Merge "Add rkpdapp access to remote_prov_prop"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index f7176e8..f13c23c 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -90,6 +90,9 @@
 		"android.hardware.radio.network.IRadioNetwork/slot1":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.network.IRadioNetwork/slot2":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.network.IRadioNetwork/slot3":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot1":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot2":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot3":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.sim.IRadioSim/slot1":                              EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.sim.IRadioSim/slot2":                              EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.sim.IRadioSim/slot3":                              EXCEPTION_NO_FUZZER,
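Review bot: The three added `IRadioSatellite/slot1`..`slot3` entries mark a newly registered HAL service as `EXCEPTION_NO_FUZZER` without recording why it is exempt or when a fuzzer is expected. This matches the neighbouring radio entries, but each new exemption is presumably a binder interface that ships without fuzz coverage. A trailing comment with a tracking reference would keep the exemption auditable, e.g. `// TODO(b/<BUG_ID>): add fuzzer for IRadioSatellite` (bug id is a placeholder). The map literal these lines belong to starts and ends outside this hunk.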
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index ada65ae..7c8f5c0 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -19,3 +19,7 @@
 # so let's allow all bpffs_type's instead,
 # this will keep things working even if this is fixed.
 allow bpfdomain bpffs_type:lnk_file read;
+
+# Needed for //frameworks/libs/net:
+# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
+get_prop(bpfdomain, bpf_progs_loaded_prop)
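Review bot: Granting `get_prop(bpfdomain, bpf_progs_loaded_prop)` on the attribute gives read access to every domain that carries `bpfdomain`, not only the two that lose their own rule in this change (`gpuservice` in private/gpuservice.te and `netd` in private/netd.te). The diff does not show either domain's attribute assignment, so confirm that both are members of `bpfdomain`; otherwise they will start hitting property read denials once their per-domain rules are gone. The access is read-only and, going by the removed gpuservice comment, the property only signals that bpf programs are loaded, so the widening looks acceptable. The new comment could state the scope explicitly: `# Every bpfdomain member may read this prop to wait for bpf programs to be loaded.`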
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 76a2370..8388e89 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -59,9 +59,6 @@
 # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
 allow gpuservice bpfloader:bpf { map_read map_write prog_run };
 
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
diff --git a/private/netd.te b/private/netd.te
index 4aa288b..ae43e47 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -23,7 +23,6 @@
 set_prop(netd, netd_stable_secret_prop)
 
 get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
 get_prop(netd, hwservicemanager_prop)
 get_prop(netd, device_config_netd_native_prop)
 
diff --git a/private/service_contexts b/private/service_contexts
index 85cd7cb..a144db1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,9 @@
 android.hardware.radio.network.IRadioNetwork/slot1                   u:object_r:hal_radio_service:s0
 android.hardware.radio.network.IRadioNetwork/slot2                   u:object_r:hal_radio_service:s0
 android.hardware.radio.network.IRadioNetwork/slot3                   u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot1               u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot2               u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot3               u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot1                           u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot2                           u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot3                           u:object_r:hal_radio_service:s0
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 1be5a5e..2f2d3e7 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -55,3 +55,8 @@
 } snapuserd_prop:property_service set;
 
 allow snapuserd self:anon_inode create_file_perms;
+
+# Allow to read/write/create OTA metadata files
+allow snapuserd metadata_file:dir search;
+allow snapuserd ota_metadata_file:dir rw_dir_perms;
+allow snapuserd ota_metadata_file:file create_file_perms;
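Review bot: The comment on the added rules says read/write/create, but the macros grant more than that. As defined in AOSP's global_macros, `rw_dir_perms` includes `remove_name` on the directory and `create_file_perms` includes `rename`, `setattr` and `unlink` on files, so `snapuserd` can also delete or replace OTA metadata. If that is intended, the comment should say so, e.g. `# Allow snapuserd to create, modify, rename and delete OTA metadata files`. If it is not, list the needed permissions instead of the macro, for instance `allow snapuserd ota_metadata_file:file { create open read write getattr };`. Whether a neverallow elsewhere restricts which domains may write `ota_metadata_file` is not visible in this hunk and should be checked.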
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 28982bc..561e778 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
+# Allow calling into the system server to find "permission_service".
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
+
 # Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
 # to mlock VM memory and page tables.
 allow virtualizationservice self:capability sys_resource;
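Review bot: The comment above the added `binder_call(virtualizationservice, system_server)` names the service being looked up but not what virtualizationservice needs it for, which makes the grant hard to audit later. `binder_call` is granted per domain rather than per interface, so the `permission_service:service_manager find` rule is the only thing here that narrows the name lookup. A comment such as `# Used to check the caller's permission before <operation>; permission_service is the only system_server service looked up.` would record the intent, with the operation filled in by the author. The domain also holds `sys_resource` a few lines below, so its reach into system_server is worth keeping documented.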