Merge "[incfs] Allow everyone read the IncFS sysfs features"
diff --git a/OWNERS b/OWNERS
index d7cde74..a0326af 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,6 +2,7 @@
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
+inseob@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index fe91fa2..4703eba 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 88c07fa..5de6122 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -44,7 +44,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 230fdc3..5cc73f9 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -87,6 +87,15 @@
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
+
+ // TODO(b/183362912): Patch secilc to handle empty cil files.
+ // Put a header so that the generated cil mustn't be empty.
+ header := android.PathForModuleGen(ctx, c.Name()+"_header")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
+ rule.Build(c.Name()+"_header", "Generate cil header")
+ srcPaths = append(android.Paths{header}, srcPaths...)
+
ctx.Build(pctx, android.BuildParams{
Rule: android.Cat,
Inputs: srcPaths,
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 700f8e0..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
@@ -80,12 +80,12 @@
return fg.systemReqdMaskSrcs
}
-// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
return fg.systemExtPublicSrcs
}
-// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
return fg.systemExtPrivateSrcs
}
diff --git a/private/apexd.te b/private/apexd.te
index b94970b..862bab9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -52,6 +52,9 @@
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
diff --git a/private/app.te b/private/app.te
index 0c81515..126f11f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -34,6 +34,9 @@
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/bootanim.te b/private/bootanim.te
index 41c9179..cc6e0db 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -10,3 +10,5 @@
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
+
+get_prop(bootanim, bootanim_config_prop)
\ No newline at end of file
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1599a3e..98d5840 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -211,6 +211,7 @@
vndk_prop
vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 202baaf..9fda88e 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -227,6 +227,7 @@
vndk_prop
vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index fb0fa44..0fb0a1c 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1206,7 +1206,10 @@
(typeattributeset exported2_system_prop_29_0
( exported2_system_prop
surfaceflinger_color_prop))
-(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_29_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 2b2b04a..c7a84ff 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1299,6 +1299,7 @@
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
(typeattributeset default_prop_30_0 (
default_prop
+ audio_config_prop
build_config_prop
suspend_prop
init_service_status_private_prop
@@ -1377,7 +1378,10 @@
dalvik_runtime_prop
surfaceflinger_color_prop
zram_control_prop))
-(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_30_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
(typeattributeset exported3_default_prop_30_0
( exported3_default_prop
camera_calibration_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e5681de..e479f33 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -18,6 +18,8 @@
appcompat_data_file
arm64_memtag_prop
authorization_service
+ bootanim_config_prop
+ camerax_extensions_prop
cgroup_desc_api_file
cgroup_v2
codec2_config_prop
@@ -25,6 +27,7 @@
debugfs_kprobes
debugfs_mm_events_tracing
debugfs_bootreceiver_tracing
+ debugfs_restriction_prop
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
device_config_swcodec_native_prop
@@ -83,6 +86,7 @@
odsign_data_file
odsign_exec
pac_proxy_service
+ permission_checker_service
people_service
persist_vendor_debug_wifi_prop
postinstall_dexopt_exec
@@ -113,6 +117,8 @@
snapuserd_socket
soc_prop
speech_recognition_service
+ sysfs_devfreq_cur
+ sysfs_devfreq_dir
sysfs_devices_cs_etm
sysfs_dma_heap
sysfs_dmabuf_stats
@@ -125,7 +131,9 @@
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
+ uwb_service
vcn_management_service
+ vd_device
vendor_kernel_modules
vibrator_manager_service
virtualization_service
diff --git a/private/crosvm.te b/private/crosvm.te
new file mode 100644
index 0000000..5d7080a
--- /dev/null
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/private/file.te b/private/file.te
index 984a7b6..a024600 100644
--- a/private/file.te
+++ b/private/file.te
@@ -51,8 +51,14 @@
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/odrefresh
+type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/kvm
+type kvm_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 3786147..b3b7789 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -88,6 +88,7 @@
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
@@ -125,6 +126,7 @@
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -189,6 +191,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
@@ -403,8 +406,6 @@
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
#############################
# OEM and ODM files
#
@@ -599,6 +600,7 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
+/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index e6a395a..8a13cb1 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -183,7 +183,10 @@
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
-neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
+neverallow {
+ appdomain
+ -shell
+} gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
diff --git a/private/init.te b/private/init.te
index 2627add..99afd84 100644
--- a/private/init.te
+++ b/private/init.te
@@ -66,6 +66,10 @@
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
@@ -89,3 +93,12 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
diff --git a/private/keystore.te b/private/keystore.te
index aa902d5..3fccf59 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,10 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
+# Allow keystore to register callbacks with statsd.
+allow keystore stats_service:service_manager find;
+binder_call(keystore, statsd);
+
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 5695cc3..3833971 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -16,10 +16,13 @@
# odsign_key is a keystore2_key namespace for the on-device signing daemon.
101 u:object_r:odsign_key:s0
-# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103 u:object_r:locksettings_key:s0
+
# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
120 u:object_r:resume_on_reboot_key:s0
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 8d33d5d..2f97608 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -14,6 +14,9 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 978ae2a..78bbdb0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -24,6 +24,7 @@
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider cameraserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
diff --git a/private/network_stack.te b/private/network_stack.te
index 9a22a19..09a98b5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -23,7 +23,9 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
+allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
+allow network_stack system_config_service:service_manager find;
allow network_stack radio_data_file:dir create_dir_perms;
allow network_stack radio_data_file:file create_file_perms;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index e6b1023..3ae35fc 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -7,6 +7,10 @@
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
allow odrefresh apex_art_data_file:file create_file_perms;
+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
userfaultfd_use(odrefresh)
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
@@ -36,3 +40,11 @@
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, exported_system_prop)
diff --git a/private/property.te b/private/property.te
index d6533e8..267ff85 100644
--- a/private/property.te
+++ b/private/property.te
@@ -298,7 +298,8 @@
neverallow {
domain
- -init
+ -coredomain
+ -vendor_init
} {
suspend_prop
}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index c7d6743..70f8b9c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -303,8 +303,9 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
-ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
+ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
@@ -323,6 +324,8 @@
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
# Should always_debuggable be bool? It's checked against the string "1".
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
@@ -422,12 +425,16 @@
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
@@ -553,7 +560,7 @@
tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
-vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
+vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
@@ -635,6 +642,8 @@
ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
ro.boot.mode u:object_r:bootloader_prop:s0 exact string
+# Populated on Android Studio Emulator (for emulator specific workarounds)
+ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool
ro.boot.revision u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
@@ -800,6 +809,9 @@
ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
+ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
+
# All vendor build props are set by /vendor/build.prop
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
@@ -950,6 +962,8 @@
ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
+# ro.kernel.* properties are emulator specific and deprecated. Do not use.
+# Should be retired once presubmit allows.
ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
@@ -1152,3 +1166,6 @@
# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
# to detect failures where hard linking should work otherwise
persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
+
+# bootanimation properties
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
\ No newline at end of file
diff --git a/private/service_contexts b/private/service_contexts
index a4179b5..c9c6aef 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -200,6 +200,7 @@
performance_hint u:object_r:hint_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
+permission_checker u:object_r:permission_checker_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
@@ -284,6 +285,7 @@
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
+uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
diff --git a/private/shell.te b/private/shell.te
index 66e2d4d..5831d54 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -194,3 +194,6 @@
# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+
+# Allow ReadDefaultFstab() for CTS.
+read_fstab(shell)
diff --git a/private/stats.te b/private/stats.te
index 9b9d4ba..db29072 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,7 @@
-gmscore_app
-gpuservice
-incidentd
+ -keystore
-mediametrics
-platform_app
-priv_app
diff --git a/private/system_app.te b/private/system_app.te
index 58322b8..48d5f9d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -21,9 +21,6 @@
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
diff --git a/private/system_server.te b/private/system_server.te
index 729f835..1d3cf09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -902,6 +902,16 @@
use
};
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -1267,6 +1277,10 @@
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
+# Allow system server read and remove files under /data/misc/odrefresh
+allow system_server odrefresh_data_file:dir rw_dir_perms;
+allow system_server odrefresh_data_file:file { r_file_perms unlink };
+
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;
diff --git a/private/traced.te b/private/traced.te
index aa16966..6e3ad46 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,7 +3,6 @@
# type traced is defined under /public (because iorapd rules
# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
-type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index da9c635..2c4ee9d 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -82,6 +82,10 @@
proc_stat
}:file r_file_perms;
+# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
+allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
+allow traced_probes sysfs_devfreq_cur:file r_file_perms;
+
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d57939b..6064c14 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -84,10 +84,6 @@
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 83f001d..2e616f3 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -8,3 +8,13 @@
# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -kvm_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/private/virtmanager.te b/private/virtmanager.te
index b2331d4..467f7d4 100644
--- a/private/virtmanager.te
+++ b/private/virtmanager.te
@@ -1,8 +1,17 @@
type virtmanager, domain, coredomain;
type virtmanager_exec, system_file_type, exec_type, file_type;
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
init_daemon_domain(virtmanager)
+# Let the virtmanager domain use Binder.
binder_use(virtmanager)
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
diff --git a/private/vold.te b/private/vold.te
index d794abf..a802bdb 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -23,6 +23,7 @@
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
diff --git a/public/app.te b/public/app.te
index af19d10..ae8d7fd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -592,3 +592,6 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/device.te b/public/device.te
index 16cc492..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -17,6 +17,7 @@
type radio_device, dev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
+type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
diff --git a/public/file.te b/public/file.te
index 174a149..c31bb9d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -86,6 +86,8 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
index cb7c01d..4938a16 100644
--- a/public/hal_health_storage.te
+++ b/public/hal_health_storage.te
@@ -6,3 +6,6 @@
hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
hal_attribute_service(hal_health_storage, hal_health_storage_service)
+
+# Allow ReadDefaultFstab().
+read_fstab(hal_health_storage_server)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 416448a..4eb8bb2 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -33,4 +33,6 @@
hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
binder_call(hal_neuralnetworks_server, servicemanager)
+binder_use(hal_neuralnetworks_server)
+
allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/public/init.te b/public/init.te
index 1287ca3..893573e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -320,14 +320,6 @@
zero_device
}:chr_file { read open };
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -keychord_device
- -port_device
-}:chr_file setattr;
-
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 62c4e66..d1c20b2 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
define(`BINDER_FREEZE', `0x400c620e')
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
@@ -191,6 +192,7 @@
define(`BR_INCREFS', `0x80107207')
define(`BR_NOOP', `0x0000720c')
define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
define(`BR_RELEASE', `0x80107209')
define(`BR_REPLY', `0x80407203')
define(`BR_SPAWN_LOOPER', `0x0000720d')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 52208c7..47a5157 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -72,5 +72,5 @@
BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
}')
diff --git a/public/property.te b/public/property.te
index 8cae47c..6861d89 100644
--- a/public/property.te
+++ b/public/property.te
@@ -87,7 +87,6 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-system_restricted_prop(suspend_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -117,15 +116,18 @@
system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
@@ -150,6 +152,7 @@
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
system_vendor_config_prop(tombstone_config_prop)
@@ -205,6 +208,7 @@
system_public_prop(system_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
diff --git a/public/service.te b/public/service.te
index 0b4f8e9..4012fca 100644
--- a/public/service.te
+++ b/public/service.te
@@ -165,6 +165,7 @@
type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_stats_service, app_api_service, system_server_service, service_manager_type;
@@ -220,6 +221,7 @@
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index baf05d4..670f4c7 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,10 @@
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
# Allow statsd to interact with mediametrics
allow statsd mediametrics_service:service_manager find;
binder_call(statsd, mediametrics)
diff --git a/public/traced.te b/public/traced.te
index ec5b850..922d46e 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,2 +1,3 @@
type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 25d0dcb..ae523b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -155,15 +155,6 @@
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
-
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
@@ -223,6 +214,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
@@ -252,6 +244,7 @@
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
set_prop(vendor_init, zram_control_prop)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 785f4cb..12e5d9f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -85,6 +85,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################