Merge "Allow to signal perfetto from shell."
diff --git a/Android.mk b/Android.mk
index bb69f06..fcf9d9a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -298,7 +298,8 @@
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
@@ -314,7 +315,8 @@
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
new file mode 100644
index 0000000..ffc3109
--- /dev/null
+++ b/apex/com.android.conscrypt-file_contexts
@@ -0,0 +1,5 @@
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/apexd.te b/private/apexd.te
index 7a1e4e2..702ba57 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -21,6 +21,7 @@
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
+ BLKFLSBUF
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d3a6982..588c138 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -30,6 +30,7 @@
broadcastradio_service
cgroup_bpf
color_display_service
+ content_capture_service
crossprofileapps_service
ctl_interface_restart_prop
ctl_interface_start_prop
@@ -96,7 +97,6 @@
heapprofd_socket
incident_helper
incident_helper_exec
- intelligence_service
iorapd
iorapd_data_file
iorapd_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 764a9ea..e63d226 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -28,6 +28,7 @@
bpfloader_exec
cgroup_bpf
color_display_service
+ content_capture_service
crossprofileapps_service
ctl_interface_restart_prop
ctl_interface_start_prop
@@ -87,7 +88,6 @@
heapprofd_socket
incident_helper
incident_helper_exec
- intelligence_service
iorapd
iorapd_data_file
iorapd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 900c8c2..1b07deb 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
apexd_prop
apexd_tmpfs
biometric_service
+ content_capture_service
cpu_variant_prop
dev_cpu_variant
device_config_boot_count_prop
@@ -44,7 +45,6 @@
heapprofd_prop
heapprofd_socket
idmap_service
- intelligence_service
iris_service
iris_vendor_data_file
llkd
@@ -62,8 +62,11 @@
mediaswcodec_tmpfs
mnt_product_file
overlayfs_file
+ permissionmgr_service
recovery_socket
role_service
+ rss_hwm_reset
+ rss_hwm_reset_exec
runtime_service
super_block_device
system_lmk_prop
diff --git a/private/file_contexts b/private/file_contexts
index fac31a0..0d0835d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -251,6 +251,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
diff --git a/private/rss_hwm_reset.te b/private/rss_hwm_reset.te
new file mode 100644
index 0000000..30818c2
--- /dev/null
+++ b/private/rss_hwm_reset.te
@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 49087c8..9fe7855 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -32,6 +32,7 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
+content_capture u:object_r:content_capture_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
@@ -80,7 +81,6 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
-intelligence u:object_r:intelligence_service:s0
ipsec u:object_r:ipsec_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
@@ -129,6 +129,7 @@
package_native u:object_r:package_native_service:s0
perfprofd u:object_r:perfprofd_service:s0
permission u:object_r:permission_service:s0
+permissionmgr u:object_r:permissionmgr_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 8825e2e..0db825a 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@
# directories for targetApi<=25. This is also allowed for targetAPIs 26,
# 27, and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index fab6acc..f3b9df8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,6 +30,7 @@
# The ability to call exec() or dlopen() on files in the apps home
# directories for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/zygote.te b/private/zygote.te
index d1e0f55..0c1e0df 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -91,6 +91,7 @@
# Allow creating user-specific storage source if started before vold.
allow zygote mnt_user_file:dir create_dir_perms;
allow zygote mnt_user_file:lnk_file create_file_perms;
+allow zygote mnt_user_file:file create_file_perms;
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
# Allow mounting on sdcardfs dirs
diff --git a/public/domain.te b/public/domain.te
index d0e4e41..ab6610f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1354,6 +1354,7 @@
perfprofd
postinstall_dexopt
recovery
+ rss_hwm_reset
sdcardd
tee
ueventd
diff --git a/public/property_contexts b/public/property_contexts
index 1533a0f..da12ae3 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -309,6 +309,7 @@
ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
diff --git a/public/rss_hwm_reset.te b/public/rss_hwm_reset.te
new file mode 100644
index 0000000..163e1ac
--- /dev/null
+++ b/public/rss_hwm_reset.te
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/public/service.te b/public/service.te
index 7799c84..c244c0c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -65,6 +65,7 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -99,7 +100,6 @@
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type intelligence_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -125,6 +125,7 @@
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permissionmgr_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9ed0468..a6772ca 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -19,6 +19,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0