Merge "Restrict vsock permissions" into main
diff --git a/Android.bp b/Android.bp
index 1a2d1ef..dc6761c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -123,7 +123,7 @@
"202404.compat.cil",
],
}) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
- "true": ["plat_sepolicy_and_mapping.sha256"],
+ true: ["plat_sepolicy_and_mapping.sha256"],
default: [],
}),
}
diff --git a/OWNERS b/OWNERS
index 1f2ac9b..488be27 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,5 +1,4 @@
adamshih@google.com
-alanstokes@google.com
bowgotsai@google.com
inseob@google.com
jbires@google.com
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a65de35..d4c81e8 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -231,6 +231,14 @@
}
}
+func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
return !m.ModuleBase.InstallInRecovery()
}
@@ -706,6 +714,14 @@
func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
}
+func (m *contextsTestModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *contextsTestModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
return true
}
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 4267d09..4a964fd 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -52,6 +52,7 @@
apex_mnt_dir
apk_data_file
binderfs
+ binfmt_miscfs
cgroup
cgroup_v2
userdebug_or_eng(debugfs)
@@ -81,6 +82,7 @@
allow dexopt_chroot_setup {
binderfs
+ binfmt_miscfs
cgroup
cgroup_v2
userdebug_or_eng(debugfs)
diff --git a/private/property.te b/private/property.te
index 19513d9..77fd497 100644
--- a/private/property.te
+++ b/private/property.te
@@ -66,6 +66,7 @@
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)
+system_internal_prop(system_service_enable_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 9b48082..601dc99 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1695,3 +1695,7 @@
# Properties for controlling snapshotctl.
sys.snapshotctl.map u:object_r:snapshotctl_prop:s0 exact string
sys.snapshotctl.unmap u:object_r:snapshotctl_prop:s0 exact string
+
+# Properties for enabling/disabling system services
+ro.system_settings.service.odp_enabled u:object_r:system_service_enable_prop:s0 exact bool
+ro.system_settings.service.backgound_install_control_enabled u:object_r:system_service_enable_prop:s0 exact bool
diff --git a/private/system_server.te b/private/system_server.te
index e7ae9fc..1298bf7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -900,6 +900,9 @@
# configuration properties
get_prop(system_server, sensors_config_prop)
+# Allow system server to determine if system services are enabled
+get_prop(system_server, system_service_enable_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;