Merge "Use file_contexts files for flattened APEXes"
diff --git a/Android.mk b/Android.mk
index 567b305..ad7d9bd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -145,6 +145,9 @@
genfs_contexts \
port_contexts
+sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+ $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))
+
# Security classes and permissions defined outside of system/sepolicy.
security_class_extension_files := $(call build_policy, security_classes access_vectors, \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
@@ -371,8 +374,11 @@
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_REQUIRED_MODULES += \
- system_ext_mapping_file \
- $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+ system_ext_mapping_file
+
+system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
+
+LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
endif
@@ -397,8 +403,11 @@
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_REQUIRED_MODULES += \
- product_mapping_file \
- $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+ product_mapping_file
+
+product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
+
+LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
endif
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index 8007efd..e47402f 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -6,5 +6,3 @@
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
-/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/private/access_vectors b/private/access_vectors
index 8364bc5..1420360 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -716,6 +716,7 @@
add_auth
clear_ns
get_state
+ list
lock
reset
unlock
@@ -727,7 +728,6 @@
gen_unique_id
get_info
grant
- list
manage_blob
rebind
req_forced_op
diff --git a/private/apexd.te b/private/apexd.te
index b7d6702..7fc1183 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -125,11 +125,6 @@
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to ART APEX preinstall domain.
-domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
-# Allow transition to ART APEX postinstall domain.
-domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
-
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
deleted file mode 100644
index ba02083..0000000
--- a/private/art_apex_boot_integrity.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# This command set checks the integrity of boot classpath ART
-# artifacts in /data, potentially removing them.
-
-type art_apex_boot_integrity, domain, coredomain;
-type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# art_apex_boot_integrity to occur.
-init_daemon_domain(art_apex_boot_integrity)
-
-# Read dalvik cache directories, remove entries.
-allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
-# Read and possibly delete dalvik cache files.
-allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
-
-# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
-allow art_apex_boot_integrity shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
-# permissions.
-allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
-
-# Fsverity in the same domain.
-allow art_apex_boot_integrity system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
deleted file mode 100644
index 576ed20..0000000
--- a/private/art_apex_postinstall.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# ART APEX postinstall.
-#
-
-type art_apex_postinstall, domain, coredomain;
-type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/sh (see b/126787589).
-allow art_apex_postinstall apexd:fd use;
-
-# Read temp dirs and files. Move directories.
-allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
-allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
-# We're deleting the old /data/dalvik-cache/* and move the new ones
-# over.
-allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
-allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
-
-# Required for relabel.
-allow art_apex_postinstall file_contexts_file:file r_file_perms;
-allow art_apex_postinstall self:global_capability_class_set sys_admin;
-
-# Script helpers.
-allow art_apex_postinstall shell_exec:file rx_file_perms;
-allow art_apex_postinstall toolbox_exec:file rx_file_perms;
-
-# Fsverity in the same domain.
-allow art_apex_postinstall system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_postinstall ota_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
deleted file mode 100644
index 12b1020..0000000
--- a/private/art_apex_preinstall.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# ART APEX preinstall.
-#
-
-type art_apex_preinstall, domain, coredomain;
-type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/sh (see b/126787589).
-allow art_apex_preinstall apexd:fd use;
-
-# Create temp dirs and files under /data/ota.
-allow art_apex_preinstall ota_data_file:dir create_dir_perms;
-allow art_apex_preinstall ota_data_file:file create_file_perms;
-# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
-# mount namespace.
-allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
-allow art_apex_preinstall self:capability sys_admin;
-
-# Script helpers.
-allow art_apex_preinstall shell_exec:file rx_file_perms;
-allow art_apex_preinstall toolbox_exec:file rx_file_perms;
-
-# Execute subscripts in the same domain.
-allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
-
-# Run dex2oat.
-domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
-
-# Fsverity in the same domain.
-allow art_apex_preinstall system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_preinstall ota_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index cbe8ed7..7275954 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -19,6 +19,6 @@
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 9539add..7db303c 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ ab_update_gki_prop
adbd_config_prop
apex_info_file
cgroup_v2
@@ -12,9 +13,11 @@
dmabuf_system_heap_device
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_face_service
hal_fingerprint_service
gnss_device
hal_dumpstate_config_prop
+ hal_gnss_service
hal_power_stats_service
keystore2_key_contexts_file
location_time_zone_manager_service
diff --git a/private/dex2oat.te b/private/dex2oat.te
index c257f1a..50e43ad 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -72,7 +72,6 @@
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
-allow dex2oat art_apex_preinstall:fd use;
##############
# Neverallow #
diff --git a/private/domain.te b/private/domain.te
index 3669d76..5cc313a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -257,8 +257,6 @@
-cppreopts
-dex2oat
-otapreopt_slot
- -art_apex_postinstall
- -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -270,8 +268,6 @@
-dex2oat
-zygote
-otapreopt_slot
- -art_apex_boot_integrity
- -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
# Minimize dac_override and dac_read_search.
diff --git a/private/file_contexts b/private/file_contexts
index efb2c14..84fb2a7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -258,7 +258,6 @@
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index accd02e..136da2b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -256,6 +256,8 @@
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -306,6 +308,8 @@
genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/property_contexts b/private/property_contexts
index 5bf7807..4f7a1dc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -115,6 +115,9 @@
vold. u:object_r:vold_prop:s0
ro.crypto. u:object_r:vold_prop:s0
+# TODO(b/141677108): Remove once true everywhere
+ro.vold.level_from_user u:object_r:vold_config_prop:s0
+
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
@@ -237,6 +240,7 @@
# Virtual A/B properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
@@ -706,7 +710,11 @@
ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+# Update related props
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update.gki.prevent_downgrade_version u:object_r:ab_update_gki_prop:s0 exact bool
+ro.build.ab_update.gki.prevent_downgrade_spl u:object_r:ab_update_gki_prop:s0 exact bool
+
ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4b23e89..0b13600 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -141,7 +141,7 @@
isSystemServer=true domain=system_server_startup
-user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
diff --git a/private/service_contexts b/private/service_contexts
index 7616f19..a2c8455 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,6 @@
+android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
@@ -18,8 +20,8 @@
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
-android.security.keystore2 u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
diff --git a/private/shell.te b/private/shell.te
index a392665..dff6a9f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -152,4 +152,4 @@
allow shell keystore2_key_contexts_file:file r_file_perms;
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
-allow shell shell_key:keystore2_key { delete rebind use get_info list update };
+allow shell shell_key:keystore2_key { delete rebind use get_info update };
diff --git a/private/system_app.te b/private/system_app.te
index 9298937..8fafce0 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -139,7 +139,6 @@
delete
get_info
grant
- list
rebind
update
use
diff --git a/private/system_server.te b/private/system_server.te
index f344bbb..cadc6cd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -566,6 +566,9 @@
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+# Allow PackageManager to rename file from /data/app-staging folder to /data/app during
+# staged apk install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
@@ -837,7 +840,6 @@
use_dev_id
grant
get_info
- list
rebind
update
use
diff --git a/private/vold.te b/private/vold.te
index ce451ac..0f464a9 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -37,7 +37,6 @@
allow vold vold_key:keystore2_key {
delete
get_info
- list
manage_blob
rebind
req_forced_op
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index f3ec058..4197ddd 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1,5 +1,7 @@
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
@@ -24,6 +26,7 @@
iris_vendor_data_file
rollback_data_file
storaged_data_file
+ system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
@@ -41,5 +44,9 @@
vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index ad1696f..5e12fbb 100644
--- a/public/app.te
+++ b/public/app.te
@@ -295,7 +295,7 @@
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
use_keystore({ appdomain -isolated_app -ephemeral_app })
diff --git a/public/attributes b/public/attributes
index 3582a09..45900a9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -204,6 +204,9 @@
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
diff --git a/public/domain.te b/public/domain.te
index 812f1a2..931a045 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,6 +670,7 @@
-ephemeral_app_api_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
+ -hal_gnss_service # TODO(b/169256910) remove once all violators are gone
-drmserver_service
-hal_light_service # TODO(b/148154485) remove once all violators are gone
-credstore_service
@@ -683,6 +684,7 @@
-virtual_touchpad_service
-vr_hwc_service
-vr_manager_service
+ userdebug_or_eng(`-hal_face_service')
}:service_manager find;
')
diff --git a/public/hal_face.te b/public/hal_face.te
index b250586..0134576 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -3,6 +3,9 @@
binder_call(hal_face_server, hal_face_client)
hal_attribute_hwservice(hal_face, hal_face_hwservice)
+hal_attribute_service(hal_face, hal_face_service)
+
+binder_call(hal_face_server, servicemanager)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 9bfc4ec..832bc8d 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -3,3 +3,7 @@
binder_call(hal_gnss_server, hal_gnss_client)
hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
+hal_attribute_service(hal_gnss, hal_gnss_service)
+binder_call(hal_gnss_server, servicemanager)
+binder_call(hal_gnss_client, servicemanager)
+
diff --git a/public/property.te b/public/property.te
index 708fc38..06df3d7 100644
--- a/public/property.te
+++ b/public/property.te
@@ -79,6 +79,7 @@
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(ab_update_gki_prop)
system_restricted_prop(usb_prop)
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
diff --git a/public/service.te b/public/service.te
index 62c1b11..b7a287b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -183,7 +183,7 @@
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
+type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -213,7 +213,9 @@
### HAL Services
###
+type hal_face_service, vendor_service, service_manager_type;
type hal_fingerprint_service, vendor_service, service_manager_type;
+type hal_gnss_service, vendor_service, service_manager_type;
type hal_identity_service, vendor_service, service_manager_type;
type hal_light_service, vendor_service, service_manager_type;
type hal_power_service, vendor_service, service_manager_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 57d8e7e..d332771 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -80,6 +80,9 @@
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir rw_dir_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a721fd5..3668b12 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -3,6 +3,7 @@
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
@@ -11,8 +12,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
@@ -29,6 +31,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0