Merge changes from topic "product_sepolicy.cil"
* changes:
Separate product_sepolicy.cil out of system sepolicy
Replace "grep -f" with python util.
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 461b53e..222f381 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -19,6 +19,7 @@
apexd_tmpfs
biometric_service
content_capture_service
+ content_suggestions_service
cpu_variant_prop
dev_cpu_variant
device_config_boot_count_prop
@@ -62,8 +63,11 @@
mediaswcodec_tmpfs
mnt_product_file
overlayfs_file
+ permissionmgr_service
recovery_socket
role_service
+ rss_hwm_reset
+ rss_hwm_reset_exec
runtime_service
super_block_device
system_lmk_prop
diff --git a/private/file_contexts b/private/file_contexts
index fac31a0..0d0835d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -251,6 +251,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
diff --git a/private/perfetto.te b/private/perfetto.te
index 4d8720a..2e43d90 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -3,7 +3,6 @@
# This command line client accesses the privileged socket of the traced
# daemon.
-type perfetto, domain, coredomain;
type perfetto_exec, system_file_type, exec_type, file_type;
tmpfs_domain(perfetto);
diff --git a/private/rss_hwm_reset.te b/private/rss_hwm_reset.te
new file mode 100644
index 0000000..30818c2
--- /dev/null
+++ b/private/rss_hwm_reset.te
@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;
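Review bot: The last rule, `allow rss_hwm_reset domain:file w_file_perms;`, grants far more than the comment above it describes: per-pid procfs entries carry the label of the owning process's domain, so writing to `domain:file` means writing to every writable /proc/<pid>/ file of every process (oom_score_adj, comm, timerslack_ns and friends, not just clear_refs), and together with dac_override that makes this a rather privileged domain. Android has no finer type for clear_refs, so the target cannot be narrowed, but the permission set can: clear_refs only needs open and write, so `allow rss_hwm_reset domain:file { open write };` avoids the append/lock/map that w_file_perms presumably expands to (check global_macros). The comment should state the real blast radius, e.g. `# Write to /proc/pid/clear_refs. NOTE: /proc/pid files are labeled with the process domain, so this also permits writes to every other writable /proc/pid entry; keep this domain minimal.` Two typos while there: `/prc/pid` should be `/proc/pid`, and the kernel mode macro is `S_IWUSR`, not `S_IWUSER`.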
diff --git a/private/service_contexts b/private/service_contexts
index 1a9be8c..c90f93b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -33,6 +33,7 @@
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
@@ -129,6 +130,7 @@
package_native u:object_r:package_native_service:s0
perfprofd u:object_r:perfprofd_service:s0
permission u:object_r:permission_service:s0
+permissionmgr u:object_r:permissionmgr_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
diff --git a/private/shell.te b/private/shell.te
index 8867112..95e0d40 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -44,6 +44,8 @@
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
+# Allow to send SIGINT to perfetto when daemonized.
+allow shell perfetto:process signal;
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
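Review bot: The comment on the added rule says SIGINT, but the `signal` permission in the process class is not signal-specific: it covers every signal except SIGKILL, SIGSTOP, SIGCHLD and the null signal, which have their own permissions, so shell can also deliver SIGTERM, SIGHUP, SIGUSR1 and so on to any process in the perfetto domain. Policy cannot express "SIGINT only", so the comment should say what is actually granted, e.g. `# Allow shell to signal (e.g. SIGINT to stop tracing) the perfetto client it daemonized. "signal" covers all signals other than SIGKILL/SIGSTOP; see the appdomain neverallow in public/app.te.` Note the rule applies to every process labeled perfetto, not only the one shell started via the domain_auto_trans above.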
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 8825e2e..0db825a 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@
# directories for targetApi<=25. This is also allowed for targetAPIs 26,
# 27, and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index fab6acc..f3b9df8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,6 +30,7 @@
# The ability to call exec() or dlopen() on files in the apps home
# directories for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/public/app.te b/public/app.te
index aa735b4..94acac7 100644
--- a/public/app.te
+++ b/public/app.te
@@ -432,7 +432,9 @@
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
+# -perfetto is to allow shell (which is an appdomain) to kill perfetto
+# (see private/shell.te).
+neverallow appdomain { domain -appdomain -perfetto }:process
{ sigkill sigstop signal };
# Write to rootfs.
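Review bot: The `-perfetto` carve-out on the neverallow is wider than the comment above it justifies: it lifts the restriction for every appdomain (untrusted_app, isolated_app, ...), not just shell, and for sigkill and sigstop as well as signal, whereas private/shell.te only needs `shell perfetto:process signal`. After this change nothing in the neverallow layer stops a future allow rule from letting an untrusted app kill or stop the tracing client. I'd restate the guarantee for perfetto directly after the relaxed rule: `neverallow { appdomain -shell } perfetto:process { sigkill sigstop signal };` and `neverallow shell perfetto:process { sigkill sigstop };`, which keeps exactly the one exception shell.te uses.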
diff --git a/public/domain.te b/public/domain.te
index d0e4e41..ab6610f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1354,6 +1354,7 @@
perfprofd
postinstall_dexopt
recovery
+ rss_hwm_reset
sdcardd
tee
ueventd
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index e86becf..4edab55 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -16,6 +16,7 @@
allow mediaextractor system_server:fd use;
hal_client_domain(mediaextractor, hal_cas)
+hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
allow mediaextractor proc_meminfo:file r_file_perms;
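Review bot: The added `hal_client_domain(mediaextractor, hal_allocator)` carries no comment, and mediaextractor is a domain that parses untrusted media inside a deliberately minimal sandbox, so every additional HAL client relationship widens the hwbinder surface reachable from a compromised extractor. Please record what the allocator HAL is used for so the grant can be re-evaluated later, e.g. `# hal_allocator: presumably for hidl_memory allocations shared with the CAS HAL above — confirm and remove if the CAS path does not need it.` That it relates to hal_cas is only a guess from the adjacent line; the reason is not visible in this change.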
diff --git a/public/perfetto.te b/public/perfetto.te
new file mode 100644
index 0000000..cec0e6f
--- /dev/null
+++ b/public/perfetto.te
@@ -0,0 +1 @@
+type perfetto, domain, coredomain;
diff --git a/public/property_contexts b/public/property_contexts
index 1533a0f..da12ae3 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -309,6 +309,7 @@
ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
diff --git a/public/rss_hwm_reset.te b/public/rss_hwm_reset.te
new file mode 100644
index 0000000..163e1ac
--- /dev/null
+++ b/public/rss_hwm_reset.te
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
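Review bot: `mlstrustedsubject` on the type declaration is a real privilege (the domain is exempted from MLS constraints), and the only explanation is a one-line comment with a typo (`procesess`). I'd spell out why it is needed: `# rss_hwm_reset resets the RSS high-water mark counters of all processes by writing to /proc/<pid>/clear_refs. mlstrustedsubject is required because app processes run at per-app MLS levels; without it those writes would be rejected by the MLS constraints.` That the MLS exemption exists for the cross-process procfs writes is inferred from private/rss_hwm_reset.te, not stated in this file, so please confirm it and drop the attribute if the writes succeed without it.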
diff --git a/public/service.te b/public/service.te
index 3844bfa..cf98261 100644
--- a/public/service.te
+++ b/public/service.te
@@ -66,6 +66,7 @@
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -125,6 +126,7 @@
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permissionmgr_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/hal_cas_default.te b/vendor/hal_cas_default.te
index fc548bf..cc1a2c8 100644
--- a/vendor/hal_cas_default.te
+++ b/vendor/hal_cas_default.te
@@ -6,3 +6,5 @@
# Allow CAS HAL's default implementation to use vendor-binder service
vndbinder_use(hal_cas_default);
+
+allow hal_cas_default hal_allocator:fd use;
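Review bot: The new `allow hal_cas_default hal_allocator:fd use;` is the only rule in this file without a comment stating its purpose, and `hal_allocator` is an attribute, so the rule applies to fds received from any process carrying it rather than one specific server. A short rationale next to the grant, e.g. `# Use file descriptors (hidl_memory / ashmem) passed in from the allocator HAL`, keeps the reason auditable; if these fds belong to memory allocated on behalf of mediaextractor (the companion public/mediaextractor.te change), say so, since that ties two privilege widenings to one feature. Whether that is the actual data flow is not visible from this hunk.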