Merge "surfaceflinger: allow to be profiled by perfetto on release builds"
diff --git a/README b/README
deleted file mode 100644
index f14ac67..0000000
--- a/README
+++ /dev/null
@@ -1,114 +0,0 @@
-This directory contains the core Android SELinux policy configuration.
-It defines the domains and types for the AOSP services and apps common to
-all devices. Device-specific policy should be placed under a
-separate device/<vendor>/<board>/sepolicy subdirectory and linked
-into the policy build as described below.
-
-Policy Generation:
-
-Additional, per device, policy files can be added into the
-policy build. These files should have each line including the
-final line terminated by a newline character (0x0A). This
-will allow files to be concatenated and processed whenever
-the m4(1) macro processor is called by the build process.
-Adding the newline will also make the intermediate text files
-easier to read when debugging build failures. The sets of file,
-service and property contexts files will automatically have a
-newline inserted between each file as these are common failure
-points.
-
-These device policy files can be configured through the use of
-the BOARD_VENDOR_SEPOLICY_DIRS variable. This variable should be set
-in the BoardConfig.mk file in the device or vendor directories.
-
-BOARD_VENDOR_SEPOLICY_DIRS contains a list of directories to search
-for additional policy files. Order matters in this list.
-For example, if you have 2 instances of widget.te files in the
-BOARD_VENDOR_SEPOLICY_DIRS search path, then the first one found (at the
-first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
-will help sort out ordering issues.
-
-Example BoardConfig.mk Usage:
-From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-
-Alongside vendor sepolicy dirs, OEMs can also amend the public and private
-policy of the product and system_ext partitions:
-
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
-
-The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-variables have been deprecated in favour of SYSTEM_EXT_*.
-
-Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
-definitions during the build. A definition consists of a string in the form
-of macro-name=value. Spaces must NOT be present. This is useful for building modular
-policies, policy generation, conditional file paths, etc. It is supported in
-the following file types:
- * All *.te and SE Linux policy files as passed to checkpolicy
- * file_contexts
- * service_contexts
- * property_contexts
- * keys.conf
-
-Example BoardConfig.mk Usage:
-BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
- btdevice=/dev/gps
-
-SPECIFIC POLICY FILE INFORMATION
-
-mac_permissions.xml:
- ABOUT:
- The mac_permissions.xml file is used for controlling the mmac solutions
- as well as mapping a public base16 signing key with an arbitrary seinfo
- string. Details of the files contents can be found in a comment at the
- top of that file. The seinfo string, previously mentioned, is the same string
- that is referenced in seapp_contexts.
-
- It is important to note the final processed version of this file
- is stripped of comments and whitespace. This is to preserve space on the
- system.img. If one wishes to view it in a more human friendly format,
- the "tidy" or "xmllint" command will assist you.
-
- TOOLING:
- insertkeys.py
- Is a helper script for mapping arbitrary tags in the signature stanzas of
- mac_permissions.xml to public keys found in pem files. This script takes
- a mac_permissions.xml file(s) and configuration file in order to operate.
- Details of the configuration file (keys.conf) can be found in the subsection
- keys.conf. This tool is also responsible for stripping the comments and
- whitespace during processing.
-
- keys.conf
- The keys.conf file is used for controlling the mapping of "tags" found in
- the mac_permissions.xml signature stanzas with actual public keys found in
- pem files. The configuration file is processed via m4.
-
- The script allows for mapping any string contained in TARGET_BUILD_VARIANT
- with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
- user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
- any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
- and all options are matched lowercase. The options are "tolowered" automatically
- for the user, it is convention to specify tags and options in all uppercase
- and tags start with @. The option arguments can also use environment variables
- via the familiar $VARIABLE syntax. This is often useful for setting a location
- to ones release keys.
-
- Often times, one will need to integrate an application that was signed by a separate
- organization and may need to extract the pem file for the insertkeys/keys.conf tools.
- Extraction of the public key in the pem format is possible via openssl. First you need
- to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
- openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
- On some occasions CERT.RSA has a different name, and you will need to adjust for that.
- After extracting the pem, you can rename it, and configure keys.conf and
- mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
- editor and strip out anything outside the opening and closing scissor lines. Failure to do
- so WILL cause a compile time issue thrown by insertkeys.py
-
- NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
- and setool all use base16 encodings.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..16d7e45
--- /dev/null
+++ b/README.md
@@ -0,0 +1,117 @@
+# Android SEPolicy
+
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate `device/<vendor>/<board>/sepolicy` subdirectory and linked
+into the policy build as described below.
+
+## Policy Generation
+
+Additional, per device, policy files can be added into the
+policy build. These files should have each line including the
+final line terminated by a newline character (`0x0A`). This
+will allow files to be concatenated and processed whenever
+the `m4`(1) macro processor is called by the build process.
+Adding the newline will also make the intermediate text files
+easier to read when debugging build failures. The sets of file,
+service and property contexts files will automatically have a
+newline inserted between each file as these are common failure
+points.
+
+These device policy files can be configured through the use of
+the `BOARD_VENDOR_SEPOLICY_DIRS` variable. This variable should be set
+in the BoardConfig.mk file in the device or vendor directories.
+
+`BOARD_VENDOR_SEPOLICY_DIRS` contains a list of directories to search
+for additional policy files. Order matters in this list.
+For example, if you have 2 instances of widget.te files in the
+`BOARD_VENDOR_SEPOLICY_DIRS` search path, then the first one found (at the
+first search dir containing the file) will be concatenated first.
+Reviewing `out/target/product/<device>/obj/ETC/vendor_sepolicy.conf_intermediates/vendor_sepolicy.conf`
+will help sort out ordering issues.
+
+Example `BoardConfig.mk` Usage:
+From the Tuna device `BoardConfig.mk`, `device/samsung/tuna/BoardConfig.mk`
+
+ BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+ SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+ PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR`
+variables have been deprecated in favour of `SYSTEM_EXT_*`.
+
+Additionally, OEMs can specify `BOARD_SEPOLICY_M4DEFS` to pass arbitrary `m4`
+definitions during the build. A definition consists of a string in the form
+of `macro-name=value`. Spaces must **NOT** be present. This is useful for building modular
+policies, policy generation, conditional file paths, etc. It is supported in
+the following file types:
+* All `*.te` and SELinux policy files as passed to `checkpolicy`
+* `file_contexts`
+* `service_contexts`
+* `property_contexts`
+* `keys.conf`
+
+Example BoardConfig.mk Usage:
+
+ BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
+ btdevice=/dev/gps
+
+## SPECIFIC POLICY FILE INFORMATION
+
+### mac_permissions.xml
+The `mac_permissions.xml` file is used for controlling the mmac solutions
+as well as mapping a public base16 signing key with an arbitrary seinfo
+string. Details of the files contents can be found in a comment at the
+top of that file. The seinfo string, previously mentioned, is the same string
+that is referenced in seapp_contexts.
+
+It is important to note the final processed version of this file
+is stripped of comments and whitespace. This is to preserve space on the
+system.img. If one wishes to view it in a more human friendly format,
+the `tidy` or `xmllint` command will assist you.
+
+### insertkeys.py
+Is a helper script for mapping arbitrary tags in the signature stanzas of
+`mac_permissions.xml` to public keys found in pem files. This script takes
+a `mac_permissions.xml` file(s) and configuration file in order to operate.
+Details of the configuration file (`keys.conf`) can be found in the subsection
+keys.conf. This tool is also responsible for stripping the comments and
+whitespace during processing.
+
+### keys.conf
+The `keys.conf` file is used for controlling the mapping of "tags" found in
+the `mac_permissions.xml` signature stanzas with actual public keys found in
+pem files. The configuration file is processed via `m4`.
+
+The script allows for mapping any string contained in `TARGET_BUILD_VARIANT`
+with specific path to a pem file. Typically `TARGET_BUILD_VARIANT` is either
+user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
+any string specified in `TARGET_BUILD_VARIANT`. All tags are matched verbatim
+and all options are matched lowercase. The options are **tolowered** automatically
+for the user, it is convention to specify tags and options in all uppercase
+and tags start with @. The option arguments can also use environment variables
+via the familiar `$VARIABLE` syntax. This is often useful for setting a location
+to ones release keys.
+
+Often times, one will need to integrate an application that was signed by a separate
+organization and may need to extract the pem file for the `insertkeys/keys.conf` tools.
+Extraction of the public key in the pem format is possible via `openssl`. First you need
+to unzip the apk, once it is unzipped, `cd` into the `META_INF` directory and then execute
+
+ openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
+
+On some occasions `CERT.RSA` has a different name, and you will need to adjust for that.
+After extracting the pem, you can rename it, and configure `keys.conf` and
+`mac_permissions.xml` to pick up the change. You **MUST** open the generated pem file in a text
+editor and strip out anything outside the opening and closing scissor lines. Failure to do
+so **WILL** cause a compile time issue thrown by insertkeys.py
+
+**NOTE:** The pem files are base64 encoded and `PackageManagerService`, `mac_permissions.xml`
+ and `setool` all use base16 encodings.
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 4f7a0ff..83eceb0 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -103,6 +103,7 @@
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/tombstone_transmit.microdroid u:object_r:tombstone_transmit_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 3c80273..e4f0bb0 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -92,6 +92,7 @@
ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
new file mode 100644
index 0000000..588ebff
--- /dev/null
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -0,0 +1,8 @@
+type tombstone_transmit, domain, coredomain;
+type tombstone_transmit_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(tombstone_transmit)
+
+r_dir_file(tombstone_transmit, tombstone_data_file)
+
+allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index c86f862..002fb14 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -1,38 +1,8 @@
-# TODO(jiyong): clean this up
#############################
# Vendor files
#
(/.*)? u:object_r:vendor_file:s0
-/bin/sh u:object_r:vendor_shell_exec:s0
-/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/etc(/.*)? u:object_r:vendor_configs_file:s0
-/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
-/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
-
-/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/manifest\.xml u:object_r:vendor_configs_file:s0
-/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-/app(/.*)? u:object_r:vendor_app_file:s0
-/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
-/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 5522e32..0c02de3 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -15,7 +15,7 @@
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set { create_file_perms link };
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 5a1d863..58dba59 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -65,6 +65,7 @@
smart_idle_maint_enabled_prop
snapuserd_proxy_socket
sysfs_fs_fuse_bpf
+ sysfs_lru_gen_enabled
system_dlkm_file
tare_service
tv_iapp_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 26b1df3..0fd146e 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,6 +63,9 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+# For ACPI
+allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
diff --git a/private/file.te b/private/file.te
index 54d6df6..5a843f9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -76,6 +76,9 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/odsign_metrics
+type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/virtualizationservice
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b075839..2b765f6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -623,6 +623,7 @@
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
+/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 69ff58c..de02e1e 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -12,6 +12,7 @@
set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_mglru_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ca64733..2f1f84d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -162,6 +162,7 @@
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index a05f3de..114c184 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -129,7 +129,7 @@
allow gmscore_app cache_file:lnk_file r_file_perms;
# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
+allow gmscore_app ota_package_file:dir create_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
# Write the checkin metadata to /data/misc_ce/<userid>/checkin
diff --git a/private/odsign.te b/private/odsign.te
index 86a0a6b..f06795c 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -13,6 +13,10 @@
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;
+# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
+allow odsign odsign_metrics_file:dir rw_dir_perms;
+allow odsign odsign_metrics_file:file create_file_perms;
+
# Create and use pty created by android_fork_execvp().
create_pty(odsign)
@@ -61,5 +65,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 834d2df..2e8db3f 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,6 +3,7 @@
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
+system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index d244108..a92ad6b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -261,6 +261,9 @@
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+# MGLRU experiment prop
+persist.device_config.mglru_native.lru_gen_config u:object_r:device_config_mglru_native_prop:s0 exact enum none core core_and_mm_walk core_and_nonleaf_young all
+
# MM Events config props
persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
@@ -480,6 +483,8 @@
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
diff --git a/private/system_app.te b/private/system_app.te
index 77cca3d..01956f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,6 +176,10 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 7ca6019..179cbea 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -221,6 +221,11 @@
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;
+# Read metric file & upload to statsd
+allow system_server odsign_data_file:dir search;
+allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
+allow system_server odsign_metrics_file:file { r_file_perms unlink };
+
# Read /sys/kernel/debug/wakeup_sources.
no_debugfs_restriction(`
allow system_server debugfs_wakeup_sources:file r_file_perms;
@@ -726,6 +731,7 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
@@ -1260,6 +1266,7 @@
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
+ device_config_mglru_native_prop
device_config_storage_native_boot_prop
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 05e1664..c369a90 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -70,6 +70,13 @@
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
neverallow {
domain
-init
diff --git a/public/file.te b/public/file.te
index 55f65b6..8867ebb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -115,6 +115,7 @@
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
diff --git a/public/init.te b/public/init.te
index 5139038..e2010f3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -423,6 +423,7 @@
sysfs_power
sysfs_fs_f2fs
sysfs_dm
+ sysfs_lru_gen_enabled
}:file w_file_perms;
allow init {