Merge "Add property contexts for dex2oat cpu-set properties"
diff --git a/definitions.mk b/definitions.mk
index 6bb4f24..2ecdbdc 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -13,6 +13,7 @@
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
+ -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
diff --git a/private/apexd.te b/private/apexd.te
index 14778b2..31371d9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -114,6 +114,9 @@
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 83c76cb..8263d7a 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ auth_service
ashmem_libcutils_device
blob_store_service
boringssl_self_test
@@ -26,10 +27,12 @@
linker_prop
mock_ota_prop
ota_metadata_file
+ ota_prop
art_apex_dir
service_manager_service
system_group_file
system_passwd_file
+ timezonedetector_service
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
diff --git a/private/gsid.te b/private/gsid.te
index cc255ca..306efb8 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -75,6 +75,8 @@
-gsid
-init
-update_engine_common
+ -recovery
+ -fastbootd
} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
@@ -130,6 +132,7 @@
-init
-gsid
-fastbootd
+ -recovery
-vold
} gsi_metadata_file:dir *;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9b09ce3..15bb9e1 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
###
type permissioncontroller_app, domain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
app_domain(permissioncontroller_app)
# Allow interaction with gpuservice
diff --git a/private/property_contexts b/private/property_contexts
index 16c8d93..0ecf0dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -219,3 +219,6 @@
# Virtual A/B properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset u:object_r:ota_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 14b63e9..4980c93 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,7 @@
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index b7cd10f..83f2cc1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -19,6 +19,7 @@
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
+auth u:object_r:auth_service:s0
autofill u:object_r:autofill_service:s0
backup u:object_r:backup_service:s0
batteryproperties u:object_r:batteryproperties_service:s0
@@ -197,6 +198,7 @@
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
+time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9232843..f0a447a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -983,7 +983,12 @@
# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
-neverallow system_server self:process execmem;
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+ `allow system_server self:process execmem;',
+ `neverallow system_server self:process execmem;')
neverallow system_server ashmem_device:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
new file mode 100644
index 0000000..4a7d3f7
--- /dev/null
+++ b/private/vzwomatrigger_app.te
@@ -0,0 +1,14 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `vzwomatrigger_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive vzwomatrigger_app;')
+
+app_domain(vzwomatrigger_app)
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 39abc5e..f08885a 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -107,6 +107,12 @@
allow fastbootd labeledfs:filesystem { mount unmount };
get_prop(fastbootd, persistent_properties_ready_prop)
')
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ set_prop(fastbootd, gsid_prop)
+ allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd ota_metadata_file:dir rw_dir_perms;
+ allow fastbootd ota_metadata_file:file create_file_perms;
')
###
diff --git a/public/property.te b/public/property.te
index d417628..f2c2353 100644
--- a/public/property.te
+++ b/public/property.te
@@ -130,6 +130,7 @@
system_public_prop(log_tag_prop)
system_public_prop(lowpan_prop)
system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
@@ -287,6 +288,7 @@
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
@@ -313,6 +315,7 @@
-logd_prop
-net_radio_prop
-nfc_prop
+ -ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
@@ -625,6 +628,7 @@
-net_radio_prop
-netd_stable_secret_prop
-nfc_prop
+ -ota_prop
-overlay_prop
-pan_result_prop
-persist_debug_prop
diff --git a/public/radio.te b/public/radio.te
index 4527707..34eaf83 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,6 +35,7 @@
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
hwbinder_use(radio)
diff --git a/public/recovery.te b/public/recovery.te
index 2b77bc3..1193354 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -142,6 +142,12 @@
# These are needed to update dynamic partitions in recovery.
r_dir_file(recovery, sysfs_dm)
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ set_prop(recovery, gsid_prop)
+ allow recovery gsi_metadata_file:dir search;
+ allow recovery ota_metadata_file:dir rw_dir_perms;
+ allow recovery ota_metadata_file:file create_file_perms;
')
###
diff --git a/public/service.te b/public/service.te
index aace214..2ae27b4 100644
--- a/public/service.te
+++ b/public/service.te
@@ -49,6 +49,7 @@
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -167,6 +168,7 @@
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/update_engine.te b/public/update_engine.te
index 5410bde..8aafe34 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -58,6 +58,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8d40cdd..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -27,6 +27,9 @@
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 21a9222..fe5755f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -258,6 +258,8 @@
get_prop(vendor_init, exported3_system_prop)
get_prop(vendor_init, theme_prop)
+get_prop(vendor_init, ota_prop)
+
###
### neverallow rules
###
diff --git a/public/vold.te b/public/vold.te
index 9e68d65..bc4da1e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -174,6 +174,7 @@
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;