Merge "Add Google specific module for RKPD for sepolicy."
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7f6d98d..2ee0ae2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -29,6 +29,7 @@
 		"android.hardware.authsecret.IAuthSecret/default":                         EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/0":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.boot.IBootControl/default":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.can.ICanController/default":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/1":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.remoteaccess.IRemoteAccess/default":          EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.vehicle.IVehicle/default":                    EXCEPTION_NO_FUZZER,
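Review bot: The new ICanController entry is registered under EXCEPTION_NO_FUZZER, which — judging by the constant's name — exempts a freshly introduced AIDL HAL service from the fuzzer requirement instead of adding a fuzzer target; if no fuzzer exists yet, a trailing comment naming the tracking bug would keep the exemption reviewable. The line is also inserted between the IBootControl and IEvsEnumerator/hw/1 entries rather than next to the other android.hardware.automotive.* entries, and the same placement is used in private/service_contexts (hunk @@ -6,6 +6,7 @@) and in private/compat/33.0/33.0.ignore.cil, where hal_can_controller_service lands after hal_fastboot_service. Keeping the three lists sorted would make later lookups and merges easier.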
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 9222bdb..c2a3f4c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -85,7 +85,6 @@
 ro.boot.first_stage_console        u:object_r:bootloader_prop:s0 exact string
 ro.boot.force_normal_boot          u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware                   u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable  u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.debuggable      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.slot_suffix                u:object_r:bootloader_prop:s0 exact string
 ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 419caa1..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,9 +120,6 @@
 attribute vendor_public_property_type;
 expandattribute vendor_public_property_type false;
 
-# All domains used for apps with network access.
-attribute netdomain;
-
 # All domains used for apps with bluetooth access.
 attribute bluetoothdomain;
 
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
 type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
 
-# Create and use network sockets.
-net_domain(shell)
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index 152de51..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -6,8 +6,6 @@
 type su, domain;
 
 # Add su to various domains
-net_domain(su)
-
 dontaudit su self:capability_class_set *;
 dontaudit su self:capability2 *;
 dontaudit su kernel:security *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 8a7947d..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
+  hal_input_processor_server
   hal_light_server
   hal_neuralnetworks_server
   hal_omx_server
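Review bot: The frozen 33.0 snapshot (prebuilts/api/33.0/private/system_server.te) gains hal_input_processor_server while no matching change to the live private/system_server.te appears in this merge; presumably the live file already lists it, but that should be confirmed, since the snapshot is meant to mirror released policy rather than lead it. The same question applies to the deletion in prebuilts/api/33.0/public/dumpstate.te. The list receiving the new entry begins outside the hunk, so whether it feeds an allow or a neverallow cannot be seen here.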
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 8d3e556..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
   sysfs_zram
 }:file r_file_perms;
 
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
diff --git a/private/artd.te b/private/artd.te
index 63045af..96b2990 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
 # Allow testing userfaultfd support.
 userfaultfd_use(artd)
 
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
 r_dir_file(artd, apk_data_file)
 
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
 
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
 # Read/write access to all compilation artifacts generated on device for apps'
 # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
 allow artd dalvikcache_data_file:dir create_dir_perms;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
 # This allows the configurator to look up the CAN HAL controller via
 # hwservice_manager and communicate with it.
 hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
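Review bot: `binder_call(hal_can_controller, canhalconfigurator)` grants the callback direction from every domain carrying the hal_can_controller attribute rather than from the server specifically; if the hal_can_controller_client/_server binder_call pair is already declared for this HAL (the top of public/hal_can.te is outside this diff) the line is redundant, and otherwise `binder_call(hal_can_controller_server, canhalconfigurator)` would be the tighter form. `binder_use(canhalconfigurator)` is the expected addition for an AIDL client that looks the service up via servicemanager. The existing comment only explains the client-to-HAL direction, so a short note on why the HAL needs to call back into the configurator (callbacks, death notification, or similar) would help.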
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 849be82..2f8887b 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2116,7 +2116,7 @@
 (typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
 (typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
 (typeattributeset proc_filesystems_33_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_fs_verity_33_0 (proc))
 (typeattributeset proc_hostname_33_0 (proc_hostname))
 (typeattributeset proc_hung_task_33_0 (proc_hung_task))
 (typeattributeset proc_interrupts_33_0 (proc_interrupts))
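Review bot: Remapping proc_fs_verity_33_0 to the catch-all `proc` type means that any vendor policy built against the 33.0 API with rules on proc_fs_verity will, after this change, hold those permissions on everything labelled proc rather than on the single /proc/sys/fs/verity/require_signatures node; that is the usual consequence of retiring a type, but a one-line comment stating the widening is intentional would help the next reader. The matching genfscon removal is in private/genfs_contexts, and the node presumably now falls back to the default proc label — confirm that nothing in public policy still declares or references proc_fs_verity, since that declaration is not visible in this merge.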
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 786dc14..4e6c053 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -42,4 +42,5 @@
     hal_broadcastradio_service
     hal_confirmationui_service
     hal_fastboot_service
+    hal_can_controller_service
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -idmap
         -init
         -installd
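Review bot: The `-artd` exemptions (here and in the second hunk of this file at @@ -110,6 +111,7 @@) are added without a comment, and the neverallow they widen starts and ends outside the hunk, so the reader cannot see which object type artd is now permitted to touch — presumably the vendor_app_file / vendor_overlay_file restrictions, given the artd.te changes in this merge. A one-line justification next to each exemption, e.g. `-artd # reads vendor APKs, overlays and framework jars for dex compilation`, would tie it to the allow rules in private/artd.te. Since exempting a coredomain process from a vendor-file neverallow relaxes the Treble boundary, the comment should also make clear the access is read-only.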
@@ -110,6 +111,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -idmap
         -init
         -installd
diff --git a/private/crosvm.te b/private/crosvm.te
index 9c45131..d4d29b0 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -42,6 +42,12 @@
 # Note that the open permission is not given as the socket is passed by FD.
 allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
 
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+  allow crosvm shell_data_file:dir search;
+  allow crosvm shell_data_file:file open;
+')
+
 # The instance image and the composite image should be writable as well because they could represent
 # mutable disks.
 allow crosvm {
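Review bot: The new userdebug-only rule grants crosvm shell_data_file:file `open` but no `read` or `getattr`, so unless those are granted elsewhere (not visible in this merge) opening a custom pvmfw.img by path still fails at the first read; if read is meant to be covered here, `allow crosvm shell_data_file:file { open read getattr };` would make the rule self-contained. The dir permission is limited to `search`, which matches the `-crosvm` exemption added only to the search neverallow in private/domain.te, so the two files agree. Given that domain.te describes /data/local/tmp as untrustworthy, the comment could also state that this path is for test images only and is excluded from user builds by the userdebug_or_eng wrapper.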
diff --git a/private/domain.te b/private/domain.te
index 9de23ba..787a559 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -650,7 +650,7 @@
 # Restrict write access to etm sysfs interface.
 neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
 
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
 # untrustworthy, and non-allowed domains should not be trusting any content in
 # those directories. We allow shell files to be passed around by file
 # descriptor, but not directly opened.
@@ -669,6 +669,51 @@
   userdebug_or_eng(`-crosvm')
 } shell_data_file:file open;
 
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+  domain
+  -adbd
+  -artd
+  -dumpstate
+  -installd
+  -init
+  -shell
+  -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -artd
+  -dumpstate
+  -init
+  -installd
+  -simpleperf_app_runner
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -artd
+  -dumpstate
+  -init
+  -installd
+  -simpleperf_app_runner
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+  userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
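Review bot: The moved comment at the top of the new block still says it restricts `write access to shell owned directories`, but two of the three neverallows that follow restrict `open` and `search`, not writes; since the header comment in this same file was just reworded from "write" to "direct" access, this one should match, e.g. `# restrict write access to, and direct open/search of, shell owned directories.` The `-system_server # why?` marker is carried over twice (open and search rules) as an unanswered question; moving the rules into private policy is a good moment to either state the reason or drop the exemption. Splitting the former `{ open search }` rule into two copies of the exemption list so that crosvm can be exempted from search only is correct, but a short comment saying why crosvm needs search but not open would save the next reader a trip to private/crosvm.te.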
 # respect system_app sandboxes
 neverallow {
   domain
diff --git a/private/file_contexts b/private/file_contexts
index 72fae62..632e069 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,7 +223,7 @@
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
+/system/bin/canhalconfigurator(-aidl)?  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d0af186..6fa98ea 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
diff --git a/private/property_contexts b/private/property_contexts
index a6a6ce4..38ed8d5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -321,6 +321,8 @@
 ro.virtual_ab.compression.xor.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
 snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
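Review bot: `ro.virtual_ab.compression.threads` is declared `exact bool` although the name reads like a thread count; if the consumer in libsnapshot treats it as an on/off switch this is fine, otherwise it should be `exact int`, so it is worth confirming against the code that reads it (not visible here). `ro.virtual_ab.batch_writes` as `exact bool` is consistent with the surrounding feature flags.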
diff --git a/private/service_contexts b/private/service_contexts
index 4f907d1..e9fc83c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -6,6 +6,7 @@
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
 android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default               u:object_r:hal_can_controller_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.automotive.remoteaccess.IRemoteAccess/default       u:object_r:hal_remoteaccess_service:s0
diff --git a/public/domain.te b/public/domain.te
index 1e135b0..f99243b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1111,37 +1111,6 @@
   -installd
 } shell_data_file:lnk_file read;
 
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-# artd doesn't need to access /data/local/tmp, but it needs to access
-# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
-# dex files.
-neverallow {
-  domain
-  -adbd
-  -artd
-  -dumpstate
-  -installd
-  -init
-  -shell
-  -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -artd
-  -dumpstate
-  -init
-  -installd
-  -simpleperf_app_runner
-  -system_server # why?
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..6d4cc89 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,8 @@
 binder_call(hal_can_bus_client, hal_can_bus_server)
 binder_call(hal_can_bus_server, hal_can_bus_client)
 hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_call(hal_can_controller, servicemanager)
+
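Review bot: `binder_call(hal_can_controller, servicemanager)` is granted to the whole hal_can_controller attribute, whereas the servicemanager call is typically only needed by the process that registers the service; `binder_call(hal_can_controller_server, servicemanager)` is the narrower form and, as far as I recall, the convention used by other AIDL HAL files in sepolicy. The `hal_attribute_service` line depends on hal_can_controller_service (declared in public/service.te in this merge) and on the client/server binder_call pair for this HAL, which sits above the hunk and cannot be checked here. The hunk also leaves a trailing empty line at end of file.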
diff --git a/public/service.te b/public/service.te
index 819498c..1fcaaf1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -275,6 +275,7 @@
 type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
 type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
 type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
 type hal_cas_service, hal_service_type, service_manager_type;
 type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5b2df7e..a8655b0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service    u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..12bb028 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -9,10 +9,12 @@
 allow hal_can_socketcan self:capability net_admin;
 allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
 
-# Calling if_nametoindex(3) to open CAN sockets
+# See man page for netdevice(7) for more info on ioctls
 allow hal_can_socketcan self:udp_socket { create ioctl };
 allowxperm hal_can_socketcan self:udp_socket ioctl {
     SIOCGIFINDEX
+    SIOCGIFFLAGS
+    SIOCSIFFLAGS
 };
 
 # Communicating with SocketCAN interfaces and bringing them up/down
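Review bot: The rewritten comment above the ioctl rule drops the reason the udp_socket exists (if_nametoindex(3) for SIOCGIFINDEX) and replaces it with only a man-page pointer, so the allowlist no longer says what each ioctl is for; something like `# SIOCGIFINDEX: if_nametoindex(3); SIOCGIFFLAGS/SIOCSIFFLAGS: query and bring CAN interfaces up/down (see netdevice(7))` would keep the rationale next to the permissions. SIOCSIFFLAGS is a privileged ioctl that can change flags on any network interface, not only CAN ones; the domain already holds `net_admin` (context line at the top of the hunk), so the grant is consistent, but the comment should make that scope explicit.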