Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / afc5f155afda2e4f4889091924a3ea7d058d96fc^2..afc5f155afda2e4f4889091924a3ea7d058d96fc / .
commitafc5f155afda2e4f4889091924a3ea7d058d96fc[log] [tgz]
authorInseob Kim <inseob@google.com>Fri Aug 30 01:08:19 2024 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Aug 30 01:08:19 2024 +0000
tree5ae2443dd279882066fb5de89f60eddcb8d70d60
parentd6e7260d1f69b4f512f020a9b48491a7b3ff7e2d [diff]
parent1b6a129777571c814fbb72d2256ae69bb036f845 [diff]
Merge "Move adb_keys to product partition" into main
diff --git a/Android.mk b/Android.mk
index dc62833..378102b 100644
--- a/Android.mk
+++ b/Android.mk

@@ -189,6 +189,11 @@
     selinux_policy_nonsystem \
     selinux_policy_system \
 
+# Runs checkfc against merged service_contexts files
+LOCAL_REQUIRED_MODULES += \
+    merged_service_contexts_test \
+    merged_hwservice_contexts_test
+
 include $(BUILD_PHONY_PACKAGE)
 
 # selinux_policy is a main goal and triggers lots of tests.

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9891388..726bbbc 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -392,7 +392,7 @@
 		"procstats":                              EXCEPTION_NO_FUZZER,
 		"profcollectd":                           EXCEPTION_NO_FUZZER,
 		"profiling_service":                      EXCEPTION_NO_FUZZER,
-		"protolog":                               EXCEPTION_NO_FUZZER,
+		"protolog_configuration":                 EXCEPTION_NO_FUZZER,
 		"radio.phonesubinfo":                     EXCEPTION_NO_FUZZER,
 		"radio.phone":                            EXCEPTION_NO_FUZZER,
 		"radio.sms":                              EXCEPTION_NO_FUZZER,

diff --git a/contexts/Android.bp b/contexts/Android.bp
index ca3cf57..850601f 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp

@@ -206,6 +206,18 @@
     device_specific: true,
 }
 
+hwservice_contexts {
+    name: "merged_hwservice_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":plat_hwservice_contexts",
+        ":system_ext_hwservice_contexts",
+        ":product_hwservice_contexts",
+        ":vendor_hwservice_contexts",
+        ":odm_hwservice_contexts",
+    ],
+}
+
 property_contexts {
     name: "plat_property_contexts",
     defaults: ["contexts_flags_defaults"],
@@ -308,6 +320,18 @@
     recovery_available: true,
 }
 
+service_contexts {
+    name: "merged_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":plat_service_contexts",
+        ":system_ext_service_contexts",
+        ":product_service_contexts",
+        ":vendor_service_contexts",
+        ":odm_service_contexts",
+    ],
+}
+
 keystore2_key_contexts {
     name: "plat_keystore2_key_contexts",
     defaults: ["contexts_flags_defaults"],
@@ -490,6 +514,12 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+hwservice_contexts_test {
+    name: "merged_hwservice_contexts_test",
+    srcs: [":merged_hwservice_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
+
 property_contexts_test {
     name: "plat_property_contexts_test",
     srcs: [":plat_property_contexts"],
@@ -568,6 +598,12 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+service_contexts_test {
+    name: "merged_service_contexts_test",
+    srcs: [":merged_service_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
+
 vndservice_contexts_test {
     name: "vndservice_contexts_test",
     srcs: [":vndservice_contexts"],

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c11e35e..e88b955 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test

@@ -1304,6 +1304,11 @@
 /mnt/product                                                      mnt_product_file
 /mnt/product/test                                                 mnt_product_file
 
+
+/mnt/scratch_ota_metadata_super                                   ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota                               ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota/snapshots                     ota_metadata_file
+
 /system/bin/check_dynamic_partitions                              postinstall_exec
 /product/bin/check_dynamic_partitions                             postinstall_exec
 /system/bin/otapreopt_script                                      postinstall_exec

diff --git a/private/adbd.te b/private/adbd.te
index c852038..154a04c 100644
--- a/private/adbd.te
+++ b/private/adbd.te

@@ -216,8 +216,7 @@
 allow adbd shell:fd use;
 
 # Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
+r_dir_file(adbd, vendor_apex_file)
 
 # Allow adb pull of updated apex files in /data/apex/active.
 allow adbd apex_data_file:dir search;

diff --git a/private/crosvm.te b/private/crosvm.te
index 6f07391..3cae672 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -5,6 +5,10 @@
 # Let crosvm open VM manager devices such as /dev/kvm.
 allow crosvm vm_manager_device_type:chr_file rw_file_perms;
 
+# TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
+# directly. It should be removed once the KeyMint VM can be started with early_virtmgr
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, init_daemon_domain(crosvm))
+
 # Most other domains shouldn't access /dev/kvm.
 neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
@@ -194,4 +198,7 @@
   domain
   -crosvm
   -virtualizationmanager
+  # TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
+  # directly. It should be removed once the KeyMint VM can be started with early_virtmgr
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-init')
 } crosvm_exec:file no_x_file_perms;

diff --git a/private/domain.te b/private/domain.te
index 94f96d9..0d2a1d3 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -342,6 +342,10 @@
 allow domain sysfs_pgsize_migration:dir search;
 allow domain sysfs_pgsize_migration:file r_file_perms;
 
+# Linker is executed from the context of the process requesting the dynamic linking,
+# so this prop must be "world-readable".
+get_prop(domain, bionic_linker_16kb_app_compat_prop)
+
 # Allow everyone to read media server-configurable flags, so that libstagefright can be
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)

diff --git a/private/file_contexts b/private/file_contexts
index 48f00ed..25ed6e8 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -885,6 +885,12 @@
 /metadata/aconfig/flags(/.*)?    u:object_r:aconfig_storage_flags_metadata_file:s0
 /metadata/aconfig_test_missions(/.*)?    u:object_r:aconfig_test_mission_files:s0
 
+############################
+# mount point for ota metadata
+/mnt/scratch_ota_metadata_super(/.*)?                 u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota(/.*)?             u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota/snapshots(/.*)?   u:object_r:ota_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0

diff --git a/private/init.te b/private/init.te
index 8ab1aab..73ab049 100644
--- a/private/init.te
+++ b/private/init.te

@@ -82,6 +82,9 @@
 set_prop(init, init_perf_lsm_hooks_prop)
 set_prop(init, vts_status_prop)
 
+# Allow init to set 16kb app compatibility props
+set_prop(init, bionic_linker_16kb_app_compat_prop)
+
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 

diff --git a/private/platform_app.te b/private/platform_app.te
index eb1a7c7..320624c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te

@@ -51,6 +51,7 @@
 userdebug_or_eng(`
   set_prop(platform_app, persist_sysui_ranking_update_prop)
 ')
+set_prop(platform_app, debug_tracing_desktop_mode_visible_tasks_prop)
 
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {

diff --git a/private/property.te b/private/property.te
index acb8d79..7c2d6d1 100644
--- a/private/property.te
+++ b/private/property.te

@@ -3,6 +3,7 @@
 system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(crashrecovery_prop)
+system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
 system_internal_prop(device_config_core_experiments_team_internal_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
@@ -70,6 +71,7 @@
 
 
 # Properties which can't be written outside system
+system_restricted_prop(bionic_linker_16kb_app_compat_prop)
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(fstype_prop)
 system_restricted_prop(log_file_logger_prop)
@@ -833,3 +835,9 @@
   -init
   -vendor_init
 } pm_archiving_enabled_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  userdebug_or_eng(`-su')
+} bionic_linker_16kb_app_compat_prop:property_service set;

diff --git a/private/property_contexts b/private/property_contexts
index f0a4281..bfe2a52 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -33,6 +33,7 @@
 
 debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
+debug.tracing.desktop_mode_visible_tasks u:object_r:debug_tracing_desktop_mode_visible_tasks_prop:s0 exact uint
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
 init.svc_debug_pid.     u:object_r:init_svc_debug_prop:s0
@@ -1266,6 +1267,8 @@
 ro.bionic.arch            u:object_r:cpu_variant_prop:s0 exact string
 ro.bionic.cpu_variant     u:object_r:cpu_variant_prop:s0 exact string
 
+bionic.linker.16kb.app_compat.enabled u:object_r:bionic_linker_16kb_app_compat_prop:s0 exact bool
+
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 
 ro.boot.fake_battery         u:object_r:exported_default_prop:s0 exact int

diff --git a/private/service.te b/private/service.te
index a3754e4..63259c6 100644
--- a/private/service.te
+++ b/private/service.te

@@ -1,27 +1,27 @@
-type adaptive_auth_service,         system_server_service, service_manager_type;
-type ambient_context_service,       app_api_service, system_server_service, service_manager_type;
-type attention_service,             system_server_service, service_manager_type;
-type bg_install_control_service,    system_api_service, system_server_service, service_manager_type;
-type compos_service,                service_manager_type;
-type communal_service,              app_api_service, system_server_service, service_manager_type;
-type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
-type feature_flags_service,         app_api_service, system_server_service, service_manager_type;
-type gsi_service,                   service_manager_type;
-type incidentcompanion_service,     app_api_service, system_api_service, system_server_service, service_manager_type;
-type logcat_service,                system_server_service, service_manager_type;
-type logd_service,                  service_manager_type;
-type mediatuner_service,            app_api_service, service_manager_type;
+type adaptive_auth_service,          system_server_service, service_manager_type;
+type ambient_context_service,        app_api_service, system_server_service, service_manager_type;
+type attention_service,              system_server_service, service_manager_type;
+type bg_install_control_service,     system_api_service, system_server_service, service_manager_type;
+type compos_service,                 service_manager_type;
+type communal_service,               app_api_service, system_server_service, service_manager_type;
+type dynamic_system_service,         system_api_service, system_server_service, service_manager_type;
+type feature_flags_service,          app_api_service, system_server_service, service_manager_type;
+type gsi_service,                    service_manager_type;
+type incidentcompanion_service,      app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service,                 system_server_service, service_manager_type;
+type logd_service,                   service_manager_type;
+type mediatuner_service,             app_api_service, service_manager_type;
 type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
-type profcollectd_service,          service_manager_type;
-type protolog_service,              system_api_service, system_server_service, service_manager_type;
-type resolver_service,              system_server_service, service_manager_type;
-type rkpd_registrar_service,        service_manager_type;
-type rkpd_refresh_service,          service_manager_type;
-type safety_center_service,         app_api_service, system_api_service, system_server_service, service_manager_type;
-type stats_service,                 service_manager_type;
-type statsbootstrap_service,        system_server_service, service_manager_type;
-type statscompanion_service,        system_server_service, service_manager_type;
-type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
+type profcollectd_service,           service_manager_type;
+type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type resolver_service,               system_server_service, service_manager_type;
+type rkpd_registrar_service,         service_manager_type;
+type rkpd_refresh_service,           service_manager_type;
+type safety_center_service,          app_api_service, system_api_service, system_server_service, service_manager_type;
+type stats_service,                  service_manager_type;
+type statsbootstrap_service,         system_server_service, service_manager_type;
+type statscompanion_service,         system_server_service, service_manager_type;
+type statsmanager_service,           system_api_service, system_server_service, service_manager_type;
 
 is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
     type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

diff --git a/private/service_contexts b/private/service_contexts
index 78d2c5a..71abb42 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -373,7 +373,7 @@
 powerstats                                u:object_r:powerstats_service:s0
 power                                     u:object_r:power_service:s0
 profiling_service                         u:object_r:profiling_service:s0
-protolog                                  u:object_r:protolog_service:s0
+protolog_configuration                    u:object_r:protolog_configuration_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
 procstats                                 u:object_r:procstats_service:s0

diff --git a/private/traced_probes.te b/private/traced_probes.te
index 003e992..6540420 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te

@@ -111,6 +111,10 @@
 binder_call(traced_probes, statsd)
 allow traced_probes stats_service:service_manager find;
 
+# Allow reading the system property representing number of desktop windows to
+# set the initial value for the counter in traces.
+get_prop(traced_probes, debug_tracing_desktop_mode_visible_tasks_prop)
+
 ###
 ### Neverallow rules
 ###

diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 5bba84a..6de0292 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te

@@ -107,5 +107,5 @@
 
 # Allow to read/write/create OTA metadata files for snapshot status and COW file status.
 allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:dir { rw_dir_perms rmdir };
 allow update_engine_common ota_metadata_file:file create_file_perms;