Merge "Allow apexd to read ro.cold_boot_done prop"
diff --git a/Android.mk b/Android.mk
index ef1ff1b..ad7d9bd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1402,13 +1402,15 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
+# modules with m4 with a tmp file called file_contexts.modules.tmp.
+# 3. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
-# file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
+# file_contexts.device.tmp into file_contexts.concat.tmp.
+# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
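Review bot: Step 2 of the updated header comment is garbled: "with m4 with a tmp file" does not say what m4 produces. Wording that matches steps 1 and 3 would be `# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed` followed by `# modules and process them with m4 into a tmp file called file_contexts.modules.tmp.`. This is a comment-only fix; the numbered list continues past this hunk unchanged.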
@@ -1431,21 +1433,12 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
-# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
-$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
- $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
- $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
- $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
- $(eval _input := $(_fc_path))\
- $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
- $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
- )
-
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
-$(file_contexts.local.tmp): $(local_fc_files) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@
+$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
+
+# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
+# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
+file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
device_fc_files := $(call build_vendor_policy, file_contexts)
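Review bot: `file_contexts.modules.tmp` is only given a path here; the rule that builds it lives in build/make/core/Makefile, outside this change, and that cross-repository dependency is not enforced anywhere in this file. If the two changes do not land together, the concat rule in the later hunk will presumably fail for lack of a rule to make that target. The added comment should name the change or variable on the build/make side that must be present. It should also say whether the flattened-APEX contexts removed in this hunk are now expected to arrive through LOCAL_FILE_CONTEXTS. A small wording fix for the second comment line: `# It gathers LOCAL_FILE_CONTEXTS from product_MODULES.`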
@@ -1469,10 +1462,9 @@
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
-$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@
+$(call merge-fc-files,\
+ $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
+ $(file_contexts.concat.tmp))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
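Review bot: Module-supplied entries are merged between the platform and device entries without a per-source validation step, whereas the device file goes through `checkfc -e` and `fc_sort` before it is concatenated. Because the position of an entry in file_contexts can decide which label wins for a path, a module's LOCAL_FILE_CONTEXTS may be able to override a label the platform policy assigns. Whether the rule in build/make restricts what modules can contribute is not visible from here. Consider validating `file_contexts.modules.tmp` before the merge, or at least add a comment such as `# modules.tmp is merged unsorted; entries must only cover the module's own install paths`.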
@@ -1489,6 +1481,7 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
+file_contexts.modules.tmp :=
##################################
include $(CLEAR_VARS)
diff --git a/definitions.mk b/definitions.mk
index 2ecdbdc..f6b80d0 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -18,3 +18,20 @@
-s $(PRIVATE_POLICY_FILES) > $@
endef
.KATI_READONLY := transform-policy-to-conf
+
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
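Review bot: The two new macros are not marked read-only, unlike `transform-policy-to-conf` directly above them, so a later makefile could silently redefine the helper that assembles file_contexts. Adding `.KATI_READONLY := _merge-fc-files merge-fc-files` after the second `endef` keeps the file consistent. The header comment could also state that `$(1)` is expanded when the macro is evaluated, so the file list must be final at the call site.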
diff --git a/private/genfs_contexts b/private/genfs_contexts
index accd02e..136da2b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -256,6 +256,8 @@
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
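Review bot: The two added tracefs entries label the whole `irq` and `ipi` event categories as debugfs_tracing, whereas the neighbouring entries name individual events such as `cpuhp/cpuhp_enter/`. The same applies to the matching debugfs entries added in the second hunk of this file. Every event under those directories, including any a future kernel adds, inherits the label and becomes readable by whichever domains are granted debugfs_tracing. If only particular events are needed, list them one by one as the surrounding lines do. Otherwise add a comment such as `# irq/ and ipi/ are labelled as whole categories on purpose` so the wider scope is clearly deliberate.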
@@ -306,6 +308,8 @@
genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/property_contexts b/private/property_contexts
index 1fe3e0c..4f7a1dc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -115,6 +115,9 @@
vold. u:object_r:vold_prop:s0
ro.crypto. u:object_r:vold_prop:s0
+# TODO(b/141677108): Remove once true everywhere
+ro.vold.level_from_user u:object_r:vold_config_prop:s0
+
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
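Review bot: The new `ro.vold.level_from_user` entry has no match qualifier, so it acts as a prefix and also labels any property whose name merely starts with that string. The `ro.build.fingerprint` entry below shows the stricter form. If the property is a boolean flag, as the TODO ("Remove once true everywhere") suggests, the entry could read `ro.vold.level_from_user u:object_r:vold_config_prop:s0 exact bool`. That also lets the property service reject values of the wrong type.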
diff --git a/private/service_contexts b/private/service_contexts
index f5cd873..a2c8455 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -20,8 +20,8 @@
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
-android.security.keystore2 u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index dcdf501..cadc6cd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -566,6 +566,9 @@
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+# Allow PackageManager to rename file from /data/app-staging folder to /data/app during
+# staged apk install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
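Review bot: The added comment describes a rename, but the rule grants `relabelfrom` on both directories and files of staging_data_file, which is a label change and not a move. The comment should say what the objects are relabelled to, for example `# Allow PackageManager to relabel staged APKs from staging_data_file when moving them from /data/app-staging to /data/app.` The single-element braces can be dropped to match the wallpaper rule below: `allow system_server staging_data_file:{ dir file } relabelfrom;`. It is also worth confirming that `dir` is needed and not only `file`.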
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index f3ec058..4197ddd 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1,5 +1,7 @@
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
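Review bot: `typeattribute vold_prepare_subdirs mlstrustedsubject;` is added with no comment, although it exempts the whole domain from the MLS constraints that separate per-user and per-app data. The lines just below show that this domain also executes the shell and toolbox, so the exemption covers everything those helpers do. Please add a comment naming the specific directory operation that fails the MLS check without the attribute. It is also worth checking whether a narrower grant would suffice. The later hunks in this file extend the domain further (system_data_file, user_profile_data_file) and should be read together with this line.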
@@ -24,6 +26,7 @@
iris_vendor_data_file
rollback_data_file
storaged_data_file
+ system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
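Review bot: Adding `system_data_file` to this type set grants `create_dir_perms` and `relabelto` on the generic /data label, which is much broader than the service-specific types around it. The allow statement begins above this hunk, so the full type list is not visible here. If only a subset is required, for instance relabelling a directory to system_data_file without creating or removing entries, a separate and narrower rule with its own comment would keep the grant auditable. At minimum, add a comment saying which directory this is for.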
@@ -41,5 +44,9 @@
vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
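Review bot: The `unlabeled:dir search` rule is justified by an early-boot condition but applies for the whole lifetime of the domain. The comment should say that, for example `# /data/misc is unlabeled during early boot; search is needed only until it is labelled.` The `user_profile_data_file:dir { search getattr relabelfrom relabelto }` rule above it has no comment at all, and allowing both relabel directions on profile directories deserves one line explaining which directories are relabelled and why. The `mnt_expand_file` rule would benefit from the same treatment.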
diff --git a/public/service.te b/public/service.te
index 7d40854..b7a287b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -183,7 +183,7 @@
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
+type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
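Review bot: Adding `app_api_service` to `timezonedetector_service` widens who may look up the service from system components to ordinary app domains, so SELinux no longer limits access. Protection then rests entirely on the permission checks inside the service, and it is worth confirming that every binder method enforces one. `ephemeral_app_api_service` is not added, unlike on `thermal_service` and `tv_input_service` nearby; if that omission is deliberate, a short comment would record it, for example `# Exposed to apps; instant apps intentionally excluded.`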