Merge "The SE Policies to incorporate ISecureClock and ISharedSecret services along with IKeyMintDevice service into default keymint HAL Server. Test: Rebuild, execute and run atest VtsAidlSharedSecretTargetTest and atest VtsAidlSecureClockTargetTest. Bug: b/171844725, b/168673523."
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 0077d4a..c90743d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -30,6 +30,7 @@
     domain_verification_service
     dumpstate_tmpfs
     framework_watchdog_config_prop
+    fwk_stats_service
     game_service
     font_data_file
     gki_apex_prepostinstall
@@ -55,6 +56,7 @@
     legacy_permission_service
     location_time_zone_manager_service
     media_communication_service
+    media_metrics_service
     mediatuner_exec
     mediatuner_service
     mediatuner
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index ff7444f..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -75,6 +75,10 @@
 # TODO: Tighten (b/112357170)
 allow gmscore_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
 allow gmscore_app privapp_data_file:lnk_file create_file_perms;
 
 # /proc access
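Review bot: The added `allow gmscore_app system_linker_exec:file execute_no_trans;` is granted to the whole domain rather than to the Crashpad use case its comment names, and unlike the `privapp_data_file:file execute` rule just above it has no `TODO: Tighten` marker. With both rules in place, any code running in gmscore_app can execute the system linker without a domain transition, so the comment should state that the grant is domain-wide and name a tracking bug for narrowing it. The comment also has a doubled word; I would write `# Chrome Crashpad uses the dynamic linker to load native executables`. The same rule and comment are added for priv_app in private/priv_app.te, and the same remarks apply there.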
diff --git a/private/priv_app.te b/private/priv_app.te
index 1857af8..6e85b42 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
 # Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/private/service_contexts b/private/service_contexts
index d85d738..7e250db 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -9,7 +9,7 @@
 android.hardware.memtrack.IMemtrack/default                          u:object_r:hal_memtrack_service:s0
 android.hardware.oemlock.IOemLock/default                            u:object_r:hal_oemlock_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default                      u:object_r:hal_power_stats_service:s0
+android.hardware.power.stats.IPowerStats/default                     u:object_r:hal_power_stats_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default                  u:object_r:hal_rebootescrow_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
@@ -17,6 +17,7 @@
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
 android.hardware.vibrator.IVibratorManager/default                   u:object_r:hal_vibrator_service:s0
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
+android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
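Review bot: The new `android.frameworks.stats.IStats/default` entry is appended after `android.hardware.weaver.IWeaver/default`, although the visible entries in this block appear to be sorted by interface name. That ordering would put `android.frameworks.*` ahead of the `android.hardware.*` lines. Keeping the block sorted makes duplicate or conflicting labels easier to spot during review. The start of the block is outside the hunk, so the ordering convention is inferred from the lines shown.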
@@ -165,6 +166,7 @@
 media.drm                                 u:object_r:mediadrmserver_service:s0
 media.tuner                               u:object_r:mediatuner_service:s0
 media_communication                       u:object_r:media_communication_service:s0
+media_metrics                             u:object_r:media_metrics_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 06673c3..7a38024 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -192,6 +192,14 @@
 # Read /sys/kernel/dma_heap/*.
 allow system_server sysfs_dma_heap:file r_file_perms;
 
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -295,6 +303,7 @@
 
 # List HAL interfaces to get ANR traces.
 allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
 
 # Send signals to trigger ANR traces.
 allow system_server {
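Review bot: The added `allow system_server servicemanager:service_manager list;` sits under `# List HAL interfaces to get ANR traces.`, a comment written for the hwservicemanager rule, so it does not explain why system_server now also enumerates the names registered with servicemanager. If the intent is to cover AIDL HALs as well, I would reword the comment to `# List HIDL (hwservicemanager) and AIDL (servicemanager) HAL interfaces to get ANR traces.`. The permission itself is narrow, since `list` exposes registered names only and grants no `find`. The `allow system_server {` block that follows continues outside the hunk.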
diff --git a/public/service.te b/public/service.te
index 93e6cc0..2e7f8b1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -114,6 +114,7 @@
 type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, system_server_service, service_manager_type;
 type game_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -135,6 +136,7 @@
 type lock_settings_service, system_api_service, system_server_service, service_manager_type;
 type looper_stats_service, system_server_service, service_manager_type;
 type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
index 564ae23..ab8e58a 100644
--- a/public/stats_service_server.te
+++ b/public/stats_service_server.te
@@ -1 +1,4 @@
 add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
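Review bot: `add_service(stats_service_server, fwk_stats_service)` lets every domain carrying the stats_service_server attribute register the service, while public/service.te in this same change declares `fwk_stats_service` with the `system_server_service` attribute. If any domain other than system_server carries stats_service_server, that label would be misleading and could conflict with rules keyed on system_server_service; which domains carry the attribute is not visible in this diff. The new lines also have no comment, and something like `# Register the AIDL android.frameworks.stats.IStats service; binder_use is needed to reach servicemanager.` would record why `binder_use` was added. No client `find` rule for `fwk_stats_service` appears in this change, so it is worth confirming where callers get access.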