commit b289dc4d1de4fcb66b679699797c10fed5407066
author Treehugger Robot <treehugger-gerrit@google.com> Fri Feb 04 19:26:00 2022 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Feb 04 19:26:00 2022 +0000
tree f6a1983611ae99a1fad6b53e97e7d8f12d25a83a
parent 391f2b26fc050a0b91fe7fadbdc5f55ef6c7de2b
parent be3ff9b93a8868f45e88f052b0388fc8501dec72

Merge "Grant system_app permission to access cgroup_v2 directories"

private/compat/32.0/32.0.ignore.cil

diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 4d55168..f834ca3 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -47,6 +47,7 @@
     nearby_service
     proc_watermark_boost_factor
     proc_watermark_scale_factor
+    remotelyprovisionedkeypool_service
     resources_manager_service
     selection_toolbar_service
     snapuserd_proxy_socket

private/credstore.te

diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..c410d76 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -4,3 +4,9 @@
 
 # talk to Identity Credential
 hal_client_domain(credstore, hal_identity)
+
+# talk to keymint, specifically for IRemotelyProvisionedComponent/default
+hal_client_domain(credstore, hal_keymint)
+
+# credstore needs to get keys from the remotely provisioned pool
+allow credstore remotelyprovisionedkeypool_service:service_manager find;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 618794e..05e5179 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -473,7 +473,7 @@
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.device.default_name                        u:object_r:bluetooth_config_prop:s0 exact string
-bluetooth.device.class_of_device                     u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.device.class_of_device                     u:object_r:bluetooth_config_prop:s0 exact string
 
 bluetooth.profile.a2dp.sink.enabled                  u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.profile.a2dp.source.enabled                u:object_r:bluetooth_config_prop:s0 exact bool

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index 982eae7..a22f272 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -86,6 +86,7 @@
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
+android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0

public/keystore.te

diff --git a/public/keystore.te b/public/keystore.te
index 9535491..e1c58a4 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
 allow keystore keystore_exec:file { getattr };
 
 add_service(keystore, keystore_service)
+add_service(keystore, remotelyprovisionedkeypool_service)
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;

public/service.te

diff --git a/public/service.te b/public/service.te
index b7d700b..012a781 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
+type remotelyprovisionedkeypool_service, service_manager_type;
 type remoteprovisioning_service,   service_manager_type;
 type secure_element_service,    service_manager_type;
 type service_manager_service,   service_manager_type;
@@ -61,7 +62,7 @@
 type adb_service, system_api_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
+type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

public/te_macros

diff --git a/public/te_macros b/public/te_macros
index 032534f..5c3438f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -196,6 +196,8 @@
 # permission to create a vsock; the client can only connect to VMs
 # that it owns.
 allow $1 virtualizationservice:vsock_socket { getattr read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
 ')
 
 #####################################