Merge changes Iace4a45c,I007d3bab
* changes:
microdroid: Set mls_cats to 1
Add mls_cats property to se_policy_conf
diff --git a/apex/Android.bp b/apex/Android.bp
index b85b1f5..5d61303 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -263,3 +263,10 @@
"com.android.car.framework-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.ondevicepersonalization-file_contexts",
+ srcs: [
+ "com.android.ondevicepersonalization-file_contexts",
+ ],
+}
diff --git a/apex/com.android.ondevicepersonalization-file_contexts b/apex/com.android.ondevicepersonalization-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.ondevicepersonalization-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 004c108..8a62341 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -56,6 +56,9 @@
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
+# For ART (allow userfaultfd and related ioctls)
+userfaultfd_use(app_zygote)
+
# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
allow app_zygote apex_module_data_file:dir search;
# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
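Review bot: The comment above the added `userfaultfd_use(app_zygote)` says what is granted but not why this domain needs it, and userfaultfd is a kernel interface that policy normally hands out sparingly. As far as I know, app_zygote runs application-supplied preload code before forking its children, so the justification belongs in the file, for example `# ART's garbage collector uses userfaultfd in the app zygote (presumed; confirm with the ART change).` It would also help to say whether the forked children are expected to use the inherited descriptor. The macro is defined outside this hunk and, as I recall it, forbids other domains from touching the `app_zygote_userfaultfd` type it creates.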
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 369b816..b77c97b 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -9,6 +9,7 @@
artd_service
attestation_verification_service
bluetooth_config_prop
+ binderfs_features
charger_vendor
cloudsearch
cloudsearch_service
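Review bot: `binderfs_features` is inserted after `bluetooth_config_prop`, which breaks the alphabetical order the visible neighbours follow (`attestation_verification_service`, `bluetooth_config_prop`, `charger_vendor`). Moving it one line up, before `bluetooth_config_prop`, keeps the ignore list sorted. A sorted list makes later additions easier to audit and less prone to merge conflicts.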
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ed3e996..149d389 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -120,3 +120,6 @@
# /dev/null.
allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;
+
+# system_dlkm_file for /system_dlkm partition
+allow dumpstate system_dlkm_file:dir getattr;
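Review bot: The comment on the new `allow dumpstate system_dlkm_file:dir getattr;` rule names the partition but not the reason dumpstate needs to stat it. A later reader therefore cannot tell whether `getattr` is the full requirement or the first of several denials. Something like `# dumpstate stats the /system_dlkm mount point while collecting filesystem information (inferred; cite the denial).` would record the intent. It would also make clear that read or search on the directory is deliberately not granted.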
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f20251d..ca64733 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -377,6 +377,7 @@
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
diff --git a/public/domain.te b/public/domain.te
index 2be67f5..705c13a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,6 +88,8 @@
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
+allow domain binderfs_features:dir search;
+allow domain binderfs_features:file r_file_perms;
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
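Review bot: The two added `binderfs_features` rules give every domain, including the most restricted app domains, search and read access. Nothing visible in this change documents that intent or pins the type as read-only. The existing comment above them talks about `/dev/binderfs` in general, so the new lines deserve their own, e.g. `# Allow everyone to read binderfs feature files.` If no domain is meant to modify these nodes, a guard such as `neverallow domain binderfs_features:file no_w_file_perms;` would stop a later rule from widening the grant unnoticed. That guard probably belongs in private policy rather than in this file.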
diff --git a/public/file.te b/public/file.te
index c0b7679..3c8fcc7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
+type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d0c474c..0cfb7cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,7 +32,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
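Review bot: The rewritten clearkey pattern no longer matches the old binary name `android.hardware.drm-service.clearkey-lazy`; it matches only `drm-service.clearkey` and `drm-service-lazy.clearkey`. A build that still installs the old lazy name would fall back to the generic vendor label, and the service would presumably not transition into its own domain. Please confirm that the rename landed everywhere. If it has not, keep both spellings during the transition with `/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0`.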