Merge "[Sepolicy] Change sepolicy name back to formal name."
diff --git a/private/adbd.te b/private/adbd.te
index 52070cb..c2c6164 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -217,6 +217,9 @@
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/bpfloader.te b/private/bpfloader.te
index ae9b52c..343ec7a 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,13 +27,13 @@
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f11372b..7c508cd 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -68,6 +68,7 @@
hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
+ hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
keystore_compat_hal_service
diff --git a/private/file_contexts b/private/file_contexts
index 89b63d6..d34f64f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -361,7 +361,6 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/keystore.te b/private/keystore.te
index 3fccf59..0e57045 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -29,7 +29,6 @@
get_prop(keystore, keystore_listen_prop)
-# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;
-allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/lmkd.te b/private/lmkd.te
index fef3a89..ec9a93e 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,8 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
+allow lmkd fs_bpf:dir search;
+allow lmkd fs_bpf:file read;
+allow lmkd bpfloader:bpf map_read;
+
neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/platform_app.te b/private/platform_app.te
index a112081..f746f1c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,9 @@
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
###
### Neverallow rules
###
diff --git a/private/priv_app.te b/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -189,6 +189,14 @@
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
###
### neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 56f3398..0799e57 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -843,6 +843,7 @@
ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
diff --git a/private/rs.te b/private/rs.te
index bf10841..268f040 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
diff --git a/private/shell.te b/private/shell.te
index 26f6d95..40b19fd 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,8 +114,10 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
-# Allow shell to read /apex/apex-info-list.xml
+# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
+allow shell vendor_apex_file:file r_file_perms;
+allow shell vendor_apex_file:dir r_dir_perms;
# Set properties.
set_prop(shell, shell_prop)
@@ -200,3 +202,6 @@
# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 48d5f9d..10b8177 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -169,6 +169,9 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index f22eab9..f35f9a8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -222,6 +222,9 @@
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;
+# Allow reading /proc/vmstat for the oom kill count
+allow system_server proc_vmstat:file r_file_perms;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index da98e2e..974a297 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -1,15 +1,5 @@
-# wait_for_keymaster service
+# wait_for_keymaster service. No longer used;
+# here only so that downstream code compiles.
type wait_for_keymaster, domain, coredomain;
type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(wait_for_keymaster)
-
-hal_client_domain(wait_for_keymaster, hal_keymaster)
-
-allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
-
-# wait_for_keymaster needs to find keystore and call methods with the returned
-# binder reference.
-binder_use(wait_for_keymaster)
-allow wait_for_keymaster keystore_service:service_manager find;
-binder_call(wait_for_keymaster, keystore)
diff --git a/private/zygote.te b/private/zygote.te
index 9038c4f..dd42a81 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -69,8 +69,8 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/app.te b/public/app.te
index ae8d7fd..a49faaf 100644
--- a/public/app.te
+++ b/public/app.te
@@ -70,7 +70,7 @@
allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/public/attributes b/public/attributes
index daef4bb..2e01f1e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -358,6 +358,7 @@
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
+hal_attribute(uwb);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d7451df..b7e555f 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -28,6 +28,7 @@
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
+allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 0214e2a..a895ad0 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,6 +8,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -25,6 +26,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -36,6 +38,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/installd.te b/public/installd.te
index eb13cfa..08060e3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -160,6 +160,10 @@
#add for move app to sd card
get_prop(installd, storage_config_prop)
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
###
### Neverallow rules
###
diff --git a/public/service.te b/public/service.te
index befc213..4fa6a13 100644
--- a/public/service.te
+++ b/public/service.te
@@ -160,7 +160,7 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, system_server_service, service_manager_type;
+type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type people_service, app_api_service, system_server_service, service_manager_type;