation_prop)
# Allow shell to execute oatdump.
+# TODO (b/350628688): Remove this once it's safe to do so.
allow shell oatdump_exec:file rx_file_perms;
# Allow shell access to socket for test
@@ -359,6 +368,7 @@
-virtual_touchpad_service
-vold_service
-default_android_service
+ -virtualization_service
}:service_manager find;
allow shell dumpstate:binder call;
@@ -488,6 +498,7 @@
hal_keymint_service
hal_secureclock_service
hal_sharedsecret_service
+ virtualization_service
}:service_manager find;
# Do not allow shell to hard link to any files.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 91e9aba..f6f1d9b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -85,6 +85,10 @@
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+# Allow reading and writing to sockets used for BLAST buffer releases
+allow surfaceflinger { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:unix_stream_socket { read write };
+allow surfaceflinger bootanim:unix_stream_socket { read write };
+
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
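Review bot: The comment on the new BLAST rules does not say how surfaceflinger obtains these sockets, nor why isolated, ephemeral and SDK-sandbox apps are excluded from the source set. Only `read write` is granted, which suggests the sockets arrive as passed file descriptors rather than through a connect. If that is the case, the comment should say so, e.g. `# Sockets are passed in as fds by the client; surfaceflinger never connects to them.` A one-line reason for the three exclusions would let a later reader decide whether a new app domain belongs in the set.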
diff --git a/private/system_server.te b/private/system_server.te
index 436cfa7..1c9f732 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1545,10 +1545,6 @@
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index f6dd906..2c5711f 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -16,7 +16,7 @@
allow uprobestats sysfs_uprobe:dir { search };
# Allow uprobestats to popen oatdump.
-allow uprobestats oatdump_exec:file rx_file_perms;
+allow uprobestats system_file:file rx_file_perms;
# Allow uprobestats to write atoms to statsd
unix_socket_send(uprobestats, statsdw, statsd)
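Review bot: The rule under `# Allow uprobestats to popen oatdump.` now grants read and execute on every file labeled `system_file`, not on oatdump alone, while the comment still describes the narrower intent. Presumably this is because oatdump falls back to `system_file` once its entry is dropped from apex/com.android.art-file_contexts. Since `rx_file_perms` includes `execute_no_trans`, uprobestats can now run any such binary inside its own domain. At minimum the comment should record the wider grant, e.g. `# oatdump no longer has its own label (b/350628688); this grants rx on all of system_file.` It is also worth checking whether a narrower label for the one binary uprobestats needs is feasible.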
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 6b3be0c..0faf0c5 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -30,6 +30,7 @@
# Allow virtual_camera to use fd from surface flinger
allow virtual_camera surfaceflinger:fd use;
+allow virtual_camera surfaceflinger:binder call;
# Only allow virtual_camera to add a virtual_camera_service and no one else.
add_service(virtual_camera, virtual_camera_service);
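Review bot: The added `allow virtual_camera surfaceflinger:binder call;` sits under the comment about using fds from surfaceflinger and has no explanation of its own. A line such as `# Allow virtual_camera to call surfaceflinger over binder (<reason>).` above it would let the grant be audited later. If replies that carry binder references or fds are expected, the `binder_call(virtual_camera, surfaceflinger)` macro used elsewhere in the policy also covers the transfer and fd rules. The raw `call` is the narrower choice if they are not needed.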
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 745ab13..4b88206 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -382,7 +382,6 @@
char *p, *start;
int result;
- int non_comment_len = 0, cur_non_comment_len = 0;
char *cur_non_comment_text = calloc(1, (end - text) + 1);
char *non_comment_text = cur_non_comment_text;
if (!cur_non_comment_text)
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index e11d4dd..5e149a6 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -11,3 +11,6 @@
# Allow servicemanager to notify hal_tv_tuner_default clients status
binder_use(hal_tv_tuner_default)
+
+# Allow network communication
+net_domain(hal_tv_tuner_default)
\ No newline at end of file
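Review bot: `net_domain(hal_tv_tuner_default)` gives the default tuner HAL general network socket access, but the comment `# Allow network communication` does not say what traffic the HAL needs. Stating the use case, e.g. `# Allow network communication for <use case>`, would let the matching neverallow exemptions in private/hal_neverallows.te be reviewed against it. The file also ends without a trailing newline.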