Merge "HDMI: Refactor HDMI packages"
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index abf0085..7b81ab8 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -4,3 +4,4 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index cc712ff..9c13bd5 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crosvm u:object_r:crosvm_exec:s0
/bin/fd_server u:object_r:fd_server_exec:s0
+/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 463a978..6a971da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -247,11 +247,21 @@
rule := android.NewRuleBuilder(pctx, ctx)
+ newlineFile := android.PathForModuleGen(ctx, "newline")
+
+ rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
+ rule.Temporary(newlineFile)
+
+ var inputsWithNewline android.Paths
+ for _, input := range inputs {
+ inputsWithNewline = append(inputsWithNewline, input, newlineFile)
+ }
+
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
- Inputs(inputs).
+ Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
if proptools.Bool(m.properties.Remove_comment) {
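Review bot: The newline-interleaving loop at L32-35 carries no comment saying why every input is followed by a newline file, and the reason is the security-relevant part: m4 concatenates the inputs, so a contexts file that lacks a trailing newline would presumably fuse its last entry with the first entry of the next file, silently losing or mislabeling both. I would put above the loop `// m4 concatenates its inputs; interleave a newline file so a contexts file without a trailing newline cannot merge its last entry with the next file's first entry.` The slice can also be pre-sized since its final length is known, `inputsWithNewline := make(android.Paths, 0, 2*len(inputs))`. The enclosing function starts before and ends after this hunk.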
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 63e3f7a..f7176e8 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -33,6 +33,7 @@
"android.hardware.audio.core.IModule/stub": EXCEPTION_NO_FUZZER,
"android.hardware.audio.core.IModule/usb": EXCEPTION_NO_FUZZER,
"android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.sounddose.ISoundDoseFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
"android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
@@ -127,6 +128,7 @@
"android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
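Review bot: The new `android.frameworks.cameraservice.service.ICameraService/default` entry at L61 is inserted among the `android.hardware.wifi.*` keys, while the map otherwise keeps the `android.frameworks.*` entries together (sensorservice and stats sit right below it) and service_contexts in this same change places it first. Moving the line up next to `"android.frameworks.sensorservice.ISensorManager/default"` keeps the two files in the same order and makes the EXCEPTION_NO_FUZZER opt-out easier to spot in later audits.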
@@ -249,6 +251,7 @@
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
"gnss_time_update_service": EXCEPTION_NO_FUZZER,
+ "grammatical_inflection": EXCEPTION_NO_FUZZER,
"graphicsstats": EXCEPTION_NO_FUZZER,
"gpu": EXCEPTION_NO_FUZZER,
"hardware": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d300679..13e359a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -233,6 +233,9 @@
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
@@ -323,6 +326,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
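Review bot: Excluding prng_seeder from the domain set at L90 lifts the entire `*` neverallow for it, although the daemon only needs `{ read open }` (the matching allow in prng_seeder.te in this change grants exactly that). A narrower carve-out keeps the invariant checkable at build time: keep `-prng_seeder` here and add `neverallow prng_seeder hw_random_device:chr_file ~{ open read getattr };` so a later widening to write or ioctl on the HW RNG trips a neverallow instead of slipping through.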
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index da54361..6f037a3 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -24,3 +24,6 @@
type encryptedstore_file, file_type;
type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
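Review bot: The comment at L102 doubles a word: `Filesystem entry for for PRNG seeder socket.` should read `Filesystem entry for the PRNG seeder socket.` Naming the path the type is bound to would also help the next reader, e.g. `# Filesystem entry for the PRNG seeder socket (/dev/socket/prng_seeder).`, which is the binding file_contexts adds in this change.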
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 0ccb250..8d9ad85 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -66,6 +66,7 @@
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
@@ -120,6 +121,7 @@
/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775e..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@
set_prop(init, property_type)
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index baf8366..a5b71f0 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -31,6 +31,9 @@
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
allow microdroid_manager self:global_capability_class_set sys_admin;
+# Allow microdroid_manager to remove capabilities from it's capability bounding set.
+allow microdroid_manager self:global_capability_class_set setpcap;
+
# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
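Review bot: The comment at L141 should say `its capability bounding set` (`it's` is "it is"). It would also help to say when the bounding set is trimmed — presumably before the payload is launched through the `domain_auto_trans` rules just below, since `setpcap` is the only new permission — but that sequence is not visible in this diff, so state it only if it matches microdroid_manager's code.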
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 0000000..ab4e275
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# prng_seeder is using bootstrap bionic
+use_bootstrap_libs(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
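Review bot: `ioctl` on kmsg_debug_device at L169 is granted without an `allowxperm`, so every ioctl command on the device is allowed; if the daemon only writes log lines, `allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr };` is enough, and if it does issue a particular ioctl it should be pinned with an `allowxperm prng_seeder kmsg_debug_device:chr_file ioctl { … };` naming just that command. The hw_random_device rule at L168 is appropriately minimal, and it would be worth saying in the header comment that this daemon is the seeding source for every other domain (the `unix_socket_connect(domain, ...)` rule in domain.te), since that is what makes its own permission set worth keeping this small.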
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c2a3f4c..0d5786c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,7 +1,6 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+# microdroid uses far fewer properties than normal Android, so almost
+# every property is listed as an exact entry.
debug. u:object_r:debug_prop:s0 prefix
persist.debug. u:object_r:debug_prop:s0 prefix
@@ -119,6 +118,7 @@
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
+microdroid_manager.extra_apk.mounted. u:object_r:microdroid_manager_zipfuse_prop:s0 prefix bool
microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index b5aa501..767bfe3 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
prng_seeder
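Review bot: `prng_seeder` already appears three lines below the insertion point (the context line after `proc_watermark_scale_factor`), so after this change the list names the type twice; the added line should be dropped. This file also lives under prebuilts/api/33.0, the frozen 33.0 snapshot, so it is worth confirming that it should be edited at all rather than only private/compat/32.0/32.0.ignore.cil, where the same entry is added in this change without a duplicate. Whether secilc rejects a repeated name in this set or silently accepts it, I cannot tell from here.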
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 4eda4a1..db71be4 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -347,6 +347,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# spatializer tuning
+audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
diff --git a/prebuilts/api/33.0/public/hal_audio.te b/prebuilts/api/33.0/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/prebuilts/api/33.0/public/hal_audio.te
+++ b/prebuilts/api/33.0/public/hal_audio.te
@@ -23,6 +23,9 @@
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
# allow hal audio to use vnbinder
vndbinder_use(hal_audio)
diff --git a/private/app.te b/private/app.te
index ae8b206..8838782 100644
--- a/private/app.te
+++ b/private/app.te
@@ -95,8 +95,9 @@
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
+# Exception for virtualizationmanager to allow running VMs as child processes.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs }:process { transition };
+ { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
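Review bot: The new exception at L238 lets every app domain except shell/su transition into virtualizationmanager, a domain that elsewhere in this change can read and write `app_data_file`, `privapp_data_file` and `shell_data_file` and search `staging_data_file`, and the comment does not say whether covering all app domains is intended or only the ones that run VMs. If only specific app domains are expected to exec virtmgr, narrowing the exception to those, or pairing it with `neverallow { appdomain -<vm-capable domains> } virtualizationmanager_exec:file no_x_file_perms;`, keeps the rest of the app domain set from gaining a new transition target. The `domain_auto_trans` rule that actually performs the transition is not in this hunk, so I cannot confirm which app domains receive it. Leaving the `dyntransition` neverallow below untouched is right.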
diff --git a/private/artd.te b/private/artd.te
index 88094e7..c887258 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -71,8 +71,9 @@
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
-# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_root_file:dir { getattr search };
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
+# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
+allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
@@ -94,6 +95,26 @@
# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)
+# Allow scanning /, for cleaning up obsolete managed files.
+allow artd rootfs:dir r_dir_perms;
+
+# Allow scanning /data, for cleaning up obsolete managed files.
+allow artd system_data_root_file:dir r_dir_perms;
+
+# Allow scanning /mnt, for cleaning up obsolete managed files.
+allow artd tmpfs:dir r_dir_perms;
+
+# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
+allow artd mnt_expand_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
+# up obsolete managed files.
+allow artd system_userdir_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
+# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
+allow artd system_data_file:dir r_dir_perms;
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
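Review bot: The new rules at L259-276 grant `r_dir_perms`, which includes `read` (directory enumeration), on rootfs, tmpfs, system_data_root_file and system_data_file — some of the broadest directory labels in the policy — while the comments describe these as directories that are traversed on the way to profile directories, and traversal needs only `search`. If the cleanup walks from fixed paths, the ancestor labels can be reduced to `allow artd { rootfs tmpfs system_data_root_file mnt_expand_file }:dir search;` with `r_dir_perms` kept only for the labels that are actually enumerated; which ones those are is not visible here, so please confirm against artd's cleanup code. Since the walk crosses directories maintained by other components and ends in file deletion, the comment should also state that the walk does not follow symlinks, if that is what the code does.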
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 50e3be7..d810e0a 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
remotelyprovisionedkeypool_service
resources_manager_service
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 8b623e8..11bff79 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -13,7 +13,9 @@
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
devicelock_service
+ fwk_camera_service
fwk_sensor_service
+ grammatical_inflection_service
hal_bluetooth_service
hal_bootctl_service
hal_cas_service
diff --git a/private/crosvm.te b/private/crosvm.te
index d4d29b0..c682bb5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,10 +14,10 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -36,11 +36,14 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
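Review bot: `ipc_lock` at L325 lets crosvm pin memory regardless of RLIMIT_MEMLOCK, while virtualizationservice.te in this same change keeps `sys_resource` plus `setrlimit` on virtualizationmanager specifically to lift the memlock limit for the same purpose; one of the two mechanisms looks redundant for crosvm and the comment should say which is relied on. If the capability is the intended path, the comment here should note that the amount crosvm can lock is then bounded only by the VM memory size virtualizationmanager requests. I cannot see from the diff whether crosvm inherits the raised rlimit or drops the capability after setup, so confirm before removing either.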
@@ -110,9 +113,9 @@
-shell_data_file
}:file read;
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
- -virtualizationservice
+ -virtualizationmanager
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 2b2619b..e0ba975 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -290,7 +290,7 @@
-apexd
-installd
-priv_app
- -virtualizationservice
+ -virtualizationmanager
} staging_data_file:dir *;
neverallow {
domain
@@ -303,7 +303,7 @@
-installd
-priv_app
-shell
- -virtualizationservice
+ -virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ee59cb7..fe442b3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -30,6 +30,9 @@
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
+# Kill incident in case of a timeout
+allow dumpstate incident:process { signal sigkill };
+
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
diff --git a/private/file.te b/private/file.te
index 134b377..e33469f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -91,7 +91,9 @@
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
# /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# virtualizationmanager, which runs at a more constrained MLS level.
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -100,7 +102,9 @@
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
-type kvm_device, dev_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# crosvm, which runs at a more constrained MLS level.
+type kvm_device, dev_type, mlstrustedobject;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
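Review bot: Marking kvm_device `mlstrustedobject` at L399 exempts /dev/kvm from MLS constraints for every subject, not just crosvm, so after this change the type-enforcement allow rules are the only thing separating app-level domains from the hypervisor device. The comment should say so explicitly, e.g. `# mlstrustedobject disables MLS checks on /dev/kvm for all domains; access is governed solely by the kvm_device allow rules.` Pairing it with a neverallow that limits `kvm_device:chr_file` to crosvm and whichever other domains legitimately open it would restore a build-time bound; which domains those are is not visible here.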
diff --git a/private/property.te b/private/property.te
index cac04d3..dee6369 100644
--- a/private/property.te
+++ b/private/property.te
@@ -432,6 +432,7 @@
-init
-shell
-system_app
+ -system_server
-mtectrl
} {
arm64_memtag_prop
diff --git a/private/property_contexts b/private/property_contexts
index 748148b..f208e52 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -363,6 +363,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# spatializer tuning
+audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
@@ -469,7 +474,6 @@
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -508,6 +512,7 @@
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.core.gap.le.conn.only_init_1m_phy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 9064e5d..21f9b0c 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -16,6 +16,10 @@
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 12310d2..a0e77a2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -213,6 +213,10 @@
allow sdk_sandbox system_linker_exec:file execute_no_trans;
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
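Review bot: L463-464 give the SDK sandbox unconditional read access to shell_data_file — everything under /data/local/tmp — on all build types, and the comment justifies it only with CTS. That directory also holds whatever developers and tools push over adb, so the comment should record the actual rationale for the broader exposure, e.g. `# Read-only access to /data/local/tmp (shell_data_file) so CTS can stage test data there; intentionally mirrors the untrusted-app grant.` if that is indeed the reasoning. If the access is only needed on test builds, wrapping the two rules in `userdebug_or_eng()` would be the tighter option, though CTS normally runs on user builds as well, so that may not be viable.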
diff --git a/private/service_contexts b/private/service_contexts
index 9427c42..85cd7cb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.frameworks.cameraservice.service.ICameraService/default u:object_r:fwk_camera_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
@@ -11,6 +12,7 @@
android.hardware.audio.core.IModule/stub u:object_r:hal_audio_service:s0
android.hardware.audio.core.IModule/usb u:object_r:hal_audio_service:s0
android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
@@ -228,6 +230,7 @@
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
gnss_time_update_service u:object_r:gnss_time_update_service:s0
+grammatical_inflection u:object_r:grammatical_inflection_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
diff --git a/private/su.te b/private/su.te
index 2496473..cc00e10 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,6 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
+ # Put the virtmgr command into its domain.
+ domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_server.te b/private/system_server.te
index 068999f..53acab0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -763,6 +763,7 @@
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
+set_prop(system_server, arm64_memtag_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -1087,7 +1088,7 @@
allow system_server toolbox_exec:file rx_file_perms;
# Allow system process to setup fs-verity
-allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
# Allow system process to measure fs-verity for apps, apps being installed and system files
allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
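Review bot: The widened `FS_IOC_ENABLE_VERITY` grant at L521 now covers `system_data_file`, the catch-all label for most of /data, and enabling fs-verity on a file is one-way — the file becomes permanently read-only with a measured hash. A bug or compromise in system_server could therefore freeze arbitrary default-labeled files under /data, not only the ones it intends to protect. If the target files live in a specific directory, giving them their own type and listing that type here instead of `system_data_file` keeps the grant scoped, and the comment should name what system_server enables verity on so the next widening is reviewed against the intent.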
@@ -1183,8 +1184,9 @@
# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able create files but it should never read from them.
+# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
+allow system_server profman_dump_data_file:dir rw_dir_perms;
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
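Review bot: `rw_dir_perms` at L530 adds `read` (directory enumeration) along with `getattr`, but the new comment says the directory only needs to be stat'ed and the comment above says system_server should never read from these dumps. `allow system_server profman_dump_data_file:dir { w_dir_perms getattr };` grants exactly what the comment describes.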
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d924187..bef7c6d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -29,6 +29,14 @@
allow system_suspend dumpstate:fd use;
allow system_suspend dumpstate:fifo_file write;
+# Allow init to take kernel wakelock and system suspend to
+# remove kenel wakelocks and the capability to access these
+# files
+allow init sysfs_wake_lock:file rw_file_perms;
+allow init self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+allow system_suspend self:global_capability2_class_set block_suspend;
+
neverallow {
domain
-atrace # tracing
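Review bot: The two `init` rules at L543-544 are placed in system_suspend.te, which makes a capability and sysfs_wake_lock grant for init easy to miss when auditing init.te; moving them to init.te, or at least noting the cross-file placement in the comment, keeps the per-domain files authoritative. The comment also has a typo, `kenel` → `kernel`, and should say what wake lock init takes and when system_suspend releases it, e.g. `# init takes a kernel wakelock during boot and system_suspend later releases it; both need the sysfs wake_lock files and CAP_BLOCK_SUSPEND.` — adjust to what the code actually does, which is not visible here. The neverallow starting at L548 continues past the end of the hunk.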
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
new file mode 100644
index 0000000..4cd32b7
--- /dev/null
+++ b/private/virtualizationmanager.te
@@ -0,0 +1,77 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtualizationmanager, domain, coredomain;
+type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+
+# Allow virtualizationmanager to communicate use, read and write over the adb connection.
+allow virtualizationmanager adbd:fd use;
+allow virtualizationmanager adbd:unix_stream_socket { read write };
+
+# Let the virtualizationmanager domain use Binder.
+binder_use(virtualizationmanager)
+
+# Let virtualizationmanager find and communicate with virtualizationservice.
+allow virtualizationmanager virtualization_service:service_manager find;
+binder_call(virtualizationmanager, virtualizationservice)
+
+# Allow calling into the system server to find native services. "permission_service" to check
+# permissions, and "package_native" for staged apex info.
+binder_call(virtualizationmanager, system_server)
+allow virtualizationmanager { package_native_service permission_service }:service_manager find;
+
+# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
+
+# Let virtualizationmanager kill crosvm.
+allow virtualizationmanager crosvm:process sigkill;
+
+# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
+allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
+allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;
+
+# Let virtualizationmanager read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationmanager apk_data_file:file { getattr read };
+
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationmanager {
+ app_data_file
+ apex_compos_data_file
+ privapp_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationmanager shell_data_file:file { getattr read write };
+
+# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationmanager apex_info_file:file r_file_perms;
+allow virtualizationmanager apex_data_file:dir search;
+allow virtualizationmanager staging_data_file:file r_file_perms;
+allow virtualizationmanager staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
+allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationmanager self:dir write;
+
+# Let virtualizationmanager to accept vsock connection from the guest VMs
+allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationmanager to inspect all hypervisor capabilities.
+get_prop(virtualizationmanager, hypervisor_prop)
+get_prop(virtualizationmanager, hypervisor_restricted_prop)
+
+# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
+unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
+
+# Append ramdumps to tombstone files passed as fds from tombstoned
+allow virtualizationmanager tombstone_data_file:file { append getattr };
+allow virtualizationmanager tombstoned:fd use;
+
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
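Review bot: `r_dir_file(virtualizationmanager, crosvm);` at L629 ends with a stray `;` after the macro call, unlike every other macro invocation in this file (`binder_use`, `get_prop`, `unix_socket_connect`); whether or not checkpolicy tolerates the empty statement left after expansion, drop the semicolon for consistency. The header comment at L557 should also record the MLS point that file.te in this change relies on — that this domain runs at a more constrained MLS level than virtualizationservice — since that is part of why the client-file rules at L590-600 deliberately omit `open`, e.g. `# Runs at the MLS level of the client that spawned it; client files arrive as fds over Binder, so no open permission is granted on them.` Minor grammar at L614: `Let virtualizationmanager to accept` → `Let virtualizationmanager accept`.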
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 883ff56..28982bc 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -1,80 +1,45 @@
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;
+# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
+# the virtualizationmanager domain running at a more constrained MLS level.
+typeattribute virtualizationservice mlstrustedsubject;
+
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
-# ... and host a binder service
-binder_service(virtualizationservice)
-
-# Allow calling into the system server so that it can check permissions.
-binder_call(virtualizationservice, system_server)
-allow virtualizationservice permission_service:service_manager find;
-# Allow virtualizationservice to access "package_native" service for staged apex info.
-allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-
-# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
+# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
+allow virtualizationservice virtualizationmanager:process setrlimit;
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
+# Let virtualizationservice set the owner of a VM's temporary directory.
+allow virtualizationservice self:capability chown;
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+# Let virtualizationservice create and delete temporary directories of VMs. To remove old
+# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-
-# Let virtualizationservice manage crosvm control sockets.
-allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
-# Let virtualizationservice read and write files from its various clients, but not open them
-# directly as they must be passed over Binder by the client.
-allow virtualizationservice apk_data_file:file { getattr read };
-# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice {
- app_data_file
- apex_compos_data_file
- privapp_data_file
-}:file { getattr read write };
-
-# shell_data_file is used for automated tests and manual debugging.
-allow virtualizationservice shell_data_file:file { getattr read write };
-
-# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
-allow virtualizationservice apex_info_file:file r_file_perms;
-allow virtualizationservice apex_data_file:dir search;
-allow virtualizationservice staging_data_file:file r_file_perms;
-allow virtualizationservice staging_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow virtualizationservice derive_classpath_exec:file rx_file_perms;
-allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit virtualizationservice self:dir write;
-
-# Let virtualizationservice to accept vsock connection from the guest VMs
+# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
-# Allow virtualizationservice to inspect all hypervisor capabilities.
-get_prop(virtualizationservice, hypervisor_prop)
-get_prop(virtualizationservice, hypervisor_restricted_prop)
-
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
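Review bot: `typeattribute virtualizationservice mlstrustedsubject;` exempts the domain from every MLS constraint, not only the `process setrlimit` check that the comment gives as its reason; the setrlimit target is bounded by a neverallow later in this file, but nothing in the hunk bounds the other accesses the attribute unlocks. Similarly `allow virtualizationservice self:capability chown;` is a process-wide capability whose practical reach is whatever the domain can already setattr, which in this hunk is `virtualizationservice_data_file:dir create_dir_perms`, and the comment should say that this is the intended scope. I would extend the attribute comment to `# NOTE: mlstrustedsubject lifts all MLS constraints for this domain, not only setrlimit; keep its allow rules minimal.` and the chown comment to name `virtualizationservice_data_file` as the only intended target. The file continues outside this hunk, so an existing neverallow may already cover part of this.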
@@ -85,9 +50,6 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
-# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
-r_dir_file(virtualizationservice, crosvm);
-
neverallow {
domain
-init
@@ -97,5 +59,12 @@
neverallow {
domain
-init
+ -virtualizationmanager
-virtualizationservice
} virtualizationservice_data_file:file { open create };
+
+neverallow virtualizationservice {
+ domain
+ -virtualizationmanager
+ -virtualizationservice
+}:process setrlimit;
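Review bot: The new `neverallow virtualizationservice { domain -virtualizationmanager -virtualizationservice }:process setrlimit;` exempts the domain itself, but no `virtualizationservice self:process setrlimit` allow rule appears anywhere in this diff (the earlier hunk only adds `virtualizationmanager:process setrlimit`). If self-setrlimit is not needed, drop the `-virtualizationservice` exemption so the neverallow pins exactly the one target the change introduces; if it is needed, a one-line comment stating why would help the next reader. A similar question applies to `-virtualizationmanager` in the file `{ open create }` neverallow: the allow rules that justify it live in virtualizationmanager.te, whose hunk starts outside this view, so I cannot confirm they are limited to `virtualizationservice_data_file:file`.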
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d41339a..c88e3f0 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -19,6 +19,7 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
add_hwservice(cameraserver, fwk_camera_hwservice)
allow cameraserver activity_service:service_manager find;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,6 +23,9 @@
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
# allow hal audio to use vnbinder
vndbinder_use(hal_audio)
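Review bot: `allow hal_audio_server self:global_capability_class_set sys_nice;` is granted on the `hal_audio_server` attribute, so every vendor audio HAL implementation that carries the attribute receives CAP_SYS_NICE, not just the default one. That is consistent with how other server-side HAL rules in this file are written, but the comment should make the attribute-wide effect explicit, e.g. `# Granted to every hal_audio_server domain: lets the HAL raise its own scheduling priority (Binder RT priority inheritance).`. If only a specific implementation needs it, the vendor-side domain would be the narrower place for the rule.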
diff --git a/public/hal_can.te b/public/hal_can.te
index 6d4cc89..d48c43f 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -10,5 +10,4 @@
# AIDL HAL for CAN buses (ICanController)
hal_attribute_service(hal_can_controller, hal_can_controller_service)
-binder_call(hal_can_controller, servicemanager)
-
+binder_use(hal_can_controller)
diff --git a/public/init.te b/public/init.te
index fa51ef5..a399b3a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -379,7 +379,8 @@
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
- allow init overlayfs_file:file { append };
+ allow init overlayfs_file:file { append rename };
+ allow init overlayfs_file:chr_file unlink;
allow init system_block_device:blk_file { write };
')
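Review bot: The new permissions `rename` on `overlayfs_file:file` and `unlink` on `overlayfs_file:chr_file` have no rationale, while the existing comment above only explains the `dir` rule for the remount,rw workdir check. Since this is inside `userdebug_or_eng`, the exposure is limited to debug builds, but the reader still cannot tell which remount path needs to rename files and delete character devices on the overlay. Add a short comment on the two lines, e.g. `# Debug remount also renames overlay files and removes stale chr_file nodes in the workdir`, adjusted to the actual reason.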
diff --git a/public/service.te b/public/service.te
index abd5156..443a4f7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -7,6 +7,7 @@
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
+type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
@@ -135,6 +136,7 @@
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
+type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
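Review bot: `type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;` exposes the new service to instant (ephemeral) apps as well as regular apps. That matches the neighbouring declarations, but it is a deliberate attack-surface decision and the service must then do its own caller checks for any per-user or cross-user data it returns; this diff gives no hint either way. If instant-app access is not required, dropping `ephemeral_app_api_service` is the narrower declaration, as `gfxinfo_service` and `hardware_service` on the adjacent lines do.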
diff --git a/public/te_macros b/public/te_macros
index ab42534..11041b6 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -183,26 +183,25 @@
####################################
# virtualizationservice_use(domain)
# Allow domain to create and communicate with a virtual machine using
-# virtualizationservice.
+# virtualizationservice and virtualizationmanager.
define(`virtualizationservice_use', `
-allow $1 virtualization_service:service_manager find;
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice and on
-# to crosvm
-allow { virtualizationservice crosvm } $1:fd use;
+# Transition to virtualizationmanager when the client executes it.
+domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
+# Allow virtualizationmanager to communicate over UDS with the client.
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
+allow { virtualizationmanager crosvm } $1:fd use;
+# Let the client use file descriptors created by virtualizationmanager.
+allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
-# Allow client to read/write vsock created by virtualizationservice to
-# communicate with the VM that it created. Notice that we do not grant
-# permission to create a vsock; the client can only connect to VMs
-# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
-# Allow client to read (but not open) the crashdump provided by virtualizationservice
+# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
')
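Review bot: The console-piping rule is widened from `fifo_file { getattr write}` to `{ getattr read write }` for both `virtualizationmanager` and `crosvm`, and a new `unix_stream_socket { getattr read write }` rule is added for the same pair, yet the comments still only describe writing the console log to the client. Granting `read` on a client-owned fifo and socket to crosvm, the guest-facing process, means a compromised guest's host process can consume data the client intended for virtualizationmanager only; if only the manager needs to read, split the rule, e.g. `allow virtualizationmanager $1:fifo_file { getattr read write };` and `allow crosvm $1:fifo_file { getattr write };`. If crosvm genuinely needs read (for console input), say so in the comment so the widening is not reverted as accidental.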
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..ee36784 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,4 @@
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
+
+binder_call(usbd, servicemanager)
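Review bot: `binder_call(usbd, servicemanager)` introduces exactly the pattern that the `public/hal_can.te` hunk in this same change replaces with `binder_use(...)`; the two hunks should agree on one idiom. If usbd only needs to call into servicemanager, this is the narrower grant and a comment stating that intent, e.g. `# usbd only calls servicemanager; it does not host or look up binder services`, would stop the next reader from "fixing" it; if it will also obtain or pass binder handles, `binder_use(usbd)` is the conventional macro.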
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7d083a5..b21302c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
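Review bot: Replacing `default` with `(.*)` in the remoteaccess entry makes the pattern match any characters, including an empty variant name and, since `.` in these regexes is not restricted, path separators; every such binary under `/bin/hw/` would silently receive the `hal_remoteaccess_default_exec` label. The surrounding entries constrain the variant with an explicit alternation such as `((default|emulator)-)*`, and this line should do the same or at least bound the character class, e.g. `android\.hardware\.automotive\.remoteaccess@V1-[a-zA-Z0-9_]+-service`. A labelled-wrong binary is hard to notice because the transition still succeeds, just into a domain with another HAL's permissions.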
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 82cbf8e..506c7e4 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,8 @@
hal_client_domain(hal_audio_default, hal_allocator)
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_audio_default fwk_sensor_service:service_manager find;
+
# allow audioserver to call hal_audio dump with its own fd to retrieve status
allow hal_audio_default audioserver:fifo_file write;
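Review bot: `allow hal_audio_default fwk_sensor_service:service_manager find;` is repeated verbatim in the `hal_camera_default.te`, `hal_face_default.te` and `hal_fingerprint_default.te` hunks of this change, with the comment already phrased differently in the camera file. Four copies of the same grant tend to drift; a small macro or a rule on a shared attribute would keep them in one place, and whichever form is kept should carry the same one-line comment, e.g. `# android.frameworks.sensorservice (AIDL) via libsensorndkbridge`. I cannot see the `fwk_sensor_service` declaration in this diff, so I assume it predates the change.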
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index f0098a8..e7c5886 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -4,7 +4,10 @@
type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
+# HIDL sensorservice
allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow hal_camera_default fwk_sensor_service:service_manager find;
get_prop(hal_camera_default, device_config_camera_native_prop);
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index ddfa62e..66ce40c 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -4,4 +4,7 @@
type hal_face_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_face_default)
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_face_default fwk_sensor_service:service_manager find;
+
set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 812c528..7173223 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -4,4 +4,7 @@
type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_fingerprint_default fwk_sensor_service:service_manager find;
+
set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)