Merge "Add CEC HAL 1.1"
diff --git a/Android.bp b/Android.bp
index 2ca424d..ac2e516 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,6 +12,36 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+// Added automatically by a large-scale-change that took the approach of
+// 'apply every license found to every target'. While this makes sure we respect
+// every license restriction, it may not be entirely correct.
+//
+// e.g. GPL in an MIT project might only apply to the contrib/ directory.
+//
+// Please consider splitting the single license below into multiple licenses,
+// taking care not to lose any license_kind information, and overriding the
+// default license using the 'licenses: [...]' property on targets as needed.
+//
+// For unused files, consider creating a 'filegroup' with "//visibility:private"
+// to attach the license to, and including a comment whether the files may be
+// used in the current project.
+// http://go/android-license-faq
+license {
+ name: "system_sepolicy_license",
+ visibility: [":__subpackages__"],
+ license_kinds: [
+ "SPDX-license-identifier-Apache-2.0",
+ "legacy_unencumbered",
+ ],
+ license_text: [
+ "NOTICE",
+ ],
+}
+
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
se_filegroup {
diff --git a/Android.mk b/Android.mk
index 8afd5a8..77513a0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -334,6 +334,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_TAGS := optional
LOCAL_REQUIRED_MODULES += \
selinux_policy_nonsystem \
@@ -348,6 +351,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
@@ -418,6 +424,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system_ext
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
@@ -459,6 +468,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_product
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
@@ -500,6 +512,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_nonsystem
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
@@ -573,6 +588,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -651,6 +669,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows_vendor
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -875,6 +896,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -925,6 +949,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
@@ -972,6 +999,9 @@
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_MODULE := system_ext_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -1029,6 +1059,9 @@
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_MODULE := product_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -1087,6 +1120,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_sepolicy_vers.txt
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1103,6 +1139,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_mapping_file
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1125,6 +1164,9 @@
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_MODULE := system_ext_mapping_file
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1152,6 +1194,9 @@
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_MODULE := product_mapping_file
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1180,6 +1225,9 @@
# plat_pub_versioned.cil - the exported platform policy associated with the version
# that non-platform policy targets.
LOCAL_MODULE := plat_pub_versioned.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1210,6 +1258,9 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1271,6 +1322,9 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1332,6 +1386,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1395,6 +1452,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
@@ -1408,6 +1468,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -1421,6 +1484,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -1436,6 +1502,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1457,6 +1526,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1478,6 +1550,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1498,6 +1573,9 @@
# build this target so that we can still perform neverallow checks
LOCAL_MODULE := sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1557,6 +1635,9 @@
# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
LOCAL_MODULE := sepolicy.recovery
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1613,6 +1694,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := general_sepolicy.conf
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
@@ -1641,6 +1725,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts.bin
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1735,6 +1822,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1758,6 +1848,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vndservice_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1788,6 +1881,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -1914,6 +2010,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/OWNERS b/OWNERS
index 0ad1d05..d7cde74 100644
--- a/OWNERS
+++ b/OWNERS
@@ -6,7 +6,6 @@
jeffv@google.com
jgalenson@google.com
jiyong@google.com
-nnk@google.com
smoreland@google.com
sspatil@google.com
trong@google.com
diff --git a/apex/Android.bp b/apex/Android.bp
index 762dd54..2ffaa9e 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -13,6 +13,14 @@
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // legacy_unencumbered
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
filegroup {
name: "apex.test-file_contexts",
srcs: [
diff --git a/build/Android.bp b/build/Android.bp
index d3f1fc3..5298f71 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -12,6 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
python_binary_host {
name: "build_sepolicy",
srcs: [
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 699a2a4..5f951ce 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -12,6 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
bootstrap_go_package {
name: "soong-selinux",
pkgPath: "android/soong/selinux",
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index e07bbf0..5d32e11 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -26,11 +26,6 @@
"android/soong/sysprop"
)
-const (
- coreMode = "core"
- recoveryMode = "recovery"
-)
-
type selinuxContextsProperties struct {
// Filenames under sepolicy directories, which will be used to generate contexts file.
Srcs []string `android:"path"`
@@ -56,8 +51,6 @@
// Make this module available when building for recovery
Recovery_available *bool
-
- InRecovery bool `blueprint:"mutated"`
}
type fileContextsProperties struct {
@@ -93,32 +86,32 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
-
- android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
- ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
- })
-}
-
-func (m *selinuxContextsModule) inRecovery() bool {
- return m.properties.InRecovery || m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) onlyInRecovery() bool {
- return m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) InstallInRecovery() bool {
- return m.inRecovery()
}
func (m *selinuxContextsModule) InstallInRoot() bool {
- return m.inRecovery()
+ return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) InstallInRecovery() bool {
+ // ModuleBase.InRecovery() checks the image variant
+ return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) onlyInRecovery() bool {
+ // ModuleBase.InstallInRecovery() checks commonProperties.Recovery property
+ return m.ModuleBase.InstallInRecovery()
}
func (m *selinuxContextsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
if m.deps != nil {
m.deps(ctx)
}
+
+ if m.InRecovery() && !m.onlyInRecovery() {
+ ctx.AddFarVariationDependencies([]blueprint.Variation{
+ {Mutator: "image", Variation: android.CoreVariation},
+ }, reuseContextsDepTag, ctx.ModuleName())
+ }
}
func (m *selinuxContextsModule) propertyContextsDeps(ctx android.BottomUpMutatorContext) {
@@ -128,14 +121,14 @@
}
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.inRecovery() {
+ if m.InRecovery() {
// Installing context files at the root of the recovery partition
m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
- if m.inRecovery() && !m.onlyInRecovery() {
+ if m.InRecovery() && !m.onlyInRecovery() {
dep := ctx.GetDirectDepWithTag(m.Name(), reuseContextsDepTag)
if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
@@ -225,7 +218,7 @@
return android.AndroidMkData{
Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
nameSuffix := ""
- if m.inRecovery() && !m.onlyInRecovery() {
+ if m.InRecovery() && !m.onlyInRecovery() {
nameSuffix = ".recovery"
}
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
@@ -245,44 +238,38 @@
}
}
-func selinuxContextsMutator(ctx android.BottomUpMutatorContext) {
- m, ok := ctx.Module().(*selinuxContextsModule)
- if !ok {
- return
- }
-
- var coreVariantNeeded bool = true
- var recoveryVariantNeeded bool = false
- if proptools.Bool(m.properties.Recovery_available) {
- recoveryVariantNeeded = true
- }
-
- if m.ModuleBase.InstallInRecovery() {
- recoveryVariantNeeded = true
- coreVariantNeeded = false
- }
-
- var variants []string
- if coreVariantNeeded {
- variants = append(variants, coreMode)
- }
- if recoveryVariantNeeded {
- variants = append(variants, recoveryMode)
- }
- mod := ctx.CreateVariations(variants...)
-
- for i, v := range variants {
- if v == recoveryMode {
- m := mod[i].(*selinuxContextsModule)
- m.properties.InRecovery = true
-
- if coreVariantNeeded {
- ctx.AddInterVariantDependency(reuseContextsDepTag, m, mod[i-1])
- }
- }
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+ if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
+ ctx.PropertyErrorf("recovery_available",
+ "doesn't make sense at the same time as `recovery: true`")
}
}
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+ return !m.InstallInRecovery()
+}
+
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+ return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
+}
+
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+ return nil
+}
+
+func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
+}
+
+var _ android.ImageInterface = (*selinuxContextsModule)(nil)
+
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
diff --git a/compat.mk b/compat.mk
index 2b691ec..4aed864 100644
--- a/compat.mk
+++ b/compat.mk
@@ -5,6 +5,9 @@
# build this target to ensure the compat permissions files all build against the current policy
#
LOCAL_MODULE := $(version)_compat_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_REQUIRED_MODULES := $(version).compat.cil
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/contexts_tests.mk b/contexts_tests.mk
index 076408a..1189b83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -36,6 +36,9 @@
##################################
LOCAL_MODULE := plat_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -46,6 +49,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -57,6 +63,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -68,6 +77,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -79,6 +91,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -91,6 +106,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -102,6 +120,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -113,6 +134,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -124,6 +148,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -135,6 +162,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -149,6 +179,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -165,6 +198,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -181,6 +217,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -197,6 +236,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -215,6 +257,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -230,6 +275,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -241,6 +289,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -252,6 +303,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -266,6 +320,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 02376bc..566c82b 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -1,6 +1,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -39,6 +42,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -70,6 +76,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -101,6 +110,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -133,6 +145,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
diff --git a/private/apexd.te b/private/apexd.te
index c3da0fe..f6e8058 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -5,6 +5,8 @@
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
@@ -78,6 +80,8 @@
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
allow apexd vendor_apex_file:dir r_dir_perms;
diff --git a/private/app.te b/private/app.te
index c635aed..710b94d 100644
--- a/private/app.te
+++ b/private/app.te
@@ -71,6 +71,9 @@
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
+# Allow APFE device info to read Virtual A/B props.
+get_prop(appdomain, virtual_ab_prop)
+
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
@@ -88,3 +91,4 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
diff --git a/private/bpfloader.te b/private/bpfloader.te
index b2e5992..f1932bb 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,27 +4,32 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { create search write add_name };
-allow bpfloader fs_bpf:file { create setattr read };
+allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
+allow fs_bpf_tethering fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin };
+set_prop(bpfloader, bpf_progs_loaded_prop)
+
###
### Neverallow rules
###
-# TODO: get rid of init & vendor_init
-neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
-neverallow domain fs_bpf:dir { reparent rename rmdir };
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
-neverallow { domain -bpfloader } fs_bpf:file create;
-neverallow domain fs_bpf:file { rename unlink };
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
@@ -32,9 +37,7 @@
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2a960e5..8dd2d2f 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -21,6 +21,7 @@
debugfs_kprobes
debugfs_mm_events_tracing
device_config_profcollect_native_boot_prop
+ device_config_connectivity_prop
device_state_service
dm_user_device
dmabuf_heap_device
@@ -29,6 +30,8 @@
domain_verification_service
dumpstate_tmpfs
framework_watchdog_config_prop
+ fs_bpf_tethering
+ fwk_stats_service
game_service
font_data_file
gki_apex_prepostinstall
@@ -46,12 +49,16 @@
hal_keymint_service
hal_neuralnetworks_service
hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
+ hal_secureclock_service
+ hal_sharedsecret_service
hal_weaver_service
keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
media_communication_service
+ media_metrics_service
mediatuner_exec
mediatuner_service
mediatuner
@@ -60,6 +67,9 @@
nfc_logs_data_file
odrefresh
odrefresh_exec
+ odsign
+ odsign_data_file
+ odsign_exec
people_service
persist_vendor_debug_wifi_prop
power_debug_prop
@@ -72,6 +82,8 @@
profcollectd_service
radio_core_data_file
reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
resolver_service
search_ui_service
shell_test_data_file
@@ -82,6 +94,8 @@
soc_prop
speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_dma_heap
+ sysfs_dmabuf_stats
sysfs_uhid
system_server_dumper_service
system_suspend_control_internal_service
@@ -92,5 +106,7 @@
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
+ vpn_management_service
watchdog_metadata_file
+ wifi_key
zygote_config_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index 4209ac7..de9b953 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -164,6 +164,7 @@
-dumpstate
-gpuservice
-init
+ -traced_perf
-traced_probes
-shell
-system_server
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 27e4b0c..909f94c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -38,6 +38,10 @@
# Allow dex2oat to use file descriptors passed from odrefresh.
allow dex2oat odrefresh:fd use;
+# Allow dex2oat to use devpts and file descriptors passed from odsign
+allow dex2oat odsign_devpts:chr_file { read write };
+allow dex2oat odsign:fd use;
+
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
@@ -47,6 +51,10 @@
allow dex2oat apex_art_data_file:dir r_dir_perms;
allow dex2oat apex_art_data_file:file r_file_perms;
+# Allow dex2oat to read runtime native flag properties.
+get_prop(dex2oat, device_config_runtime_native_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/domain.te b/private/domain.te
index 0908661..94bd059 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -281,6 +281,7 @@
domain
# art processes
-odrefresh
+ -odsign
# others
-apexd
-init
@@ -291,6 +292,7 @@
domain
# art processes
-odrefresh
+ -odsign
# others
-apexd
-init
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2b7b228..16f4add 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -51,6 +51,7 @@
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
+allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;
# Read files in /proc
diff --git a/private/fastbootd.te b/private/fastbootd.te
index f0ba02c..98eb23c 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -28,6 +28,14 @@
allow fastbootd port:tcp_socket name_bind;
allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ # Start snapuserd for merging VABC updates
+ set_prop(fastbootd, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow fastbootd snapuserd_socket:sock_file write;
+ allow fastbootd snapuserd:unix_stream_socket connectto;
+ allow fastbootd dm_user_device:dir r_dir_perms;
+
# Get fastbootd protocol property
get_prop(fastbootd, fastbootd_protocol_prop)
')
diff --git a/private/file.te b/private/file.te
index 87443ef..fd50649 100644
--- a/private/file.te
+++ b/private/file.te
@@ -44,3 +44,6 @@
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odsign
+type odsign_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 1e16169..c9779c8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -363,6 +363,7 @@
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
+/system/bin/odsign u:object_r:odsign_exec:s0
#############################
# Vendor files
@@ -518,6 +519,7 @@
/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
+/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -588,6 +590,7 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
+/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index de5f37e..983bad6 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -17,6 +17,7 @@
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 4bb3d0f..42d142f 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -15,6 +15,10 @@
# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c5baf79..d205cd5 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -148,12 +148,14 @@
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
@@ -347,3 +349,4 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index ff7444f..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -75,6 +75,10 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
diff --git a/private/heapprofd.te b/private/heapprofd.te
index d34830c..246f936 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -45,6 +45,7 @@
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
+r_dir_file(heapprofd, shell_test_data_file)
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 1c6573c..9612b90 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -13,3 +13,10 @@
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
100 u:object_r:vold_key:s0
+# odsign_key is a keystore2_key namespace for the on-device signing daemon.
+101 u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102 u:object_r:wifi_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index cff37eb..990bc29 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -10,3 +10,6 @@
# A keystore2 namespace for vold. Vold need special permission to handle
# its own Keymint blobs.
type vold_key, keystore2_key_type;
+
+# A keystore2 namespace for the on-device signing daemon.
+type odsign_key, keystore2_key_type;
diff --git a/private/network_stack.te b/private/network_stack.te
index ab5a56e..9598fa5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -29,6 +29,13 @@
binder_call(network_stack, netd);
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
@@ -37,10 +44,15 @@
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack fs_bpf:dir search;
-allow network_stack fs_bpf:file { read write };
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# TODO: remove netd once netd/tethering mainline module split is complete
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
+
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/odrefresh.te b/private/odrefresh.te
index c1ccc38..097098b 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -18,6 +18,10 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
diff --git a/private/odsign.te b/private/odsign.te
new file mode 100644
index 0000000..b35a3ca
--- /dev/null
+++ b/private/odsign.te
@@ -0,0 +1,55 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ use
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index 4c1d782..e5889d1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
allow priv_app privapp_data_file:lnk_file create_file_perms;
# Priv apps can find services that expose both @SystemAPI and normal APIs.
@@ -156,11 +160,12 @@
r_dir_file(priv_app, sysfs_fs_incfs_features)
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status
+# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {
INCFS_IOCTL_READ_SIGNATURE
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
+ INCFS_IOCTL_GET_FILLED_BLOCKS
};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
@@ -170,6 +175,9 @@
# on the Incremental File System.
allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
+# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
+get_prop(priv_app, incremental_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 0885b91..5dc75b8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -8,6 +8,7 @@
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 5b832dc..7d99a24 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -221,6 +221,7 @@
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
@@ -978,6 +979,7 @@
ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
@@ -1059,8 +1061,8 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
# Enable Keystore 2.0.
-# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
-ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+# TODO remove this property when Keystore 2.0 migration is complete b/171563717
+persist.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
partition.system.verified u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
diff --git a/private/recovery.te b/private/recovery.te
index 207dfb6..00d7132 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -31,6 +31,14 @@
allow recovery self:tcp_socket { create ioctl };
allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+ # Start snapuserd for merging VABC updates
+ set_prop(recovery, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow recovery snapuserd_socket:sock_file write;
+ allow recovery snapuserd:unix_stream_socket connectto;
+ allow recovery dm_user_device:dir r_dir_perms;
+
# Set fastbootd protocol property
set_prop(recovery, fastbootd_protocol_prop)
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
new file mode 100644
index 0000000..e877981
--- /dev/null
+++ b/private/remote_prov_app.te
@@ -0,0 +1,10 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+allow remote_prov_app {
+ activity_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 929f073..b8e42ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,7 @@
isSystemServer=true domain=system_server_startup
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
diff --git a/private/service.te b/private/service.te
index 821b740..7f692f3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -8,4 +8,5 @@
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 5369b54..c1aab48 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -9,12 +9,16 @@
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -31,6 +35,7 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
@@ -162,6 +167,7 @@
media.drm u:object_r:mediadrmserver_service:s0
media.tuner u:object_r:mediatuner_service:s0
media_communication u:object_r:media_communication_service:s0
+media_metrics u:object_r:media_metrics_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
@@ -259,6 +265,7 @@
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
+tracing.proxy u:object_r:tracingproxy_service:s0
transformer u:object_r:transformer_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
@@ -276,6 +283,7 @@
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
+vpn_management u:object_r:vpn_management_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 8938931..36208bf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -142,6 +142,15 @@
use
};
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# settings app reads /proc/version
allow system_app {
proc_version
diff --git a/private/system_server.te b/private/system_server.te
index 4eb2d38..a2aa259 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -189,6 +189,17 @@
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
+# Read /sys/kernel/dma_heap/*.
+allow system_server sysfs_dma_heap:file r_file_perms;
+
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -292,6 +303,7 @@
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces.
allow system_server {
@@ -529,6 +541,9 @@
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
+# Allow write access to be able to truncate tombstones.
+allow system_server tombstone_data_file:file write;
+
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;
@@ -664,6 +679,7 @@
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -754,9 +770,6 @@
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
@@ -864,15 +877,25 @@
use
};
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
# /oem access
r_dir_file(system_server, oemfs)
@@ -1113,6 +1136,7 @@
-flags_health_check
} {
device_config_activity_manager_native_boot_prop
+ device_config_connectivity_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_runtime_native_boot_prop
diff --git a/private/traced.te b/private/traced.te
index 89d3cd2..aa16966 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -37,6 +37,11 @@
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
+# Allow perfetto to access the proxy service for notifying Traceur.
+allow traced tracingproxy_service:service_manager find;
+binder_use(traced);
+binder_call(traced, system_server);
+
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
# write into the shmem buffer file without doing roundtrips over IPC.
allow traced iorapd:fd use;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index e5760f0..96a7263 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -38,6 +38,14 @@
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
allow traced_perf proc_kallsyms:file r_file_perms;
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+ allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+ allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
@@ -51,7 +59,7 @@
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
# Never allow profiling highly privileged processes.
-never_profile_heap(`{
+never_profile_perf(`{
bpfloader
init
kernel
diff --git a/public/app.te b/public/app.te
index 39d67af..67a996a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -318,6 +318,9 @@
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
diff --git a/public/domain.te b/public/domain.te
index 7c2e3fe..81163d1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -403,13 +403,11 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
@@ -478,7 +476,9 @@
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 47071ed..45540b3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -343,6 +343,26 @@
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;
+binder_call(dumpstate, hal_authsecret_server)
+allow hal_authsecret_server dumpstate:fifo_file write;
+allow hal_authsecret_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_keymint_server)
+allow hal_keymint_server dumpstate:fifo_file write;
+allow hal_keymint_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_memtrack_server)
+allow hal_memtrack_server dumpstate:fifo_file write;
+allow hal_memtrack_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_oemlock_server)
+allow hal_oemlock_server dumpstate:fifo_file write;
+allow hal_oemlock_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_weaver_server)
+allow hal_weaver_server dumpstate:fifo_file write;
+allow hal_weaver_server dumpstate:fd use;
+
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 39581c4..a188c78 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,6 +88,8 @@
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
@@ -111,6 +113,7 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 7570188..e56ab99 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,4 +1,5 @@
binder_call(hal_keymint_client, hal_keymint_server)
hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 36bcc65..e19ad1c 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -20,6 +20,14 @@
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+use_keystore(hal_wifi_supplicant)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
###
### neverallow rules
###
diff --git a/public/init.te b/public/init.te
index e546ece..069f17d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -309,7 +309,6 @@
devpts
dm_device
hwbinder_device
- hw_random_device
input_device
kmsg_device
null_device
@@ -324,6 +323,7 @@
# chown/chmod on devices.
allow init {
dev_type
+ -hw_random_device
-keychord_device
-port_device
}:chr_file setattr;
@@ -533,10 +533,6 @@
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
diff --git a/public/keystore.te b/public/keystore.te
index c6e0daa..1c8d3bd 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..4472938 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,9 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
+# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
+allow netd { fs_bpf fs_bpf_tethering }:dir search;
+allow netd { fs_bpf fs_bpf_tethering }:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/service.te b/public/service.te
index 87d9bcd..7292a97 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
@@ -90,7 +91,7 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, system_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -113,6 +114,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, system_server_service, service_manager_type;
type game_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -134,6 +136,7 @@
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -215,6 +218,7 @@
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -248,6 +252,9 @@
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 39ed2f6..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,6 +30,7 @@
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
index 564ae23..ab8e58a 100644
--- a/public/stats_service_server.te
+++ b/public/stats_service_server.te
@@ -1 +1,4 @@
add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 16dca64..8d436b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -214,6 +214,9 @@
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index 462fa27..b33b820 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -1,5 +1,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -20,6 +23,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -43,6 +49,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -66,6 +75,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -89,6 +101,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
@@ -112,6 +127,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
diff --git a/tests/Android.bp b/tests/Android.bp
index 926b5e4..5925fc2 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,3 +1,11 @@
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_library_host_shared {
name: "libsepolwrap",
srcs: ["sepol_wrap.cpp"],
diff --git a/tools/Android.bp b/tools/Android.bp
index 2809c9d..a6a15a5 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -14,6 +14,14 @@
* limitations under the License.
*/
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_defaults {
name: "sepolicy_tools_defaults",
cflags: [
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
index ff40c16..bb6b701 100644
--- a/tools/sepolicy-analyze/Android.bp
+++ b/tools/sepolicy-analyze/Android.bp
@@ -1,3 +1,11 @@
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // legacy_unencumbered
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_binary_host {
name: "sepolicy-analyze",
defaults: ["sepolicy_tools_defaults"],
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 0195e5f..fdfe9ee 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -5,6 +5,9 @@
# permissions granted do not violate the treble model. Also ensure that treble
# compatibility guarantees are upheld between SELinux version bumps.
LOCAL_MODULE := treble_sepolicy_tests_$(version)
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/vendor/hal_keymint_default.te b/vendor/hal_keymint_default.te
index d86b7b4..3b86a1b 100644
--- a/vendor/hal_keymint_default.te
+++ b/vendor/hal_keymint_default.te
@@ -4,4 +4,7 @@
type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymint_default)
+hal_attribute_service(hal_keymint, hal_secureclock_service)
+hal_attribute_service(hal_keymint, hal_sharedsecret_service)
+
get_prop(hal_keymint_default, vendor_security_patch_level_prop);