Merge "Allow app_zygote to open vendor_overlay_file from vendor apex"
diff --git a/apex/Android.bp b/apex/Android.bp
index 2dcae6f..22de5d4 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -43,6 +43,13 @@
 }
 
 filegroup {
+  name: "com.android.threadnetwork-file_contexts",
+  srcs: [
+    "com.android.threadnetwork-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.sdkext-file_contexts",
   srcs: [
     "com.android.sdkext-file_contexts",
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
new file mode 100644
index 0000000..1aabee9
--- /dev/null
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -0,0 +1,4 @@
+(/.*)?                         u:object_r:system_file:s0
+/bin/otbr-agent                u:object_r:ot_daemon_exec:s0
+/bin/ot-ctl                    u:object_r:ot_ctl_exec:s0
+/bin/ot-rcp                    u:object_r:ot_rcp_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7eef4ea..2150d83 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -458,7 +458,7 @@
 		"wifip2p":                      EXCEPTION_NO_FUZZER,
 		"wifiscanner":                  EXCEPTION_NO_FUZZER,
 		"wifi":                         EXCEPTION_NO_FUZZER,
-		"wifinl80211":                  EXCEPTION_NO_FUZZER,
+		"wifinl80211":                  []string{"wificond_service_fuzzer"},
 		"wifiaware":                    EXCEPTION_NO_FUZZER,
 		"wifirtt":                      EXCEPTION_NO_FUZZER,
 		"window":                       EXCEPTION_NO_FUZZER,
diff --git a/private/atrace.te b/private/atrace.te
index 50ab392..1712648 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -77,3 +77,5 @@
   allow atrace debugfs_tracing_debug:dir r_dir_perms;
   allow atrace debugfs_tracing_debug:file rw_file_perms;
 ')
+
+dontaudit atrace debugfs_tracing_debug:file audit_access;
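Review bot: The new `dontaudit` at the end of atrace.te has no comment, and it sits outside the `userdebug_or_eng` block that closes just above it, so it suppresses `audit_access` denials on every build type. A dontaudit hides evidence that someone debugging a denial would otherwise look for, so the reason should be recorded next to the rule. If the intent is what it appears to be, something like `# atrace probes these files with access(); suppress the denial on builds where the allow rules above are compiled out.` would do. The start of the enclosing `userdebug_or_eng` block is outside the hunk.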
diff --git a/private/file.te b/private/file.te
index f6781b0..e48fc4c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -131,5 +131,8 @@
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
+# /data/misc/threadnetwork
+type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
+
 # /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9c51e4..123e4ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -655,6 +655,7 @@
 /data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
+/data/misc/threadnetwork(/.*)?        u:object_r:threadnetwork_data_file:s0
 /data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..12e7ce2
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,11 @@
+#
+# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(ot_ctl)
+
+# Allow the ot_ctl to read/write the socket file.
+allow ot_ctl threadnetwork_data_file:sock_file {read write};
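Review bot: The only allow rule in ot_ctl.te grants `sock_file {read write}`, which on its own is probably not enough for the tool to reach the daemon. If the control socket is a Unix stream socket, the client also needs `connectto` on ot_daemon's socket and `search` on the containing directory. Assuming that is the case, `allow ot_ctl threadnetwork_data_file:dir search;` and `allow ot_ctl ot_daemon:unix_stream_socket connectto;` would state the intended access explicitly. Separately, `init_daemon_domain(ot_ctl)` only sets up a transition from init, and no other transition is visible in this change, so a command-line tool started from a shell would not enter this domain. A comment naming the expected caller would help.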
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..98e1a0a
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,24 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# used for simulation
+userdebug_or_eng(`
+create_pty(ot_daemon);
+domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
+')
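Review bot: Nothing in ot_daemon.te pins which domains may reach the daemon's state and control socket under /data/misc/threadnetwork, so a later broad grant on `data_file_type` or `core_data_file_type` would silently include them. A neverallow next to the three `threadnetwork_data_file` allow rules would turn that into a build failure, for example `neverallow { domain -ot_daemon -ot_ctl -init } threadnetwork_data_file:sock_file write;`, with the exemption list adjusted to what the tree actually requires. The `# used for simulation` comment could also say that the pty and the transition into ot_rcp exist only on userdebug/eng builds, to run the simulated radio.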
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
new file mode 100644
index 0000000..0f6f1d3
--- /dev/null
+++ b/private/ot_rcp.te
@@ -0,0 +1,15 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
+#
+
+type ot_rcp, domain, coredomain;
+type ot_rcp_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+allow ot_rcp ot_daemon:fd use;
+allow ot_rcp ot_daemon:fifo_file rw_file_perms;
+allow ot_rcp ot_daemon_devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp node:udp_socket node_bind;
+')
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4454bd7..abd6c7b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -183,8 +183,8 @@
 user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
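Review bot: The two rkpdapp entries switch from `levelFrom=user` to `levelFrom=all` without a comment, and the change alters the MLS level the process runs at. Files the app already wrote under the old level keep their old categories until something relabels them. Whether that relabel happens on upgrade is not visible in this hunk, so it is worth confirming that rkpdapp can still write its existing data after an OTA. A line such as `# rkpdapp: levelFrom=all so its data is isolated per app as well as per user.` above the pair would record the intent.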
diff --git a/public/dumpstate.te b/public/dumpstate.te
index cc3678c..4877f14 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -56,7 +56,7 @@
 allow dumpstate domain:process getattr;
 
 # Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
+allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
 
 # Signal native processes to dump their stack.
 allow dumpstate {