Merge "Add property contexts for dex2oat cpu-set properties"
diff --git a/definitions.mk b/definitions.mk
index 6bb4f24..2ecdbdc 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -13,6 +13,7 @@
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
 	-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
+	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
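Review bot: The new `-D target_requires_insecure_execmem_for_swiftshader` option reads `PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER` directly, whereas every neighbouring `-D` is fed through a `PRIVATE_*` target-specific variable; if reading the product variable at recipe-expansion time is intended, a short comment such as `# product-wide switch, deliberately not a PRIVATE_ variable` would stop the next reader from "fixing" the inconsistency. Presumably an unset product variable yields an empty m4 definition, which the `ifelse` in private/system_server.te does not treat as `true`, so the default remains the neverallow — worth confirming in the m4 invocation. The enclosing `define` block starts before this hunk.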
diff --git a/private/apexd.te b/private/apexd.te
index 14778b2..31371d9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -114,6 +114,9 @@
   domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
 ')
 
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
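Review bot: The new rule grants both `read` and `write` on devpts, but routing apexd's stdout/stderr through logwrapper only needs the write side of the pty; unless apexd actually reads from it, `allow apexd devpts:chr_file write;` is the narrower rule. If `read` is genuinely required for the logwrapper hand-off, extending the comment with that reason would keep a later cleanup from trimming it. Leaving `ioctl` out of the rule is the right call and should stay that way.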
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 83c76cb..8263d7a 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    auth_service
     ashmem_libcutils_device
     blob_store_service
     boringssl_self_test
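Review bot: The private type `vzwomatrigger_app`, introduced by private/vzwomatrigger_app.te in this same change, is not among the `new_objects` added here or in the next hunk of this file, while the other new types (`auth_service`, `ota_prop`, `timezonedetector_service`) are. If it is not already listed elsewhere in this file, the 29.0 compatibility mapping will presumably flag it as an unmapped new type; adding `vzwomatrigger_app` next to the other new entries would keep the file consistent with the rest of the change.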
@@ -26,10 +27,12 @@
     linker_prop
     mock_ota_prop
     ota_metadata_file
+    ota_prop
     art_apex_dir
     service_manager_service
     system_group_file
     system_passwd_file
+    timezonedetector_service
     vendor_apex_file
     vendor_boringssl_self_test
     vendor_install_recovery
diff --git a/private/gsid.te b/private/gsid.te
index cc255ca..306efb8 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -75,6 +75,8 @@
   -gsid
   -init
   -update_engine_common
+  -recovery
+  -fastbootd
 } gsid_prop:property_service set;
 
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
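Review bot: The exemption lists grow by `-recovery` and `-fastbootd` (here) and `-recovery` (second hunk of this file) without recording why at this site; the matching allows live in public/fastbootd.te and public/recovery.te and are justified there as direct libfiemap/gsid use because binder is unavailable. A one-line comment above each neverallow, e.g. `# recovery and fastbootd drive libfiemap/gsid directly (no binder in recovery)`, would let a reader judge the exemption without cross-referencing three files. Both neverallow statements begin before their hunks, so the full subject set is not visible here.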
@@ -130,6 +132,7 @@
     -init
     -gsid
     -fastbootd
+    -recovery
     -vold
 } gsi_metadata_file:dir *;
 
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9b09ce3..15bb9e1 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
 ###
 type permissioncontroller_app, domain;
 
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
 app_domain(permissioncontroller_app)
 
 # Allow interaction with gpuservice
diff --git a/private/property_contexts b/private/property_contexts
index 16c8d93..0ecf0dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -219,3 +219,6 @@
 # Virtual A/B properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0
 ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0
+
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset  u:object_r:ota_prop:s0
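Review bot: `ota.warm_reset` is a prefix pattern under this file's matching model, so any property whose name starts with that string (say a future `ota.warm_reset_pending`) would also be labelled `ota_prop` and become settable by vold, update_engine and update_verifier. If this tree's property_contexts supports the `exact` keyword, `ota.warm_reset  u:object_r:ota_prop:s0 exact` pins the label to the single property; otherwise the comment could at least state that the entry is a prefix match. The comment could also name the writers and the reader (vendor_init) so the intended access set is visible where the property is declared.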
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 14b63e9..4980c93 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,7 @@
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
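Review bot: The new entry selects `vzwomatrigger_app` by package name alone, and that domain is permissive on userdebug/eng builds per private/vzwomatrigger_app.te, so the match criteria deserve a second look. `isPrivApp=true` already limits the match to apps installed as privileged, which narrows it considerably; if the app's signing key is known, adding a `seinfo=` qualifier (as other name-keyed entries in this file do) would tie the domain to the key rather than the name. This mirrors the existing permissioncontroller line, so if that precedent was reviewed and accepted, the same reasoning presumably applies here.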
diff --git a/private/service_contexts b/private/service_contexts
index b7cd10f..83f2cc1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -19,6 +19,7 @@
 assetatlas                                u:object_r:assetatlas_service:s0
 attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
+auth                                      u:object_r:auth_service:s0
 autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
@@ -197,6 +198,7 @@
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
 time_detector                             u:object_r:timedetector_service:s0
+time_zone_detector                        u:object_r:timezonedetector_service:s0
 timezone                                  u:object_r:timezone_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 trust                                     u:object_r:trust_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9232843..f0a447a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -983,7 +983,12 @@
 # system_server should never use JIT functionality
 # See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
 # in the section titled "A Short ROP Chain" for why.
-neverallow system_server self:process execmem;
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+  `allow system_server self:process execmem;',
+  `neverallow system_server self:process execmem;')
 neverallow system_server ashmem_device:chr_file execute;
 
 # TODO: deal with tmpfs_domain pub/priv split properly
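Review bot: The `true` branch swaps the neverallow for a plain `allow`, so on any product that sets the flag every build variant — including user — gets a JIT-capable system_server; the comment asserts such builds never ship, but nothing in the policy enforces that. Wrapping the grant as `userdebug_or_eng(`allow system_server self:process execmem;')` would make the weakening mechanically impossible on user builds, provided no emulator user build depends on SwiftShader — that needs confirming before changing it. Keeping `neverallow system_server ashmem_device:chr_file execute;` unconditional on the following line is right and should be preserved in any rework.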
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
new file mode 100644
index 0000000..4a7d3f7
--- /dev/null
+++ b/private/vzwomatrigger_app.te
@@ -0,0 +1,14 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `vzwomatrigger_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive vzwomatrigger_app;')
+
+app_domain(vzwomatrigger_app)
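Review bot: The TODO and STOPSHIP lines reuse `b/142672293`, the bug that tracked permissioncontroller_app's permissive stub, and this very change deletes that stub from private/permissioncontroller_app.te; a bug dedicated to VzwOmaTrigger's denials is needed, or this STOPSHIP will be closed along with the other domain's work. Separately, on user builds the `userdebug_or_eng` wrapper drops the permissive line, leaving the domain enforcing with only the `app_domain()` baseline, so "Allow everything" holds only on debug builds; saying so explicitly, e.g. `# On user builds this domain is enforcing with only the app_domain() baseline.`, would set expectations for anyone debugging a user-build denial.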
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 39abc5e..f08885a 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -107,6 +107,12 @@
     allow fastbootd labeledfs:filesystem { mount unmount };
     get_prop(fastbootd, persistent_properties_ready_prop)
   ')
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  set_prop(fastbootd, gsid_prop)
+  allow fastbootd gsi_metadata_file:dir search;
+  allow fastbootd ota_metadata_file:dir rw_dir_perms;
+  allow fastbootd ota_metadata_file:file create_file_perms;
 ')
 
 ###
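Review bot: The six added lines are duplicated verbatim in public/recovery.te (the next file's hunk), and both must stay in step with the neverallow exemptions added in private/gsid.te; a cross-reference comment such as `# Keep in sync with recovery.te and the gsid_prop neverallow in gsid.te` at both sites, or a shared macro, would reduce drift. `create_file_perms` on `ota_metadata_file:file` also carries `unlink` and `rename`; if libfiemap only creates and writes its images, a narrower permission set would fit the stated purpose. The m4 block these lines sit inside opens before the hunk.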
diff --git a/public/property.te b/public/property.te
index d417628..f2c2353 100644
--- a/public/property.te
+++ b/public/property.te
@@ -130,6 +130,7 @@
 system_public_prop(log_tag_prop)
 system_public_prop(lowpan_prop)
 system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
 system_public_prop(powerctl_prop)
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
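Review bot: The third and fourth hunks of this file add `-ota_prop` to two neverallow exemption lists whose heads begin before the hunks, so what the exemptions actually relax is not visible here; with ota_prop also declared `system_public_prop` (this hunk) and `core_property_type` (second hunk), confirm both exemptions are needed by the new setters (vold, update_engine, update_verifier) and the vendor_init getter rather than copied from nfc_prop's neighbouring entries. A comment at the declaration, e.g. `# ota.warm_reset: set by update_engine/update_verifier/vold, read by vendor_init`, would document the intended access set in one place.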
@@ -287,6 +288,7 @@
 typeattribute logd_prop          core_property_type;
 typeattribute net_radio_prop     core_property_type;
 typeattribute nfc_prop           core_property_type;
+typeattribute ota_prop           core_property_type;
 typeattribute pan_result_prop    core_property_type;
 typeattribute persist_debug_prop core_property_type;
 typeattribute powerctl_prop      core_property_type;
@@ -313,6 +315,7 @@
   -logd_prop
   -net_radio_prop
   -nfc_prop
+  -ota_prop
   -pan_result_prop
   -persist_debug_prop
   -powerctl_prop
@@ -625,6 +628,7 @@
     -net_radio_prop
     -netd_stable_secret_prop
     -nfc_prop
+    -ota_prop
     -overlay_prop
     -pan_result_prop
     -persist_debug_prop
diff --git a/public/radio.te b/public/radio.te
index 4527707..34eaf83 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,6 +35,7 @@
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
 allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
diff --git a/public/recovery.te b/public/recovery.te
index 2b77bc3..1193354 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -142,6 +142,12 @@
   # These are needed to update dynamic partitions in recovery.
   r_dir_file(recovery, sysfs_dm)
   allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  set_prop(recovery, gsid_prop)
+  allow recovery gsi_metadata_file:dir search;
+  allow recovery ota_metadata_file:dir rw_dir_perms;
+  allow recovery ota_metadata_file:file create_file_perms;
 ')
 
 ###
diff --git a/public/service.te b/public/service.te
index aace214..2ae27b4 100644
--- a/public/service.te
+++ b/public/service.te
@@ -49,6 +49,7 @@
 type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
 type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -167,6 +168,7 @@
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/update_engine.te b/public/update_engine.te
index 5410bde..8aafe34 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -58,6 +58,9 @@
 # Allow to start gsid service.
 set_prop(update_engine, ctl_gsid_prop)
 
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
 # update_engine tries to determine the parent path for all devices (e.g.
 # /dev/block/by-name) by reading the default fstab and looking for the misc
 # device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8d40cdd..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -27,6 +27,9 @@
 # Allow update_verifier to reboot the device.
 set_prop(update_verifier, powerctl_prop)
 
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
 # Use Boot Control HAL
 hal_client_domain(update_verifier, hal_bootctl)
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 21a9222..fe5755f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -258,6 +258,8 @@
 get_prop(vendor_init, exported3_system_prop)
 get_prop(vendor_init, theme_prop)
 
+get_prop(vendor_init, ota_prop)
+
 ###
 ### neverallow rules
 ###
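Review bot: `get_prop(vendor_init, ota_prop)` is added without the why-comment that the other new ota_prop rules in this change carry (public/update_engine.te, public/update_verifier.te), and `set_prop(vold, ota_prop)` in public/vold.te has the same gap. vendor_init is the only reader of the property in this change, so a line such as `# vendor init scripts read ota.warm_reset to <actual reason — fill in>` above the rule would explain why a system-set OTA flag needs vendor-side visibility; the vold rule would similarly benefit from naming the code path that sets it.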
diff --git a/public/vold.te b/public/vold.te
index 9e68d65..bc4da1e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -174,6 +174,7 @@
 set_prop(vold, powerctl_prop)
 set_prop(vold, ctl_fuse_prop)
 set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;