Merge "Move adbd to an apex."
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ffeccdb..06380de 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -16,6 +16,7 @@
     hal_can_bus_hwservice
     hal_can_controller_hwservice
     hal_tv_tuner_hwservice
+    hal_vibrator_service
     init_svc_debug_prop
     iorap_prefetcherd
     iorap_prefetcherd_data_file
diff --git a/private/domain.te b/private/domain.te
index 3fc55a2..5851d75 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -321,4 +321,5 @@
   -uncrypt
   -tee
   -hal_bootctl_server
+  -fastbootd
 } self:global_capability_class_set sys_rawio;
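Review bot: The new `-fastbootd` exemption lets one more domain hold `sys_rawio`, but nothing next to it says why fastbootd needs raw I/O. The statement this list belongs to starts above the hunk, so I am inferring from the closing line that it is the neverallow guarding `sys_rawio`. A short comment beside the entry naming the operation that needs the capability would make the exemption auditable. It is also worth confirming that the matching allow rule (not in this diff) is restricted to recovery builds rather than granted unconditionally.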
diff --git a/private/dumpstate.te b/private/dumpstate.te
index cfa05fc..72e508e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -58,3 +58,5 @@
 allow dumpstate gsid_exec:file rx_file_perms;
 set_prop(dumpstate, ctl_gsid_prop)
 binder_call(dumpstate, gsid)
+
+r_dir_file(dumpstate, ota_metadata_file)
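Review bot: The added `r_dir_file(dumpstate, ota_metadata_file)` has no comment and no visible `allow dumpstate metadata_file:dir search;`. The snapshotctl policy touched in this same commit pairs its `ota_metadata_file` rules with that search permission on the parent directory. If dumpstate does not already have it earlier in the file (outside this hunk), the reads will be denied at the parent directory. Bug reports leave the device, so a comment stating what is collected would help, for example `# Allow dumpstate to read OTA snapshot metadata for bug reports.`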
diff --git a/private/keys.conf b/private/keys.conf
index 362e73d..8c899b6 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -17,6 +17,9 @@
 [@NETWORK_STACK]
 ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
 
+[@PERMISSION_CONTROLLER]
+ALL: $DEFAULT_SYSTEM_DEV_CERTIFICATE/com_google_android_permissioncontroller-container.x509.pem
+
 [@SHARED]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
 
diff --git a/private/keystore.te b/private/keystore.te
index 7f71028..ee6dbdf 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,9 +11,5 @@
 # This is used for the ConfirmationUI async callback.
 allow keystore platform_app:binder call;
 
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
-
 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c1..5095a2a 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -59,4 +59,10 @@
     <signer signature="@NETWORK_STACK" >
       <seinfo value="network_stack" />
     </signer>
+
+    <signer signature="@PERMISSION_CONTROLLER" >
+        <package name="com.google.android.permissioncontroller">
+            <seinfo value="permission_controller" />
+        </package>
+    </signer>
 </policy>
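Review bot: The new `<signer signature="@PERMISSION_CONTROLLER">` stanza is indented with eight spaces where the `@NETWORK_STACK` stanza above uses six, and it has no comment describing the fallback. As written, the `permission_controller` seinfo is assigned only when both the signing key and the package name `com.google.android.permissioncontroller` match. A build that ships the package under another key would presumably fall back to the generic privileged-app mapping and never enter the new domain. An XML comment above the stanza saying so, plus matching the file's indentation, would make that visible to whoever re-keys a release build.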
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 635cf4e..bf8be28 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -5,6 +5,7 @@
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
+hal_client_domain(mediaserver, hal_configstore)
 hal_client_domain(mediaserver, hal_omx)
 hal_client_domain(mediaserver, hal_codec2)
 
diff --git a/private/perfetto.te b/private/perfetto.te
index 8c7c8af..2183b6d 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -34,9 +34,12 @@
 allow perfetto adbd:fd use;
 allow perfetto adbd:unix_stream_socket { read write };
 
-# Allow adbd to reap perfetto
+# Allow adbd to reap perfetto.
 allow perfetto adbd:process { sigchld };
 
+# Allow perfetto to write to statsd.
+unix_socket_send(perfetto, statsdw, statsd)
+
 # Allow to access /dev/pts when launched in an adb shell.
 allow perfetto devpts:chr_file rw_file_perms;
 
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 0000000..9b09ce3
--- /dev/null
+++ b/private/permissioncontroller_app.te
@@ -0,0 +1,35 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
+
+app_domain(permissioncontroller_app)
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;
+
+allow permissioncontroller_app activity_task_service:service_manager find;
+allow permissioncontroller_app audio_service:service_manager find;
+allow permissioncontroller_app autofill_service:service_manager find;
+allow permissioncontroller_app device_policy_service:service_manager find;
+allow permissioncontroller_app location_service:service_manager find;
+allow permissioncontroller_app surfaceflinger_service:service_manager find;
+allow permissioncontroller_app trust_service:service_manager find;
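Review bot: The `# Allow everything.` comment above the permissive line is misleading, because the line is wrapped in `userdebug_or_eng`. User builds therefore enforce exactly the allow rules below, while denials are only logged, not enforced, on userdebug/eng. Any rule missing from this list will surface as a functional break on user builds, so the rule set should be validated against user-build behaviour before the STOPSHIP is cleared. I would reword the comment to `# Permissive on userdebug/eng builds only; user builds enforce the rules below.` The `service_manager find` rules from `activity_task_service` through `trust_service` also have no comment; one line saying why the app needs each service (or the group) would help later least-privilege review.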
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c74bd2c..3651389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -156,6 +156,7 @@
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app seinfo=permission_controller isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
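Review bot: The new `permissioncontroller_app` entry uses `levelFrom=all`, while the generic `isPrivApp=true` entry directly above it uses `levelFrom=user`. The process and its `privapp_data_file` data therefore get a different MLS category set than when the same package is mapped to `priv_app`. If that is intentional, a comment line above the entry would record it. If the package can already have data created under the `priv_app` mapping, it is worth confirming that the data directory is relabelled on update so the two category sets do not diverge.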
diff --git a/private/service_contexts b/private/service_contexts
index defdfa4..4041a60 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 78bf6fd..d07af3b 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -12,10 +12,10 @@
 allow snapshotctl gsi_service:service_manager find;
 binder_call(snapshotctl, gsid)
 
-# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
 allow snapshotctl metadata_file:dir search;
 allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+allow snapshotctl ota_metadata_file:file create_file_perms;
 
 # Allow to get A/B slot suffix from device tree or kernel cmdline.
 r_dir_file(snapshotctl, sysfs_dt_firmware_android);
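Review bot: Switching to `create_file_perms` grants more than the updated comment describes, because that macro expands to `create rename setattr unlink` plus `rw_file_perms`. If snapshotctl only needs to create the status files, `allow snapshotctl ota_metadata_file:file { create rw_file_perms unlink };` is the narrower form. If it writes files atomically via rename, the comment should say so, so that the extra permissions are justified in place.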
diff --git a/public/charger.te b/public/charger.te
index 48d6ad8..4b341ea 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -44,3 +44,5 @@
 set_prop(charger, exported3_system_prop)
 
 get_prop(charger, charger_prop)
+
+hal_client_domain(charger, hal_health)
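Review bot: The added `hal_client_domain(charger, hal_health)` carries no comment, although most rules in this public policy file would benefit from one when they open a new IPC path. A line such as `# Charger reads battery state through the health HAL.` above it would record why charger becomes a HAL client. Please adjust the wording if the actual use differs, since the caller side is not visible in this diff.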
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index d4da8df..40d9c6b 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -4,6 +4,11 @@
 
 hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
 
+add_service(hal_vibrator_server, hal_vibrator_service)
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_client hal_vibrator_service:service_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
 allow hal_vibrator sysfs_vibrator:dir search;
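Review bot: The three added rules register the vibrator HAL with servicemanager alongside the existing hwservice registration, but nothing explains why both exist. A comment above `add_service(...)` such as `# Binder (servicemanager) registration for the vibrator HAL, in addition to the HwBinder service above.` would make the split clear. The client-to-server `binder_call` rules are presumably in the lines above this hunk. If they are not, `find` alone will not let clients call the service.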
diff --git a/public/logpersist.te b/public/logpersist.te
index c7cab80..c8e6af4 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -1,6 +1,10 @@
 # android debug logging, logpersist domains
 type logpersist, domain;
 
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
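Review bot: These two allows sit unconditionally in public policy, so the execute grant on `shell_exec` is compiled into user builds as well. The file header calls this debug logging, but the rules that decide where the domain can be entered are outside this hunk. If logpersist is only started on userdebug/eng builds, wrapping both rules in `userdebug_or_eng` would keep shell execution out of production policy for this domain. If it must run on user builds, a sentence in the comment saying so would settle the question.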
diff --git a/public/service.te b/public/service.te
index 624d949..9d4aaeb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -190,6 +190,12 @@
 type wpantund_service, system_api_service, service_manager_type;
 
 ###
+### HAL Services
+###
+
+type hal_vibrator_service, vendor_service, service_manager_type;
+
+###
 ### Neverallow rules
 ###
 
diff --git a/public/wificond.te b/public/wificond.te
index e11d45d..a55872a 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -30,3 +30,14 @@
 # dumpstate support
 allow wificond dumpstate:fd use;
 allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+get_prop(wificond, hwservicemanager_prop)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:binder call;
+allow wificond keystore:keystore_key get;
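Review bot: `allow wificond keystore:keystore_key get;` gives the Wi-Fi daemon direct read access to keystore key blobs, and the comment above only says it is needed to serve the HwBinder service. Before this commit the service lived in keystore itself, so this widens what a compromise of wificond can reach. The comment should state which keys are expected to be readable and what bounds that on the keystore side, for example a caller-UID check if that is the mechanism. The `#### ... ###` header also differs from the single-`#` comment style used in the rest of the file.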
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d68011..07aaf5b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -61,6 +61,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service        u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example    u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
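Review bot: In the added vibrator entry the dot before `example` is not escaped, so the regex matches any character at that position, not only a literal dot. Every other dot on that line and its neighbours is written `\.`. The path should end `android\.hardware\.vibrator-service\.example` so the `hal_vibrator_default_exec` label can only land on the intended binary.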