Merge "sepolicy: Add new crypto type ro.crypto.type=managed"
diff --git a/TEST_MAPPING b/TEST_MAPPING
index db12ffe..83021d0 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -14,6 +14,9 @@
                 }
 
             ]
+        },
+        {
+            "name": "MicrodroidHostTestCases"
         }
     ]
 }
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index d678ca6..35d20c0 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,4 +1,2 @@
 (/.*)?                   u:object_r:system_file:s0
-/bin/compos_key_main     u:object_r:compos_exec:s0
 /bin/compsvc             u:object_r:compos_exec:s0
-/bin/compsvc_worker      u:object_r:compos_exec:s0
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
new file mode 100644
index 0000000..7bd39e4
--- /dev/null
+++ b/microdroid/system/private/authfs.te
@@ -0,0 +1,21 @@
+# authfs is a FUSE-based filesystem to support "remote" file access normally
+# over vsock, backed by a file server backend on Android.
+
+type authfs, domain, coredomain;
+type authfs_exec, exec_type, file_type, system_file_type;
+
+allow authfs self:vsock_socket create_socket_perms_no_ioctl;
+
+# Allow basic rules to implement FUSE.
+# TODO(195554831): Move the privilege to authfs_service
+allow authfs fuse_device:chr_file rw_file_perms;
+allow authfs self:global_capability_class_set sys_admin;
+
+# Allow mounting authfs.
+# TODO(195554831): Move the privilege to authfs_service.
+allow authfs fuse:filesystem relabelfrom;
+allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
+allow authfs authfs_data_file:dir { mounton search };
+
+# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
+allow authfs authfs_service:fd use;
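Review bot: The new authfs domain is granted CAP_SYS_ADMIN (`allow authfs self:global_capability_class_set sys_admin;`) while it is also the process that consumes data arriving from the host over vsock (the `vsock_socket` rule above), yet unlike microdroid_manager.te in this same change it carries no execute restriction. Until the TODO that moves the mount privilege into authfs_service lands, I would add the same guard microdroid_manager already has: `neverallow authfs { file_type fs_type }:file execute_no_trans;`. It would also help to say in the comment which call needs sys_admin, since the capability covers far more than mount(2), e.g. `# sys_admin is needed for mount(2) of the FUSE filesystem; it is much broader than that, hence the TODO below.`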
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
new file mode 100644
index 0000000..f81a8f2
--- /dev/null
+++ b/microdroid/system/private/authfs_service.te
@@ -0,0 +1,35 @@
+# authfs_service is a binder service running on microdroid. It serves the
+# client's request and manages the mount/unmount of individual authfs instances
+# (a FUSE based filesystem). The service then can pass file descriptor on authfs
+# to the client for remote file access.
+
+type authfs_service, domain, coredomain;
+type authfs_service_exec, exec_type, file_type, system_file_type;
+
+# Allow domain transition from init.
+init_daemon_domain(authfs_service)
+
+# Allow running as a binder service.
+binder_call(authfs_service, servicemanager)
+add_service(authfs_service, authfs_binder_service)
+
+# Allow domain transition into authfs.
+domain_auto_trans(authfs_service, authfs_exec, authfs)
+
+# Allow mounting the FUSE filesystem.
+allow authfs_service self:global_capability_class_set sys_admin;
+
+# Allow creating/deleting mount directories.
+allow authfs_service authfs_data_file:dir create_dir_perms;
+
+# Allow opening a file from the FUSE mount.
+# Note: authfs_service doesn't really need to read and write the file, but the
+# check seems to happen on open anyway. It also doesn't need getattr, but it is
+# currently called internally by binder to estimate ashmem size.
+allow authfs_service authfs_fuse:dir search;
+# TODO(195752513): Remove getattr once the binder bug is fixed.
+allow authfs_service authfs_fuse:file { getattr open read write };
+
+# Allow killing the authfs process and unmount.
+allow authfs_service authfs:process sigkill;
+allow authfs_service authfs_fuse:filesystem unmount;
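Review bot: After this change both authfs_service (`allow authfs_service self:global_capability_class_set sys_admin;` here) and authfs (the same rule in authfs.te, marked with a TODO to move it here) hold CAP_SYS_ADMIN for what the comments describe as the same FUSE mount, and neither file says which domain actually performs the mount today. Please state it in the comment on the sys_admin line, e.g. `# Currently authfs mounts its own FUSE instance; this domain only unmounts (see TODO in authfs.te).` if that is the case, so that it is clear which of the two grants is the temporary one. Separately, the comment above the `{ getattr open read write }` rule says read/write are not really needed; if the file descriptors are opened read-only by the service, `write` should not be required and could be dropped, otherwise the comment should say why the open mode needs it.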
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 9e6b2bb..b8ad335 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -4,11 +4,11 @@
 
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-# Talk to binder services (for keystore)
+# Allow using keystore and authfs_service binder services
 binder_use(compos);
-
-# Allow payloads to use keystore
 use_keystore(compos);
+allow compos authfs_binder_service:service_manager find;
+binder_call(compos, authfs_service);
 
 # Allow payloads to use and manage their keys
 allow compos vm_payload_key:keystore2_key {
@@ -18,3 +18,15 @@
     rebind
     use
 };
+
+# Although the compos should not really read/write the FD on authfs_fuse, this
+# is apparently required for the binder driver to pass the FDs to compos from
+# authfs_service.
+allow compos authfs_fuse:file { read write };
+
+# Allow getattr (in fact, getxattr) as a workaround to retrieve fs-verity
+# metadata. See b/196635431.
+allow compos authfs_fuse:file getattr;
+
+# Allow domain transition into dex2oat.
+domain_auto_trans(compos, dex2oat_exec, dex2oat)
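Review bot: `allow compos authfs_fuse:file { read write };` grants compos write access to files on the authfs mount, and the comment above it says compos should not really read or write them. The permission checked when an FD is passed over binder follows the mode the sending process opened the file with, so if authfs_service opens these files read-only, `write` should be unnecessary here and could be dropped to `allow compos authfs_fuse:file read;` — I cannot see the open call from this diff, so this needs confirming. If write really is required, the comment should carry a bug reference like the getattr workaround two lines below, so it is not left as an unexplained widening.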
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 6bfd05e..bf44251 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -3,3 +3,22 @@
 type dex2oat_exec, system_file_type, exec_type, file_type;
 
 allow dex2oat tmpfs:file { read getattr map };
+
+# Allow dex2oat to use FDs from authfs_service via compos.
+allow dex2oat authfs_service:fd use;
+allow dex2oat compos:fd use;
+
+# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
+allow dex2oat authfs_fuse:file { read write getattr map };
+
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow dex2oat compos:fifo_file read;
+
+# Allow acquiring advisory lock on /system/framework/<arch>/*
+allow dex2oat system_file:file lock;
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 1989d7e..cbbd379 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -10,3 +10,5 @@
 allow proc_net proc:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow system_data_file tmpfs:filesystem associate;
+
+type authfs_fuse, fs_type, contextmount_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 97e756d..ffd75a1 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -117,6 +117,8 @@
 /system/bin/microdroid_launcher  u:object_r:microdroid_app_exec:s0
 /system/bin/microdroid_manager   u:object_r:microdroid_manager_exec:s0
 /system/bin/apkdmverity          u:object_r:apkdmverity_exec:s0
+/system/bin/authfs               u:object_r:authfs_exec:s0
+/system/bin/authfs_service       u:object_r:authfs_service_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
@@ -158,6 +160,7 @@
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
+/data/misc/authfs(/.*)?         u:object_r:authfs_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor(/.*)?              u:object_r:vendor_data_file:s0
 
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d3ec74b..004aa3d 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -24,3 +24,6 @@
     use
 };
 
+# Microdroid manager connects vsock_socket to the host and app's output is redirected to it.
+# TODO(b/195751698) This is flaky; it seems this is not always necessary.
+dontaudit microdroid_app microdroid_manager:vsock_socket getattr;
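Review bot: `dontaudit` only suppresses the log entry; the getattr on the inherited vsock socket is still denied, so if the comment's "not always necessary" means the payload sometimes does need it, that call will fail silently and the failure will be invisible in logcat. If the getattr is harmless when it fails this is fine, but then the comment should say so rather than "flaky"; if it is ever needed, this should be `allow microdroid_app microdroid_manager:vsock_socket getattr;` instead. I would reword the comment to `# The app's stdout/stderr are the vsock socket inherited from microdroid_manager; fstat() on it is not needed to function, so just silence the denial.` if that is what has been verified.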
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 728d156..f84f5f0 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -10,6 +10,8 @@
 allow microdroid_manager block_device:dir r_dir_perms;
 allow microdroid_manager block_device:lnk_file r_file_perms;
 allow microdroid_manager vd_device:blk_file r_file_perms;
+# microdroid_manager verifies DM-verity mounted APK payload
+allow microdroid_manager dm_device:blk_file r_file_perms;
 
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
@@ -34,4 +36,11 @@
 allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
 allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
 
+# Allow microdroid_manager to ioctl /dev/vsock.
+# TODO(b/191845268): remove the below rules
+allow microdroid_manager device:chr_file r_file_perms;
+allowxperm microdroid_manager device:chr_file ioctl {
+    IOCTL_VM_SOCKETS_GET_LOCAL_CID
+};
+
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
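Review bot: `allow microdroid_manager device:chr_file r_file_perms;` is wider than its comment suggests: `device` is the generic dev_type label (device.te in this diff: `type device, dev_type, fs_type;`), so open/read is granted on every character device that has no more specific label, not only /dev/vsock. The `allowxperm` below does limit the ioctl to `IOCTL_VM_SOCKETS_GET_LOCAL_CID`, but the read/open part is not narrowed by it. Since the TODO says these rules are to be removed anyway, a dedicated label for /dev/vsock in file_contexts would let this be `allow microdroid_manager <vsock label>:chr_file r_file_perms;` with no change to what the daemon can do.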
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c8be9d9..61cd68d 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -32,6 +32,7 @@
 ro.logd.kernel u:object_r:logd_prop:s0 exact bool
 
 ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.authfs_service            u:object_r:boottime_prop:s0 exact int
 ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.cold_boot_wait       u:object_r:boottime_prop:s0 exact int
@@ -60,6 +61,7 @@
 
 sys.usb.controller u:object_r:usb_control_prop:s0 exact string
 
+init.svc.authfs_service            u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 5857a0f..3489055 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -15,4 +15,6 @@
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 apexservice                               u:object_r:apex_service:s0
+authfs_service                            u:object_r:authfs_binder_service:s0
+manager                                   u:object_r:service_manager_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 8ff964f..d014af5 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -21,3 +21,5 @@
 allow servicemanager service_contexts_file:file r_file_perms;
 
 allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+add_service(servicemanager, service_manager_service)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index fc51ad8..3bb879d 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -29,3 +29,7 @@
 # filesystem test for insucre blk_file's is done
 # via hostside test
 allow shell dev_type:blk_file getattr;
+
+# Test tool automatically tries to access /sys/class/power_supply.
+# Suppressing it as we don't need power_supply in microdroid.
+dontaudit shell sysfs:dir r_dir_perms;
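Review bot: `dontaudit shell sysfs:dir r_dir_perms;` silences directory-read denials for every sysfs directory that carries the generic `sysfs` label, not just /sys/class/power_supply named in the comment, so future genuine denials from test tooling will be hidden too. In full Android the same path has its own type (`sysfs_batteryinfo`, which shell is allowed to read in public/shell.te), so a genfs_contexts entry for /sys/class/power_supply in microdroid would let this rule name the specific type. If the broad form is intentional, the comment should say that it covers all generic-labelled sysfs directories.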
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index eb06672..4ff417b 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -50,3 +50,5 @@
 allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
 allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
 
+# TODO(b/193118220): find out why this happens.
+dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
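Review bot: The TODO says the cause of this denial is not yet known, and a `dontaudit` removes the very evidence needed to find it — once this lands the relabel/setattr attempt on a tmpfs char device leaves no trace in the audit log. If the denial is known to be harmless I would say so in the comment (`# ueventd relabels /dev nodes on a tmpfs-backed /dev; the failure is benign because ...`); if it is not yet known to be harmless, it is safer to leave it audited until b/193118220 is understood.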
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index cf516dd..ffc2b3b 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,6 +7,9 @@
 # in tools/checkfc.c
 attribute dev_type;
 
+# Attribute for block devices.
+attribute bdev_type;
+
 # All types used for processes.
 attribute domain;
 
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 8d286a6..bdc3b28 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,7 +1,7 @@
 type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
 type dm_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 67d5068..c750ccc 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -6,6 +6,7 @@
 type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type apex_info_file, file_type;
 type apex_mnt_dir, file_type;
+type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
 type cgroup_rc_file, file_type;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index c31509c..0ee9f89 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,6 +1,7 @@
 # Miscellaneous types
 type adb_service, system_server_service, system_api_service, service_manager_type;
 type apex_service, service_manager_type;
+type authfs_binder_service, service_manager_type;
 type authorization_service, service_manager_type;
 type credstore_service, app_api_service, service_manager_type;
 type default_android_hwservice, hwservice_manager_type, protected_hwservice;
@@ -19,5 +20,6 @@
 type keystore_service, service_manager_type;
 type legacykeystore_service, service_manager_type;
 type remoteprovisioning_service, service_manager_type;
+type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 5ff7aef..7496c65 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -730,6 +730,7 @@
 	report_off_body
 	reset
 	unlock
+	delete_all_keys
 }
 
 class keystore2_key
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index b923cdb..09799bd 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -51,8 +51,9 @@
   BLKFLSBUF
   LOOP_CONFIGURE
 };
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
 
 #allow apexd to access virtual disks
 allow apexd vd_device:blk_file r_file_perms;
@@ -106,6 +107,8 @@
 
 # /sys directory tree traversal
 allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index 4484823..ae54626 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -121,6 +121,7 @@
     snapuserd_socket
     soc_prop
     speech_recognition_service
+    sysfs_block
     sysfs_devfreq_cur
     sysfs_devfreq_dir
     sysfs_devices_cs_etm
diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts
index 3499aa0..4644503 100644
--- a/prebuilts/api/31.0/private/genfs_contexts
+++ b/prebuilts/api/31.0/private/genfs_contexts
@@ -116,6 +116,7 @@
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block                       u:object_r:sysfs_block:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0
diff --git a/prebuilts/api/31.0/private/init.te b/prebuilts/api/31.0/private/init.te
index 99afd84..f569e0c 100644
--- a/prebuilts/api/31.0/private/init.te
+++ b/prebuilts/api/31.0/private/init.te
@@ -38,6 +38,16 @@
 # that userdata is mounted onto.
 allow init sysfs_dm:file read;
 
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
 # Allow init to write to the drop_caches file.
 allow init proc_drop_caches:file rw_file_perms;
 
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index eedbe8a..9dc25f8 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -494,6 +494,7 @@
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
 ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
index 40b19fd..f5b786d 100644
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@@ -171,6 +171,9 @@
 # Allow shell to read boot image timestamps and fingerprints.
 get_prop(shell, build_bootimage_prop)
 
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
 userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
 
 # Allow to issue control commands to profcollectd binder service.
diff --git a/prebuilts/api/31.0/private/vold.te b/prebuilts/api/31.0/private/vold.te
index a802bdb..de0fde4 100644
--- a/prebuilts/api/31.0/private/vold.te
+++ b/prebuilts/api/31.0/private/vold.te
@@ -53,8 +53,9 @@
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;
 
-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
 
 neverallow {
     domain
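Review bot: `delete_all_keys` is a destructive keystore2 operation, and this hunk adds it to vold without any visible rule preventing other domains from acquiring it. The `neverallow {` block that begins on the last lines of this hunk continues outside the diff, so I cannot tell whether it already covers the new permission; if it does not, a guard such as `neverallow { domain -vold } keystore:keystore2 delete_all_keys;` would keep the grant vold-only, matching how `early_boot_ended` is presumably restricted. The same hunk appears in private/vold.te, which is outside this page.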
diff --git a/prebuilts/api/31.0/public/attributes b/prebuilts/api/31.0/public/attributes
index 2e01f1e..b60c9cc 100644
--- a/prebuilts/api/31.0/public/attributes
+++ b/prebuilts/api/31.0/public/attributes
@@ -7,6 +7,9 @@
 # in tools/checkfc.c
 attribute dev_type;
 
+# Attribute for block devices.
+attribute bdev_type;
+
 # All types used for processes.
 attribute domain;
 
@@ -59,6 +62,9 @@
 # All types used for sysfs files.
 attribute sysfs_type;
 
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
 # All types use for debugfs files.
 attribute debugfs_type;
 
diff --git a/prebuilts/api/31.0/public/device.te b/prebuilts/api/31.0/public/device.te
index 686f955..cc2ef57 100644
--- a/prebuilts/api/31.0/public/device.te
+++ b/prebuilts/api/31.0/public/device.te
@@ -6,16 +6,16 @@
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
 type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
 type keychord_device, dev_type;
 type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
 type rtc_device, dev_type;
 type vd_device, dev_type;
 type vold_device, dev_type;
@@ -73,51 +73,51 @@
 type rpmsg_device, dev_type;
 
 # Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
 
 # factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
 
 # System block device mounted on /system.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
 
 # Recovery block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
 
 # boot block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
 
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
 
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
 
 # Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
 
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
 
 # The 'misc' partition used by recovery and A/B.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
 
 # sdcard devices; normally vold uses the vold_block_device label and creates a
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;
diff --git a/prebuilts/api/31.0/public/file.te b/prebuilts/api/31.0/public/file.te
index 20348b5..767225f 100644
--- a/prebuilts/api/31.0/public/file.te
+++ b/prebuilts/api/31.0/public/file.te
@@ -85,6 +85,7 @@
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_devfreq_cur, fs_type, sysfs_type;
 type sysfs_devfreq_dir, fs_type, sysfs_type;
diff --git a/prebuilts/api/31.0/public/shell.te b/prebuilts/api/31.0/public/shell.te
index 29c07a4..70a7fb4 100644
--- a/prebuilts/api/31.0/public/shell.te
+++ b/prebuilts/api/31.0/public/shell.te
@@ -158,6 +158,9 @@
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;
 
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
diff --git a/private/access_vectors b/private/access_vectors
index 3732a52..6edcd1f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -731,6 +731,7 @@
 	report_off_body
 	reset
 	unlock
+	delete_all_keys
 }
 
 class keystore2_key
diff --git a/private/apexd.te b/private/apexd.te
index d9017cb..3213241 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -43,8 +43,9 @@
   BLKFLSBUF
   LOOP_CONFIGURE
 };
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
 
 #allow apexd to access virtual disks
 allow apexd vd_device:blk_file r_file_perms;
@@ -98,6 +99,8 @@
 
 # /sys directory tree traversal
 allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 8fc6d20..0e0cf7f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -39,6 +39,10 @@
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
+# For Bluetooth to check what profile are available
+allow bluetooth proc_filesystems:file r_file_perms;
+get_prop(bluetooth, incremental_prop)
+
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, binder_cache_bluetooth_server_prop);
 neverallow { domain -bluetooth -init }
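Review bot: The comment `# For Bluetooth to check what profile are available` has a grammar slip ("profiles") and does not explain why checking profiles requires reading /proc/filesystems and the incremental properties, which is not obvious from the rules themselves. I would reword it to something like `# Bluetooth reads /proc/filesystems and the incremental-fs properties to determine which profiles can be enabled on this device.` if that is the actual reason, so the next reader does not have to reconstruct the link. The `neverallow { domain -bluetooth -init }` statement on the hunk's last line continues outside the diff.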
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 0eb5e64..f8696f8 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -126,6 +126,7 @@
     snapuserd_socket
     soc_prop
     speech_recognition_service
+    sysfs_block
     sysfs_devfreq_cur
     sysfs_devfreq_dir
     sysfs_devices_cs_etm
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 72994dd..8010071 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,6 +7,9 @@
   ( new_objects
     artd_service
     camera2_extensions_prop
+    extra_free_kbytes
+    extra_free_kbytes_exec
+    hal_contexthub_service
     hal_system_suspend_service
     hal_tv_tuner_service
     hal_wifi_hostapd_service
@@ -16,7 +19,10 @@
     tare_service
     transformer_service
     proc_watermark_boost_factor
+    proc_watermark_scale_factor
     untrusted_app_30
     proc_vendor_sched
     sysfs_vendor_sched
+    vendor_vm_file
+    vendor_vm_data_file
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index 7426ef9..6f3ab3d 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -31,14 +31,9 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
-# TODO(b/193402941) delete this. This for now is required because crosvm needs to open the files for
-# the GPT headers of the composite disks.
-allow crosvm virtualizationservice_data_file:file open;
-
 # Don't allow crosvm to open files that it doesn't own.
 neverallow crosvm {
-  #TODO(b/193402941) uncomment the following line
-  #virtualizationservice_data_file
+  virtualizationservice_data_file
   staging_data_file
   apk_data_file
   app_data_file
@@ -61,3 +56,17 @@
 # The console log can also be written to /data/local/tmp. This is not safe as the log then can be
 # visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
 userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
+
+# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
+full_treble_only(`
+  neverallow crosvm {
+    vendor_file_type
+    -vendor_vm_file
+    -vendor_vm_data_file
+    # These types are not required for crosvm, but the access is granted to globally in domain.te
+    # thus should be exempted here.
+    -vendor_configs_file
+    -vndk_sp_file
+    -vendor_task_profiles_file
+  }:file *;
+')
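Review bot: The compensating `neverallow crosvm { vendor_file_type ... }:file *;` is wrapped in `full_treble_only(` and covers only the `file` class, whereas the exemption added in domain.te (`-crosvm # loads vendor-specific disk images`) removes crosvm from the coredomain-to-vendor neverallow unconditionally as far as this diff shows. On a build where full_treble_only is false, crosvm would therefore lose the guard entirely, and on any build other object classes under vendor_file_type are not constrained by this rule. I cannot see the domain.te neverallow's own condition from here; if it is also Treble-only this is consistent, otherwise the comment should at least state that the guard is Treble-only and file-class-only.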
diff --git a/private/domain.te b/private/domain.te
index 9eeee88..56e2ef0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -476,6 +476,7 @@
     coredomain
     # TODO(b/37168747): clean up fwk access to /vendor
     -crash_dump
+    -crosvm # loads vendor-specific disk images
     -init # starts vendor executables
     -iorap_inode2filename
     -iorap_prefetcherd
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
new file mode 100644
index 0000000..af3088b
--- /dev/null
+++ b/private/extra_free_kbytes.te
@@ -0,0 +1,3 @@
+typeattribute extra_free_kbytes coredomain;
+
+init_daemon_domain(extra_free_kbytes)
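Review bot: The new extra_free_kbytes domain file has no header comment saying what the process is, and the only clue in this diff is the file_contexts entry labelling `/system/bin/extra_free_kbytes\.sh`. A one-line header such as `# Domain for /system/bin/extra_free_kbytes.sh, started by init (see file_contexts).` would make the purpose clear; the type declaration and any allow rules are presumably in the public policy outside this page, so I cannot check what the script is permitted to touch.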
diff --git a/private/file_contexts b/private/file_contexts
index a5dd5a6..5433726 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -222,6 +222,7 @@
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
+/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index f6675ac..aefbb3d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -7,6 +7,7 @@
 set_prop(flags_health_check, device_config_runtime_native_boot_prop)
 set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_lmkd_native_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_media_native_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8af6198..664a3b3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -87,6 +87,7 @@
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
 genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
+genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -118,6 +119,7 @@
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block                       u:object_r:sysfs_block:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0
diff --git a/private/init.te b/private/init.te
index 99afd84..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -38,6 +38,16 @@
 # that userdata is mounted onto.
 allow init sysfs_dm:file read;
 
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
 # Allow init to write to the drop_caches file.
 allow init proc_drop_caches:file rw_file_perms;
 
diff --git a/private/lmkd.te b/private/lmkd.te
index ec9a93e..aee1b7f 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,6 +8,9 @@
 # Set lmkd.* properties.
 set_prop(lmkd, lmkd_prop)
 
+# Get persist.device_config.lmk_native.* properties.
+get_prop(lmkd, device_config_lmkd_native_prop)
+
 allow lmkd fs_bpf:dir search;
 allow lmkd fs_bpf:file read;
 allow lmkd bpfloader:bpf map_read;
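Review bot: The comment on the new get_prop rule names `persist.device_config.lmk_native.*`, but the property_contexts entry added in this same change is `persist.device_config.lmkd_native.` and the type is `device_config_lmkd_native_prop`, so the prefix a reader would grep for does not exist. Change the comment to `# Get persist.device_config.lmkd_native.* properties.` so it matches the property_contexts line and the type name.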
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index e8a85e5..5f14ba4 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -57,3 +57,5 @@
 get_prop(mediaprovider_app, drm_service_config_prop)
 
 allow mediaprovider_app gpu_device:dir search;
+
+dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
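Review bot: The new `dontaudit mediaprovider_app sysfs_vendor_sched:dir search;` carries no comment saying where the denial comes from, unlike the rules above it, and silenced denials are hard to revisit later without that. Add a one-line comment naming the trigger and stating that the access is not needed, e.g. `# Suppress harmless denials from <library/call path - TODO confirm> probing vendor sched sysfs; mediaprovider does not need this access.` If the search is actually required for correct behaviour, it should be an allow rule rather than a dontaudit.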
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 7a64247..3db1ae8 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -21,9 +21,15 @@
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
 
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
 
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
 # Use devpts and fd from odsign (which exec()'s odrefresh)
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
diff --git a/private/property.te b/private/property.te
index 671a24a..3ee6650 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,6 +1,7 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
 system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
 system_internal_prop(device_config_statsd_native_prop)
 system_internal_prop(device_config_statsd_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 596a178..c6403dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -237,6 +237,7 @@
 persist.device_config.configuration.                u:object_r:device_config_configuration_prop:s0
 persist.device_config.connectivity.                 u:object_r:device_config_connectivity_prop:s0
 persist.device_config.input_native_boot.            u:object_r:device_config_input_native_boot_prop:s0
+persist.device_config.lmkd_native.                  u:object_r:device_config_lmkd_native_prop:s0
 persist.device_config.media_native.                 u:object_r:device_config_media_native_prop:s0
 persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
 persist.device_config.profcollect_native_boot.      u:object_r:device_config_profcollect_native_boot_prop:s0
@@ -285,6 +286,7 @@
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.compression.enabled  u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.xor.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 
@@ -503,6 +505,7 @@
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
 ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
 ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string
@@ -1126,8 +1129,17 @@
 telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
 telephony.lteOnCdmaDevice         u:object_r:telephony_config_prop:s0 exact int
 persist.dbg.volte_avail_ovr       u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr0      u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr1      u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr2      u:object_r:telephony_config_prop:s0 exact int
 persist.dbg.vt_avail_ovr          u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr0         u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr1         u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr2         u:object_r:telephony_config_prop:s0 exact int
 persist.dbg.wfc_avail_ovr         u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr0        u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr1        u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr2        u:object_r:telephony_config_prop:s0 exact int
 
 # System locale list filter configuration
 ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index 337ee80..0ab9f53 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
+android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0
 android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.health.storage.IStorage/default                     u:object_r:hal_health_storage_service:s0
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
diff --git a/private/shell.te b/private/shell.te
index bd4e5c0..08cf8ff 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -179,6 +179,9 @@
 # Allow shell to read boot image timestamps and fingerprints.
 get_prop(shell, build_bootimage_prop)
 
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
 userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
 
 # Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 78f4d76..f24986c 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -42,7 +42,7 @@
 set_prop(snapuserd, snapuserd_prop)
 
 # For inotify watching for /dev/socket/snapuserd_proxy to appear.
-allow snapuserd tmpfs:dir read;
+allow snapuserd tmpfs:dir { read watch };
 
 # Forbid anything other than snapuserd and init setting snapuserd properties.
 neverallow {
diff --git a/private/system_server.te b/private/system_server.te
index 0744bec..e899556 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -698,6 +698,7 @@
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server, device_config_lmkd_native_prop)
 set_prop(system_server, device_config_media_native_prop)
 set_prop(system_server, device_config_profcollect_native_boot_prop)
 set_prop(system_server, device_config_statsd_native_prop)
@@ -1213,6 +1214,7 @@
   device_config_activity_manager_native_boot_prop
   device_config_connectivity_prop
   device_config_input_native_boot_prop
+  device_config_lmkd_native_prop
   device_config_netd_native_prop
   device_config_runtime_native_boot_prop
   device_config_runtime_native_prop
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index f92c94f..c51b995 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -9,8 +9,6 @@
 binder_use(virtualizationservice)
 # ... and host a binder service
 binder_service(virtualizationservice)
-# It needs to call back to app
-binder_call(virtualizationservice, appdomain)
 
 # Allow calling into the system server so that it can check permissions.
 binder_call(virtualizationservice, system_server)
@@ -36,6 +34,8 @@
 define(`virtualizationservice_use', `
 # Let the client call virtualizationservice.
 binder_call($1, virtualizationservice)
+# Let virtualizationservice call back to the client.
+binder_call(virtualizationservice, $1)
 # Let the client pass file descriptors to virtualizationservice.
 allow virtualizationservice $1:fd use;
 ')
@@ -43,7 +43,9 @@
 # Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
 # debugging.
 virtualizationservice_use(shell)
-binder_call(virtualizationservice, shell)
+
+# Let apps use virtualizationservice.
+virtualizationservice_use(appdomain)
 
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
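Review bot: `virtualizationservice_use(appdomain)` grants every app domain binder_call into virtualizationservice and lets the service use fds from any app, but the comment above it does not say what gates that access; the only hint is the comment in the first hunk that the service calls into system_server to check permissions. Presumably that permission check is the intended gate rather than this policy, so the comment should say so, e.g. `# Let apps use virtualizationservice. Access is gated by the permission check the service performs via system_server, not by this rule.` Confirm that model before landing, since the earlier hunk also removed the previous app-facing binder_call and this macro now adds the callback direction for all apps.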
diff --git a/private/vold.te b/private/vold.te
index a802bdb..de0fde4 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -53,8 +53,9 @@
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;
 
-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
 
 neverallow {
     domain
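Review bot: The new `delete_all_keys` permission is far more destructive than `early_boot_ended`, and the hunk does not say whether a neverallow keeps it confined to vold; the `neverallow { domain` block that begins at the end of the hunk continues outside it, so if that block restricts keystore2 permissions to vold, `delete_all_keys` should be listed alongside `early_boot_ended` there. The comment could also record when vold calls it — presumably when the `ro.crypto.metadata_init_delete_all_keys.enabled` property added in property_contexts in this same change is set — e.g. `# vold needs to be able to call earlyBootEnded() and, when ro.crypto.metadata_init_delete_all_keys.enabled is set, deleteAllKeys()`.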
diff --git a/public/attributes b/public/attributes
index e3ea547..c8f2f44 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,6 +7,9 @@
 # in tools/checkfc.c
 attribute dev_type;
 
+# Attribute for block devices.
+attribute bdev_type;
+
 # All types used for processes.
 attribute domain;
 
@@ -65,6 +68,9 @@
 # All types used for sysfs files.
 attribute sysfs_type;
 
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
 # All types use for debugfs files.
 attribute debugfs_type;
 
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a6f0a94..472e1dc 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@
 # Read APEX data directories.
 allow crash_dump apex_module_data_file:dir { getattr search };
 
+# Read uptime
+allow crash_dump proc_uptime:file r_file_perms;
+
 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);
 
@@ -65,10 +68,6 @@
 dontaudit crash_dump system_data_file:{ lnk_file file } read;
 dontaudit crash_dump property_type:file read;
 
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
 ###
 ### neverallow assertions
 ###
diff --git a/public/device.te b/public/device.te
index 686f955..cc2ef57 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,16 +6,16 @@
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
 type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
 type keychord_device, dev_type;
 type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
 type rtc_device, dev_type;
 type vd_device, dev_type;
 type vold_device, dev_type;
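Review bot: `vd_device` and `vold_device`, visible as context at the end of this hunk, are left as plain dev_type while every other block-device-looking type in this hunk and the next one (root_block_device through sdcard_block_device) gains bdev_type. If either labels block device nodes (the name vold_device and the comment about vold creating its own device nodes in the second hunk suggest it does), they should carry bdev_type too, otherwise init's new `bdev_type:blk_file getattr` in init.te will not cover them and the attribute's meaning "block devices" becomes inconsistent. If they are deliberately excluded, a short comment saying why would prevent the next reader from adding them.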
@@ -73,51 +73,51 @@
 type rpmsg_device, dev_type;
 
 # Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
 
 # factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
 
 # System block device mounted on /system.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
 
 # Recovery block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
 
 # boot block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
 
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
 
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
 
 # Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
 
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
 
 # The 'misc' partition used by recovery and A/B.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
 
 # sdcard devices; normally vold uses the vold_block_device label and creates a
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;
diff --git a/public/extra_free_kbytes.te b/public/extra_free_kbytes.te
new file mode 100644
index 0000000..ed0c935
--- /dev/null
+++ b/public/extra_free_kbytes.te
@@ -0,0 +1,13 @@
+# The extra_free_kbytes.sh script run by init.
+type extra_free_kbytes, domain;
+type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
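Review bot: `allow extra_free_kbytes system_file:file x_file_perms;` lets this init-launched script domain execute any system_file binary, which is wider than the two explicit interpreters it is given (shell_exec and toolbox_exec) and wider than a script that only writes two /proc tunables appears to need. If the script really invokes some other system binary, name it in the comment so the rule can be narrowed to that type later; if it does not, the rule should be dropped. A comment on the `# files used by the script` section stating that the domain is expected to be the only writer of `proc_watermark_scale_factor` would also help the next reviewer, since that tunable is newly labeled in this change.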
diff --git a/public/file.te b/public/file.te
index 9bb1ff9..984b783 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,6 +77,7 @@
 type proc_version, fs_type, proc_type;
 type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
+type proc_watermark_scale_factor, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type proc_vendor_sched, proc_type, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
@@ -87,6 +88,7 @@
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_devfreq_cur, fs_type, sysfs_type;
 type sysfs_devfreq_dir, fs_type, sysfs_type;
@@ -246,6 +248,11 @@
 type vendor_keychars_file, vendor_file_type, file_type;
 type vendor_idc_file, vendor_file_type, file_type;
 
+# SoC-specific virtual machine disk files
+type vendor_vm_file, vendor_file_type, file_type;
+# SoC-specific virtual machine disk files that are mutable
+type vendor_vm_data_file, vendor_file_type, file_type;
+
 # /metadata partition itself
 type metadata_file, file_type;
 # Vold files within /metadata
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index 34acb38..14c2dbc 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -2,4 +2,9 @@
 binder_call(hal_contexthub_client, hal_contexthub_server)
 binder_call(hal_contexthub_server, hal_contexthub_client)
 
+add_service(hal_contexthub_server, hal_contexthub_service)
+binder_call(hal_contexthub_server, servicemanager)
+
+allow hal_contexthub_client hal_contexthub_service:service_manager find;
+
 hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
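Review bot: The three hand-written rules (add_service, binder_call to servicemanager, and the client find) are the expansion that the `hal_attribute_service` macro provides for other AIDL HALs, and the file already uses the parallel `hal_attribute_hwservice` form on the last line; if this tree has that macro, `hal_attribute_service(hal_contexthub, hal_contexthub_service)` plus the remaining `binder_call(hal_contexthub_server, servicemanager)` would keep this HAL consistent with the others. This is a style point only; the permissions granted are the same either way.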
diff --git a/public/service.te b/public/service.te
index 5cf379a..52cbf10 100644
--- a/public/service.te
+++ b/public/service.te
@@ -252,6 +252,7 @@
 type hal_audio_service, vendor_service, protected_service, service_manager_type;
 type hal_audiocontrol_service, vendor_service, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
 type hal_face_service, vendor_service, protected_service, service_manager_type;
 type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
 type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 29c07a4..70a7fb4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -158,6 +158,9 @@
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;
 
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 79bbda4..b75e61b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -27,6 +27,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service     u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example    u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0