Merge "SEPolicy updates for adding native flag namespace(media)."
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d10ca35..f5b5d09 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
 (typeattributeset priv_app_28_0 (priv_app))
 (typeattributeset proc_28_0
   ( proc
+    proc_keys
     proc_slabinfo))
 (typeattributeset proc_abi_28_0 (proc_abi))
 (typeattributeset proc_asound_28_0 (proc_asound))
diff --git a/private/file_contexts b/private/file_contexts
index d206f2d..edd3f57 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -192,6 +192,7 @@
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/mini-keyctl	--	u:object_r:mini-keyctl_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
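Review bot: The new label `mini-keyctl_exec` uses a hyphen, while every other type visible in this hunk (`fsck_exec`, `e2fs_exec`) uses underscores only, and the policy file added later in this commit is itself named `mini_keyctl.te`. The hyphenated spelling is also used for the domain type in the `private/mini_keyctl.te` hunk. Unless something requires the type to match the binary name exactly, I would spell it `mini_keyctl` / `mini_keyctl_exec`, so that searching for the file name finds the type and any tooling that assumes underscore-only identifiers keeps working.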
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 87b9cb3..2a74484 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /keys u:object_r:proc_keys:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /loadavg u:object_r:proc_loadavg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 207e652..859293d 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -14,6 +14,7 @@
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
+android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory   u:object_r:hal_audio_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadio                u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_broadcastradio_hwservice:s0
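Review bot: `IBluetoothAudioProvidersFactory` is given the shared `hal_audio_hwservice` label, so every domain already allowed to find `hal_audio_hwservice` can also look up this Bluetooth interface. That matches the `a2dp::IBluetoothAudioOffload` line just above it, so it may be intentional. Since nothing on the new line says so, a short comment stating that Bluetooth audio deliberately shares the audio HAL label would help the next reviewer. The new entry also uses three spaces before the context where the neighbouring lines are column-aligned.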
diff --git a/private/installd.te b/private/installd.te
index c511b80..77889a3 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -31,3 +31,6 @@
 # subsequently restore them.
 allow installd rollback_data_file:dir create_dir_perms;
 allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
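Review bot: The comment above `get_prop(installd, device_config_runtime_native_prop)` says "access", but `get_prop` grants read only, and it does not say which flag installd consumes. I would tighten it to something like `# Allow installd to read runtime native feature flags (read-only).` and name the flag if the author can. That makes it possible to remove the grant later if the flag goes away.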
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
new file mode 100644
index 0000000..c81a17c
--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;
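Review bot: The `write` permission in `allow mini-keyctl kernel:key { view search write };` is the sensitive grant in this new domain, yet the file has no header saying what mini-keyctl does with kernel keyrings; the existing comments only justify the `dontaudit` lines. A header such as `# mini-keyctl manages keys on kernel-owned keyrings; write on kernel:key is needed for that.` (wording for the author to confirm) would let a later reviewer judge whether the grant can shrink. If no other domain is meant to modify kernel keyrings, a `neverallow` covering `kernel:key write` for all other domains would keep that from regressing. Whether such a rule already exists is not visible in this diff. The comment above `dontaudit mini-keyctl kernel:system module_request;` explains when the request happens but not why it is safe to refuse it silently.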
diff --git a/private/zygote.te b/private/zygote.te
index 9f8a348..ab86f89 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -97,7 +97,10 @@
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
 # Allow mounting on sdcardfs dirs
-allow zygote sdcardfs:dir { search mounton };
+# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
+# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
+# sdcardfs simply wraps files stored under /data/media.)
+allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
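Review bot: The widened rule `allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };` lets zygote use directories labelled `media_rw_data_file` as mount points. The parenthetical calling the two types "equivalent" holds for the file contents only: they are distinct labels, and `media_rw_data_file` is the backing store that sdcardfs wraps, as the comment itself notes. The TODO cites b/123533205 but not the denial or symptom that prompted the change, so the file gives no way to tell when it is safe to revert. I would record that in the comment, e.g. `# Workaround for <observed avc denial, placeholder> (b/123533205); drop media_rw_data_file once fixed.` It is also worth confirming that any `neverallow` or audit rule keyed on `sdcardfs` alone still covers what it was meant to.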
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 28a169f..9b3442a 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,3 +1,2 @@
 # bluetooth subsystem
 type bluetooth, domain;
-type bluetooth_tmpfs, file_type;
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 5993c0b..dc39a22 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,4 +12,3 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 type ephemeral_app, domain;
-type ephemeral_app_tmpfs, file_type;
diff --git a/public/file.te b/public/file.te
index a264c91..396e4d7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;
 type proc_iomem, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 584d743..a907dac 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -7,4 +7,3 @@
 ###
 
 type isolated_app, domain;
-type isolated_app_tmpfs, file_type;
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
index 90eb053..24170a5 100644
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@@ -4,4 +4,3 @@
 ###
 
 type mediaprovider, domain;
-type mediaprovider_tmpfs, file_type;
diff --git a/public/network_stack.te b/public/network_stack.te
index 61a40b0..feff664 100644
--- a/public/network_stack.te
+++ b/public/network_stack.te
@@ -1,3 +1,2 @@
 # Network stack service app
 type network_stack, domain;
-type network_stack_tmpfs, file_type;
diff --git a/public/nfc.te b/public/nfc.te
index 5c1aa24..e3a03e7 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,3 +1,2 @@
 # nfc subsystem
 type nfc, domain;
-type nfc_tmpfs, file_type;
diff --git a/public/platform_app.te b/public/platform_app.te
index b7d783d..9b1faf0 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,4 +3,3 @@
 ###
 
 type platform_app, domain;
-type platform_app_tmpfs, file_type;
diff --git a/public/priv_app.te b/public/priv_app.te
index 7c7dd12..0761fc3 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -3,4 +3,3 @@
 ###
 
 type priv_app, domain;
-type priv_app_tmpfs, file_type;
diff --git a/public/radio.te b/public/radio.te
index bbaa752..8a8bef3 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,6 +1,5 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
-type radio_tmpfs, file_type;
 
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/public/runas_app.te b/public/runas_app.te
index ff03940..cdaa799 100644
--- a/public/runas_app.te
+++ b/public/runas_app.te
@@ -1,2 +1 @@
 type runas_app, domain;
-type runas_app_tmpfs, file_type;
diff --git a/public/secure_element.te b/public/secure_element.te
index 985c66d..4ce6714 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,3 +1,2 @@
 # secure_element subsystem
 type secure_element, domain;
-type secure_element_tmpfs, file_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 422a375..8e58e42 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,6 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
-type shared_relro_tmpfs, file_type;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/shell.te b/public/shell.te
index 1c30d7a..7201df0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,7 +1,6 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
-type shell_tmpfs, file_type;
 
 # Create and use network sockets.
 net_domain(shell)
diff --git a/public/su.te b/public/su.te
index 41ae4ef..e09248b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,7 +1,6 @@
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
-type su_tmpfs, file_type;
 
 # File types must be defined for file_contexts.
 type su_exec, system_file_type, exec_type, file_type;
diff --git a/public/system_app.te b/public/system_app.te
index da781bc..023058e 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -5,4 +5,3 @@
 ###
 
 type system_app, domain;
-type system_app_tmpfs, file_type;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 3396570..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,5 +1,4 @@
 type traceur_app, domain;
-type traceur_app_tmpfs, file_type;
 
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 3843f55..5289bf9 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -19,6 +19,3 @@
 type untrusted_app, domain;
 type untrusted_app_27, domain;
 type untrusted_app_25, domain;
-type untrusted_app_tmpfs, file_type;
-type untrusted_app_27_tmpfs, file_type;
-type untrusted_app_25_tmpfs, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 03b0ac6..303f001 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -56,6 +56,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0