Merge "Updates hal_evs sepolicy"
diff --git a/private/apexd.te b/private/apexd.te
index 80e115a..5b27101 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -45,11 +45,6 @@
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
-# allow apexd to relabel apk_tmp_file to apex_data_file.
-# TODO(b/112669193) remove this when APEXes are staged via file descriptor
-allow apexd apk_tmp_file:file relabelfrom;
-allow apexd apex_data_file:file relabelto;
-
# allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
diff --git a/private/cameraserver.te b/private/cameraserver.te
index ef44bfa..2be3c9e 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,4 +1,6 @@
typeattribute cameraserver coredomain;
+typeattribute cameraserver camera_service_server;
+
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index f7f3a54..fd42fff 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,7 @@
flags_health_check
flags_health_check_exec
fwk_bufferhub_hwservice
+ fwk_camera_hwservice
fwk_stats_hwservice
gpuservice
gsi_data_file
diff --git a/private/domain.te b/private/domain.te
index bc05875..3b340c5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -19,6 +19,10 @@
-keystore
-llkd
-logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
-ueventd
-vendor_init
-vold
diff --git a/private/file_contexts b/private/file_contexts
index 83be009..39244c1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -434,6 +434,8 @@
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/apex(/.*)? u:object_r:apex_data_file:s0
+/data/apex/active/(.*)? u:object_r:staging_data_file:s0
+/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7f8d8d6..1339673 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -10,8 +10,14 @@
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# shared memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 859293d..f3745a3 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,4 +1,5 @@
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
+android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 14e54be..c0836ec 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -62,3 +62,7 @@
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
+
+# Allow postinstall_dexopt to access the runtime feature flag properties.
+get_prop(postinstall_dexopt, device_config_runtime_native_prop)
+get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/public/attributes b/public/attributes
index 8f52637..4cae0ff 100644
--- a/public/attributes
+++ b/public/attributes
@@ -307,3 +307,4 @@
attribute wifi_keystore_service_server;
attribute mediaswcodec_server;
attribute system_suspend_server;
+attribute camera_service_server;
diff --git a/public/camera_service_server.te b/public/camera_service_server.te
new file mode 100644
index 0000000..352e1b7
--- /dev/null
+++ b/public/camera_service_server.te
@@ -0,0 +1 @@
+add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index 80bd3dc..7425878 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,5 +1,6 @@
type default_android_hwservice, hwservice_manager_type;
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/te_macros b/public/te_macros
index b9a6c05..cd4bf61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -661,14 +661,8 @@
allow heapprofd $1:file r_file_perms;
allow heapprofd $1:dir r_dir_perms;
- # On debug builds, central daemon can handle profiling of all processes
- # directly.
- userdebug_or_eng(`
- # Allow connecting to the daemon.
- unix_socket_connect($1, heapprofd, heapprofd)
- # Allow daemon to use the passed fds.
- allow heapprofd $1:fd use;
- ')
+ # Profilability on user implies profilability on userdebug and eng.
+ can_profile_heap_userdebug_or_eng($1)
')
###################################
@@ -686,6 +680,11 @@
unix_socket_connect($1, heapprofd, heapprofd)
# Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
index 77f0fc6..f39b679 100755
--- a/tools/build_policies.sh
+++ b/tools/build_policies.sh
@@ -54,7 +54,7 @@
# This heuristic could probably be improved.
cores=$(nproc --all)
num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
-parallel_jobs=$(expr $cores / 2)
+parallel_jobs=$(expr $cores / 4)
if [[ $num_targets -lt $parallel_jobs ]]; then
export mmma_jobs=$(expr $cores / $num_targets \* 2)
else