Merge "Sepolicy for StatsBootstrapAtomService"
diff --git a/Android.bp b/Android.bp
index e517356..b9c5808 100644
--- a/Android.bp
+++ b/Android.bp
@@ -594,18 +594,21 @@
 service_contexts {
     name: "plat_service_contexts",
     srcs: [":service_contexts_files"],
+    recovery_available: true,
 }
 
 service_contexts {
     name: "system_ext_service_contexts",
     srcs: [":service_contexts_files"],
     system_ext_specific: true,
+    recovery_available: true,
 }
 
 service_contexts {
     name: "product_service_contexts",
     srcs: [":service_contexts_files"],
     product_specific: true,
+    recovery_available: true,
 }
 
 service_contexts {
@@ -613,6 +616,7 @@
     srcs: [":service_contexts_files"],
     reqd_mask: true,
     soc_specific: true,
+    recovery_available: true,
 }
 
 keystore2_key_contexts {
@@ -1156,6 +1160,33 @@
     installable: false,
 }
 
+// bug_map - Bug tracking information for selinux denials loaded by auditd.
+se_filegroup {
+    name: "bug_map_files",
+    srcs: ["bug_map"],
+}
+
+se_bug_map {
+    name: "plat_bug_map",
+    srcs: [":bug_map_files"],
+    stem: "bug_map",
+}
+
+se_bug_map {
+    name: "system_ext_bug_map",
+    srcs: [":bug_map_files"],
+    stem: "bug_map",
+    system_ext_specific: true,
+}
+
+se_bug_map {
+    name: "vendor_bug_map",
+    srcs: [":bug_map_files"],
+    // Legacy file name of the vendor partition bug_map.
+    stem: "selinux_denial_metadata",
+    vendor: true,
+}
+
 //////////////////////////////////
 // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
 // Additional directories can be specified via Makefile variables:
diff --git a/Android.mk b/Android.mk
index 6fd84e9..efacc1b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -381,6 +381,7 @@
     plat_service_contexts_test \
     plat_hwservice_contexts \
     plat_hwservice_contexts_test \
+    plat_bug_map \
     searchpolicy \
 
 # This conditional inclusion closely mimics the conditional logic
@@ -455,6 +456,7 @@
     system_ext_service_contexts \
     system_ext_service_contexts_test \
     system_ext_mac_permissions.xml \
+    system_ext_bug_map \
     $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
 
 endif
@@ -549,6 +551,7 @@
     vendor_service_contexts \
     vendor_hwservice_contexts \
     vendor_hwservice_contexts_test \
+    vendor_bug_map \
     vndservice_contexts \
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -567,9 +570,6 @@
 LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
 LOCAL_REQUIRED_MODULES += selinux_policy_product
 
-LOCAL_REQUIRED_MODULES += \
-    selinux_denial_metadata \
-
 # Builds an addtional userdebug sepolicy into the debug ramdisk.
 LOCAL_REQUIRED_MODULES += \
     userdebug_plat_sepolicy.cil \
@@ -1212,26 +1212,6 @@
 file_contexts.modules.tmp :=
 
 ##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
-
-$(LOCAL_BUILT_MODULE) : $(bug_files)
-	@mkdir -p $(dir $@)
-	cat $^ > $@
-
-bug_files :=
-
-##################################
 include $(LOCAL_PATH)/seapp_contexts.mk
 
 ##################################
diff --git a/apex/Android.bp b/apex/Android.bp
index faff4a6..5276cca 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -183,6 +183,13 @@
 }
 
 filegroup {
+  name: "com.android.sepolicy-file_contexts",
+  srcs: [
+    "com.android.sepolicy-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.telephony-file_contexts",
   srcs: [
     "com.android.telephony-file_contexts",
diff --git a/apex/com.android.sepolicy-file_contexts b/apex/com.android.sepolicy-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.sepolicy-file_contexts
@@ -0,0 +1 @@
+(/.*)?                   u:object_r:system_file:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 3126430..e3b6541 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,6 +31,7 @@
         "soong-sysprop",
     ],
     srcs: [
+        "bug_map.go",
         "build_files.go",
         "cil_compat_map.go",
         "compat_cil.go",
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
new file mode 100644
index 0000000..91c6347
--- /dev/null
+++ b/build/soong/bug_map.go
@@ -0,0 +1,112 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"github.com/google/blueprint/proptools"
+
+	"android/soong/android"
+)
+
+func init() {
+	android.RegisterModuleType("se_bug_map", bugMapFactory)
+}
+
+// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
+func bugMapFactory() android.Module {
+	c := &bugMap{}
+	c.AddProperties(&c.properties)
+	android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+	return c
+}
+
+type bugMap struct {
+	android.ModuleBase
+	properties    bugMapProperties
+	installSource android.Path
+	installPath   android.InstallPath
+}
+
+type bugMapProperties struct {
+	// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+	Srcs []string `android:"path"`
+
+	// Output file name. Defaults to module name if unspecified.
+	Stem *string
+}
+
+func (b *bugMap) stem() string {
+	return proptools.StringDefault(b.properties.Stem, b.Name())
+}
+
+func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
+	srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
+	for _, src := range b.properties.Srcs {
+		if m := android.SrcIsModule(src); m != "" {
+			module := android.GetModuleFromPathDep(ctx, m, "")
+			if module == nil {
+				// Error would have been handled by ExtractSourcesDeps
+				continue
+			}
+			if fg, ok := module.(*fileGroup); ok {
+				if b.SocSpecific() {
+					srcPaths = append(srcPaths, fg.VendorSrcs()...)
+					srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
+				} else if b.SystemExtSpecific() {
+					srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+				} else {
+					srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+				}
+			} else {
+				ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+			}
+		} else {
+			srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+		}
+	}
+	return android.FirstUniquePaths(srcPaths)
+}
+
+func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
+		ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
+	}
+
+	srcPaths := b.expandSeSources(ctx)
+	out := android.PathForModuleGen(ctx, b.Name())
+	ctx.Build(pctx, android.BuildParams{
+		Rule:        android.Cat,
+		Inputs:      srcPaths,
+		Output:      out,
+		Description: "Combining bug_map for " + b.Name(),
+	})
+
+	b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+	b.installSource = out
+	ctx.InstallFile(b.installPath, b.stem(), b.installSource)
+}
+
+func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
+	return []android.AndroidMkEntries{android.AndroidMkEntries{
+		Class:      "ETC",
+		OutputFile: android.OptionalPathForPath(b.installSource),
+		ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+			func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+				entries.SetPath("LOCAL_MODULE_PATH", b.installPath.ToMakePath())
+				entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
+			},
+		},
+	}}
+}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index bbb8639..5859fc1 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -219,25 +219,19 @@
 }
 
 func (m *selinuxContextsModule) AndroidMk() android.AndroidMkData {
+	nameSuffix := ""
+	if m.InRecovery() && !m.onlyInRecovery() {
+		nameSuffix = ".recovery"
+	}
 	return android.AndroidMkData{
-		Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
-			nameSuffix := ""
-			if m.InRecovery() && !m.onlyInRecovery() {
-				nameSuffix = ".recovery"
-			}
-			fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
-			fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
-			fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
-			data.Entries.WriteLicenseVariables(w)
-			fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
-			if m.Owner() != "" {
-				fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
-			}
-			fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
-			fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
-			fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
-			fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
-			fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
+		Class:      "ETC",
+		OutputFile: android.OptionalPathForPath(m.outputPath),
+		SubName:    nameSuffix,
+		Extra: []android.AndroidMkExtraFunc{
+			func(w io.Writer, outputFile android.Path) {
+				fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+				fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.Name())
+			},
 		},
 	}
 }
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 1066367..8a5f628 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -53,6 +53,7 @@
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/hvc0               u:object_r:serial_device:s0
 /dev/hvc1               u:object_r:serial_device:s0
+/dev/hvc2               u:object_r:serial_device:s0
 /dev/hw_random		u:object_r:hw_random_device:s0
 /dev/hwbinder		u:object_r:hwbinder_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
@@ -84,7 +85,6 @@
 /dev/uinput		u:object_r:uhid_device:s0
 /dev/uio[0-9]*		u:object_r:uio_device:s0
 /dev/urandom		u:object_r:random_device:s0
-/dev/hvc0		u:object_r:serial_device:s0
 /dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/vsock		u:object_r:vsock_device:s0
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index ffc2b3b..50c2c81 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,7 +7,7 @@
 # in tools/checkfc.c
 attribute dev_type;
 
-# Attribute for block devices.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute bdev_type;
 
 # All types used for processes.
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 898224c..c03fb4d 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,7 +1,7 @@
 type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
 type dm_device, dev_type;
@@ -34,7 +34,7 @@
 type uhid_device, dev_type, mlstrustedobject;
 type uio_device, dev_type;
 type userdata_sysdev, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
 type vndbinder_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index 09799bd..d43ed33 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -86,6 +86,7 @@
 allow apexd apex_info_file:file relabelto;
 # apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
 allow apexd apex_info_file:file rw_file_perms;
+allow apexd apex_info_file:file mounton;
 
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
diff --git a/private/access_vectors b/private/access_vectors
index 6edcd1f..fc17c1d 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -727,6 +727,7 @@
 	get_state
 	list
 	lock
+	migrate_any_key
 	pull_metrics
 	report_off_body
 	reset
@@ -749,6 +750,16 @@
 	use_dev_id
 }
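Review bot: `migrate_any_key` is added to the keystore2_key class with no comment, grant or neverallow anywhere in this change, so which domains end up holding it is left entirely to later policy. Its name suggests it bypasses the per-namespace ownership that the other keystore2_key permissions enforce, so the first grant should land together with a neverallow confining it to the intended domain, and a one-line comment above the permission describing what it allows would make the access_vectors entry reviewable on its own.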
 
+class diced
+{
+	demote
+	demote_self
+	derive
+	get_attestation_chain
+	use_seal
+	use_sign
+}
+
 class drmservice {
 	consumeRights
 	setPlaybackStatus
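Review bot: The new `diced` class defines `demote`, `demote_self`, `derive`, `get_attestation_chain`, `use_seal` and `use_sign`, but nothing in this change documents them or grants them, and security_classes only records that the class is userspace-enforced. A short comment above the class naming the enforcing service (diced, per the new domain) and what each permission gates would make later grants auditable, and the first `allow` on this class should be paired with neverallows for the identity-affecting permissions (`demote`, `use_seal`, `use_sign`) so the set of clients is pinned in platform policy rather than left open to vendor extension.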
diff --git a/private/apexd.te b/private/apexd.te
index feee8ff..2e890a0 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -78,6 +78,7 @@
 allow apexd apex_info_file:file relabelto;
 # apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
 allow apexd apex_info_file:file rw_file_perms;
+allow apexd apex_info_file:file mounton;
 
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
@@ -154,6 +155,10 @@
 # Allow apexd to read per-device configuration properties.
 get_prop(apexd, apexd_config_prop)
 
+# Allow apexd to read apex selection properties.
+# These are used to choose between multi-installed APEXes at activation time.
+get_prop(apexd, apexd_select_prop)
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 343ec7a..25cfda4 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,3 +41,7 @@
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
+# this should perhaps be moved to the bpfloader binary itself.  Allow both.
+neverallow { domain -bpfloader -init } proc_bpf:file write;
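Review bot: The new neverallow exempts init and bpfloader but not vendor_init, so a vendor init.rc that writes one of the sysctls now labelled proc_bpf (`/proc/sys/kernel/bpf_*`, `/proc/sys/kernel/unprivileged_bpf_*`, `/proc/sys/net/core/bpf_*`) becomes a build-time neverallow failure instead of a runtime denial. That is presumably the intent — bpf sysctls are platform-owned — but the comment should say so explicitly, e.g. `# vendor_init is intentionally not exempted: bpf sysctls are platform-owned.` The existing comment also reads as two run-on sentences; a period after `setup` would fix it.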
diff --git a/private/charger.te b/private/charger.te
index 8be113f..c5f3a50 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -2,16 +2,13 @@
 
 # charger needs to tell init to continue the boot
 # process when running in charger mode.
+# The system charger needs to be allowed to set these properties on legacy devices.
 set_prop(charger, system_prop)
 set_prop(charger, exported_system_prop)
 set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
 
+# The system charger can read ro.charger.*
 get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
 
 compatible_property_only(`
     neverallow {
@@ -21,11 +18,3 @@
         -charger
     } charger_prop:file no_rw_file_perms;
 ')
-
-neverallow {
-    domain
-    -init
-    -dumpstate
-    -vendor_init
-    -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/charger_type.te b/private/charger_type.te
new file mode 100644
index 0000000..cb699de
--- /dev/null
+++ b/private/charger_type.te
@@ -0,0 +1,38 @@
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger_type, charger_status_prop)
+get_prop(charger_type, charger_config_prop)
+
+# get minui properties
+get_prop(charger_type, recovery_config_prop)
+
+### Neverallow rules for charger properties
+
+# charger_config_prop: Only init and vendor_init is allowed to set it
+neverallow {
+    domain
+    -init
+    -vendor_init
+} charger_config_prop:property_service set;
+
+# charger_status_prop: Only init, vendor_init, charger, and hal_health_server
+# are allowed to set it
+neverallow {
+    domain
+    -init
+    -vendor_init
+    -charger
+    -hal_health_server
+} charger_status_prop:property_service set;
+
+# Both charger_config_prop and charger_status_prop:
+# Only init, vendor_init, dumpstate, charger, and hal_health_server
+# are allowed to read it
+neverallow {
+    domain
+    -init
+    -dumpstate
+    -vendor_init
+    -charger
+    -hal_health_server
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/clatd.te b/private/clatd.te
index 0fa774a..dfcaf57 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -12,25 +12,9 @@
 # Access objects inherited from netd.
 allow clatd netd:fd use;
 allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
 
 allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
 
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
 allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index a71eec4..eaf971b 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -4,6 +4,7 @@
 (type apex_scheduling_data_file)
 (type apex_wifi_data_file)
 (type healthd_exec)
+(type nonplat_service_contexts_file)
 (type vr_hwc)
 (type vr_hwc_exec)
 
@@ -1963,6 +1964,7 @@
 (typeattributeset privapp_data_file_31_0 (privapp_data_file))
 (typeattributeset proc_31_0
   ( proc
+    proc_bpf
     proc_cpu_alignment
 ))
 (typeattributeset proc_abi_31_0 (proc_abi))
@@ -1995,7 +1997,10 @@
 (typeattributeset proc_misc_31_0 (proc_misc))
 (typeattributeset proc_modules_31_0 (proc_modules))
 (typeattributeset proc_mounts_31_0 (proc_mounts))
-(typeattributeset proc_net_31_0 (proc_net))
+(typeattributeset proc_net_31_0
+  ( proc_bpf
+    proc_net
+))
 (typeattributeset proc_net_tcp_udp_31_0 (proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_31_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_31_0 (proc_page_cluster))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 3183ff1..f89c3ba 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -5,21 +5,35 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    apexd_select_prop
     artd_service
     attestation_verification_service
     camera2_extensions_prop
     device_config_nnapi_native_prop
+    dice_maintenance_service
+    dice_node_service
+    diced
+    diced_exec
     extra_free_kbytes
     extra_free_kbytes_exec
     hal_contexthub_service
+    hal_dice_service
     hal_graphics_composer_service
     hal_health_service
+    hal_radio_config_service
+    hal_radio_data_service
+    hal_radio_messaging_service
+    hal_radio_modem_service
+    hal_radio_network_service
+    hal_radio_sim_service
+    hal_radio_voice_service
     hal_sensors_service
     hal_system_suspend_service
     hal_tv_tuner_service
     hal_uwb_service
     hal_uwb_vendor_service
     hal_wifi_hostapd_service
+    hal_wifi_supplicant_service
     hal_nlinterceptor_service
     hypervisor_prop
     locale_service
diff --git a/private/composd.te b/private/composd.te
index 4f85125..5edea69 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -6,6 +6,9 @@
 binder_use(composd)
 add_service(composd, compos_service)
 
+# Call back into system server
+binder_call(composd, system_server)
+
 # Start a VM
 virtualizationservice_use(composd)
 
@@ -14,5 +17,7 @@
 allow composd apex_compos_data_file:dir create_dir_perms;
 allow composd apex_compos_data_file:file create_file_perms;
 
-# Run odrefresh to refresh ART artifacts
+# TODO(b/205750213): Removed these when we run odrefresh in the VM
+# Run odrefresh to refresh ART artifacts, and kill it if we need to
 domain_auto_trans(composd, odrefresh_exec, odrefresh)
+allow composd odrefresh:process sigkill;
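Review bot: The new TODO reads `Removed these when we run odrefresh in the VM`; it should be `Remove these when we run odrefresh in the VM`, and since `these` will become ambiguous as rules accumulate, name what it covers, e.g. `# TODO(b/205750213): Remove the odrefresh transition and sigkill grant below once odrefresh runs in the VM.` The `sigkill` grant itself is scoped to the odrefresh domain only, which is appropriately narrow.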
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 9233a4d..90ffeb5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,6 +8,7 @@
   -apexd
   -bpfloader
   -crash_dump
+  -diced
   -init
   -kernel
   -keystore
@@ -40,6 +41,7 @@
   apexd
   userdebug_or_eng(`-apexd')
   bpfloader
+  diced
   init
   kernel
   keystore
diff --git a/private/diced.te b/private/diced.te
new file mode 100644
index 0000000..b37809c
--- /dev/null
+++ b/private/diced.te
@@ -0,0 +1,6 @@
+typeattribute diced coredomain;
+
+init_daemon_domain(diced)
+
+# Talk to dice HAL.
+hal_client_domain(diced, hal_dice)
diff --git a/private/file.te b/private/file.te
index f2d3f56..f3e1855 100644
--- a/private/file.te
+++ b/private/file.te
@@ -74,3 +74,6 @@
 
 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;
+
+# /metadata/sepolicy
+type sepolicy_metadata_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 14a56d5..c1110cf 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -48,29 +48,21 @@
 
 # SELinux policy files
 /vendor_file_contexts   u:object_r:file_contexts_file:s0
-/nonplat_file_contexts  u:object_r:file_contexts_file:s0
 /plat_file_contexts     u:object_r:file_contexts_file:s0
 /product_file_contexts  u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
 /plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /product_property_contexts  u:object_r:property_contexts_file:s0
-/nonplat_property_contexts  u:object_r:property_contexts_file:s0
 /vendor_property_contexts   u:object_r:property_contexts_file:s0
 /seapp_contexts     u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /vendor_seapp_contexts      u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/nonplat_service_contexts   u:object_r:nonplat_service_contexts_file:s0
-# Use nonplat_service_contexts_file to allow servicemanager to read it
-# on non full-treble devices.
-/vendor_service_contexts    u:object_r:nonplat_service_contexts_file:s0
-/nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/vendor_service_contexts    u:object_r:vendor_service_contexts_file:s0
 /vendor_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
 /vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 
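Review bot: `/vendor_service_contexts` on the rootfs is relabelled from nonplat_service_contexts_file to vendor_service_contexts_file, and the comment being removed explained that the old label existed so servicemanager could read the file on non-full-Treble devices; nothing in this diff shows servicemanager being granted read on vendor_service_contexts_file. Confirm servicemanager.te (outside this diff) already has `allow servicemanager vendor_service_contexts_file:file r_file_perms;`, otherwise devices that still ship the file at the root stop loading vendor service contexts. The `(type nonplat_service_contexts_file)` entry added to 31.0.cil is the consistent counterpart to dropping the label here.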
@@ -278,6 +270,7 @@
 /system/bin/credstore	u:object_r:credstore_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/keystore2	u:object_r:keystore_exec:s0
+/system/bin/diced      u:object_r:diced_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
@@ -285,6 +278,7 @@
 /system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
 /system/bin/sdcard      u:object_r:sdcardd_exec:s0
 /system/bin/snapshotctl      u:object_r:snapshotctl_exec:s0
+/system/bin/remount              u:object_r:remount_exec:s0
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/dhcpcd-6\.8\.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
@@ -402,8 +396,6 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
 /(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
 
 #############################
@@ -787,6 +779,7 @@
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
+/metadata/sepolicy(/.*)?    u:object_r:sepolicy_metadata_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index c4e589d..69ff58c 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -22,6 +22,7 @@
 set_prop(flags_health_check, device_config_configuration_prop)
 set_prop(flags_health_check, device_config_connectivity_prop)
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3e2dbe4..39b04f3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -44,6 +44,7 @@
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
@@ -74,8 +75,10 @@
 genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
 genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
@@ -120,7 +123,6 @@
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block                       u:object_r:sysfs_block:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0
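Review bot: Dropping `genfscon sysfs /class/block` means /sys/class/block and its entries now fall back to the generic `sysfs` label, which is likely readable by more domains than `sysfs_block` was, and the diff gives no rationale. If the reason is that the entries under /sys/class/block are symlinks into /sys/devices whose targets carry their own labels, record that in the commit description or in a comment next to the remaining `sysfs_block` genfscon lines, and check that no domain still relies on `sysfs_block` for this path.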
@@ -230,6 +232,12 @@
 genfscon tracefs /events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
+genfscon tracefs /synthetic_events                                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/synthetic/rss_stat_throttled                    u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/synthetic_events                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/synthetic/rss_stat_throttled            u:object_r:debugfs_tracing:s0
+
 genfscon tracefs /trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /buffer_size_kb                                         u:object_r:debugfs_tracing:s0
 genfscon tracefs /options/overwrite                                      u:object_r:debugfs_tracing:s0
diff --git a/private/gsid.te b/private/gsid.te
index 2ccc51c..fa76da0 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -55,8 +55,15 @@
 # Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
 allow gsid block_device:dir r_dir_perms;
 
+# Allow querying the size of super_block_device_type.
+allow gsid super_block_device_type:blk_file r_file_perms;
+
 # liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
+allowxperm gsid {
+  userdata_block_device
+  sdcard_block_device
+  super_block_device_type
+}:blk_file ioctl {
   BLKIOMIN
   BLKALIGNOFF
 };
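Review bot: The comment says the new rule is for querying the size of super_block_device_type, but the allowxperm list only adds BLKIOMIN and BLKALIGNOFF, so a size query via `ioctl(BLKGETSIZE64)` would still be rejected by the xperm filter that this rule now installs for gsid on that type. If liblp obtains the size with `lseek(SEEK_END)` the `r_file_perms` grant is sufficient and the comment should say so; otherwise add `BLKGETSIZE64` to the allowxperm list. `open`+`read` is needed either way (O_RDONLY checks `read`), so the permission set itself is about as narrow as it can be.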
diff --git a/private/init.te b/private/init.te
index 09a9a5e..26aea2f 100644
--- a/private/init.te
+++ b/private/init.te
@@ -15,6 +15,7 @@
   domain_trans(init, rootfs, fastbootd)
   domain_trans(init, rootfs, recovery)
   domain_trans(init, rootfs, linkerconfig)
+  domain_trans(init, rootfs, servicemanager)
   domain_trans(init, rootfs, snapuserd)
 ')
 domain_trans(init, shell_exec, shell)
@@ -106,6 +107,11 @@
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
+# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
+# attempt to write a non exisiting 'synthetic_events' file, when setting
+# up synthetic events. This is a no-op in tracefs.
+dontaudit init debugfs_tracing_debug:dir { write add_name };
+
 # chown/chmod on devices.
 allow init {
   dev_type
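Review bot: The new comment has a typo (`non exisiting`) and describes the rule more narrowly than it is: `dontaudit init debugfs_tracing_debug:dir { write add_name }` silences directory-write denials for any file init tries to create under debugfs_tracing_debug, not only `synthetic_events`. That is acceptable for a dontaudit, but say so, e.g. `# Note: this also hides any other create attempt under debugfs_tracing_debug.`, and fix the spelling to `non-existent`.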
diff --git a/private/llkd.te b/private/llkd.te
index 9c96dfb..8512e85 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -23,6 +23,7 @@
   allow llkd {
     domain
     -apexd
+    -diced
     -kernel
     -keystore
     -init
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 6f7d027..817416d 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -18,6 +18,7 @@
 hal_client_domain(mediatranscoding, hal_configstore)
 hal_client_domain(mediatranscoding, hal_omx)
 hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
 
 allow mediatranscoding mediaserver_service:service_manager find;
 allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 040ffe6..7b5c5a9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -265,6 +265,8 @@
 apexd.config.dm_delete.timeout           u:object_r:apexd_config_prop:s0 exact uint
 apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
 persist.apexd.          u:object_r:apexd_prop:s0
+persist.vendor.apex.    u:object_r:apexd_select_prop:s0
+ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
 
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
 
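Review bot: `persist.vendor.apex.` and `ro.boot.vendor.apex.` become apexd_select_prop, which apexd reads to choose between multi-installed APEXes at activation time (per the apexd.te comment in this change), yet no neverallow restricting who may set that context is added. A persistent, writable selector over which APEX payload gets activated is effectively a code-selection control, so pair the get_prop grant with `neverallow { domain -init -vendor_init } apexd_select_prop:property_service set;` so vendor domains cannot flip it at runtime. These are prefix entries, so every property under the prefixes takes the label; if the selector keys are a fixed set, `exact` entries would be tighter.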
@@ -337,6 +339,7 @@
 
 config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
 
+camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
 camera.disable_zsl_mode       u:object_r:camera_config_prop:s0 exact bool
 camera.fifo.disable           u:object_r:camera_config_prop:s0 exact bool
 ro.camera.notify_nfc          u:object_r:camera_config_prop:s0 exact bool
diff --git a/private/remount.te b/private/remount.te
new file mode 100644
index 0000000..4dd94a5
--- /dev/null
+++ b/private/remount.te
@@ -0,0 +1,15 @@
+type remount, domain, coredomain;
+type remount_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  # Allow init to run clean_scratch_files and do auto domain transfer.
+  init_daemon_domain(remount)
+
+  # Allow talking to gsid.
+  binder_use(remount)
+  allow remount gsi_service:service_manager find;
+  binder_call(remount, gsid)
+
+  # Allow searching for /metadata/gsi/remount/lp_metadata.
+  allow remount { metadata_file gsi_metadata_file_type }:dir search;
+')
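Review bot: The `remount` and `remount_exec` type declarations on L930-L931 are unconditional while every rule for them sits inside `userdebug_or_eng`, so on user builds the domain exists but has no permissions and no domain transition from init; that appears intentional but nothing in the file says so. A header comment would make the design explicit, for instance `# Domain for the remount tool (runs clean_scratch_files); all rules are debug-only, so the domain is deliberately inert on user builds.` The `binder_call(remount, gsid)` plus the `gsi_service:service_manager find` grant on L939-L940 is the minimal client set and looks right.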
diff --git a/private/security_classes b/private/security_classes
index 200b030..0d3cc80 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -163,5 +163,8 @@
 # Keystore 2.0 key permissions
 class keystore2_key             # userspace
 
+# Diced permissions
+class diced                     # userspace
+
 class drmservice                # userspace
 # FLASK
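Review bot: The `# Diced permissions` comment on L953 could state that `diced` is a userspace class, i.e. its permission checks are performed by the diced daemon itself (it calls `selinux_check_access`, see public/diced.te in this change) rather than by the kernel, and that the corresponding permission vector must be declared in access_vectors, which is not in this chunk. Suggested wording: `# Diced permissions (userspace class; enforced by diced via selinux_check_access)`.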
diff --git a/private/service_contexts b/private/service_contexts
index c96ee82..032f680 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -14,7 +14,27 @@
 android.hardware.oemlock.IOemLock/default                            u:object_r:hal_oemlock_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0
 android.hardware.power.stats.IPowerStats/default                     u:object_r:hal_power_stats_service:s0
+android.hardware.radio.config.IRadioConfig/default                   u:object_r:hal_radio_config_service:s0
+android.hardware.radio.data.IRadioData/slot1                         u:object_r:hal_radio_data_service:s0
+android.hardware.radio.data.IRadioData/slot2                         u:object_r:hal_radio_data_service:s0
+android.hardware.radio.data.IRadioData/slot3                         u:object_r:hal_radio_data_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1               u:object_r:hal_radio_messaging_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2               u:object_r:hal_radio_messaging_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3               u:object_r:hal_radio_messaging_service:s0
+android.hardware.radio.modem.IRadioModem/slot1                       u:object_r:hal_radio_modem_service:s0
+android.hardware.radio.modem.IRadioModem/slot2                       u:object_r:hal_radio_modem_service:s0
+android.hardware.radio.modem.IRadioModem/slot3                       u:object_r:hal_radio_modem_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1                   u:object_r:hal_radio_network_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2                   u:object_r:hal_radio_network_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3                   u:object_r:hal_radio_network_service:s0
+android.hardware.radio.sim.IRadioSim/slot1                           u:object_r:hal_radio_sim_service:s0
+android.hardware.radio.sim.IRadioSim/slot2                           u:object_r:hal_radio_sim_service:s0
+android.hardware.radio.sim.IRadioSim/slot3                           u:object_r:hal_radio_sim_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1                       u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2                       u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3                       u:object_r:hal_radio_voice_service:s0
 android.hardware.rebootescrow.IRebootEscrow/default                  u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.dice.IDiceDevice/default                   u:object_r:hal_dice_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
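Review bot: The IRadio* entries on L967-L984 enumerate exactly `slot1`, `slot2` and `slot3`; an instance registered for a fourth slot would not match any of these and would presumably fall through to the file's default entry, which is not a vendor_service/protected_service label, so the protection intended for these HALs would silently not apply. A comment above the block would flag this for device maintainers, for example `# Radio AIDL HALs register one instance per SIM slot; devices exposing more than three slots must add entries here.` If the slot count is fixed by the HAL definition this is documentation only.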
@@ -27,6 +47,7 @@
 android.hardware.vibrator.IVibratorManager/default                   u:object_r:hal_vibrator_service:s0
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
 android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
+android.hardware.wifi.supplicant.ISupplicant/default                 u:object_r:hal_wifi_supplicant_service:s0
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
@@ -45,6 +66,8 @@
 android.security.apc                      u:object_r:apc_service:s0
 android.security.authorization            u:object_r:authorization_service:s0
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
+android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
+android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 4c87b3f..5b67b70 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -70,6 +70,12 @@
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
 
+# For release odex/vdex compress blocks
+allowxperm system_server dalvikcache_data_file:file ioctl {
+  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+  FS_IOC_GETFLAGS
+};
+
 # When running system server under --invoke-with, we'll try to load the boot image under the
 # system server domain, following links to the system partition.
 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
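Review bot: The comment `# For release odex/vdex compress blocks` on L1015 is terse enough that a reader cannot tell who issues the ioctls or why `FS_IOC_GETFLAGS` accompanies `F2FS_IOC_RELEASE_COMPRESS_BLOCKS`; something like `# Let system_server release F2FS compressed blocks of odex/vdex files in the dalvik cache; FS_IOC_GETFLAGS is presumably used to check the compression flag first.` would document it. The `allowxperm` appears to rely on the `ioctl` permission that `r_file_perms` on L1013 already grants on dalvikcache_data_file, which is the right layering; the ioctl allowlist is minimal (no FS_IOC_SETFLAGS), which is good.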
@@ -256,6 +262,7 @@
 binder_use(system_server)
 binder_call(system_server, appdomain)
 binder_call(system_server, binderservicedomain)
+binder_call(system_server, composd)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
@@ -712,6 +719,7 @@
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_virtualization_framework_native_prop)
 
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -842,6 +850,7 @@
 allow system_server authorization_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
+allow system_server compos_service:service_manager find;
 allow system_server dataloader_manager_service:service_manager find;
 allow system_server dnsresolver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
@@ -907,6 +916,7 @@
 	clear_uid
 	get_state
 	lock
+	migrate_any_key
 	pull_metrics
 	reset
 	unlock
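Review bot: `migrate_any_key` on L1052 is added to a permission list without any note on which system_server code path needs it, and it is a broad keystore2 permission compared with the neighbouring entries, so a justification comment would help the next reviewer judge whether it can be narrowed later. Something like `migrate_any_key # <service/feature in system_server that migrates keys>` with the placeholder filled in would do. The enclosing `allow system_server ...:keystore2 { ... }` block starts and ends outside the hunk.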
diff --git a/public/attributes b/public/attributes
index ee8a05e..07eecfc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,7 +7,7 @@
 # in tools/checkfc.c
 attribute dev_type;
 
-# Attribute for block devices.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute bdev_type;
 
 # All types used for processes.
@@ -68,7 +68,7 @@
 # All types used for sysfs files.
 attribute sysfs_type;
 
-# Attribute for /sys/class/block files.
+# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute sysfs_block_type;
 
 # All types use for debugfs files.
@@ -333,6 +333,7 @@
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
+hal_attribute(dice);
 hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
@@ -412,3 +413,10 @@
 # Types used for module-specific APEX data directories under
 # /data/{misc,misc_ce,misc_de}/apexdata.
 attribute apex_data_file_type;
+
+# Domains used for charger.
+# This is the common type for domains that executes charger's
+# functionalities, including setting and getting necessary properties,
+# permissions to maintain the health loop, writing to kernel log, handling
+# inputs and drawing screens, etc.
+attribute charger_type;
diff --git a/public/charger.te b/public/charger.te
index 37359e3..418dff9 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -1,40 +1,5 @@
-type charger, domain;
+type charger, charger_type, domain;
 type charger_exec, system_file_type, exec_type, file_type;
 
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
+# The system charger is a client of HIDL health HAL.
 hal_client_domain(charger, hal_health)
diff --git a/public/charger_type.te b/public/charger_type.te
new file mode 100644
index 0000000..4241360
--- /dev/null
+++ b/public/charger_type.te
@@ -0,0 +1,37 @@
+# Write to /dev/kmsg
+allow charger_type kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger_type, rootfs)
+r_dir_file(charger_type, cgroup)
+r_dir_file(charger_type, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger_type sysfs_type:dir r_dir_perms;
+
+allow charger_type self:global_capability_class_set {
+    sys_boot
+    sys_tty_config
+};
+
+wakelock_use(charger_type)
+
+allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger_type sysfs_power:file rw_file_perms;
+
+r_dir_file(charger_type, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger_type pstorefs:dir r_dir_perms;
+allow charger_type pstorefs:file r_file_perms;
+
+allow charger_type graphics_device:dir r_dir_perms;
+allow charger_type graphics_device:chr_file rw_file_perms;
+allow charger_type input_device:dir r_dir_perms;
+allow charger_type input_device:chr_file r_file_perms;
+allow charger_type tty_device:chr_file rw_file_perms;
+allow charger_type proc_sysrq:file rw_file_perms;
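Review bot: Every rule in this file now applies to any domain carrying the `charger_type` attribute, including the `sys_boot` and `sys_tty_config` capabilities on L1161-L1164, read/write on `proc_sysrq` (L1186) and `sysfs_power` (L1171); nothing in this chunk constrains which domains may take the attribute, so a neverallow pinning it to the intended charger domains (if not already present in private policy) would keep these grants from spreading. A header comment would also help, since the file has none: `# Rules shared by all charger_type domains (attribute declared in public/attributes). Any domain given this attribute inherits sys_boot, sysrq and power-state access.`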
diff --git a/public/device.te b/public/device.te
index 1a71a40..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,18 +6,18 @@
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
 type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
 type keychord_device, dev_type;
 type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
+type loop_device, dev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
+type ram_device, dev_type;
 type rtc_device, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type fscklogs, dev_type;
@@ -73,51 +73,51 @@
 type rpmsg_device, dev_type;
 
 # Partition layout block device
-type root_block_device, dev_type, bdev_type;
+type root_block_device, dev_type;
 
 # factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
+type frp_block_device, dev_type;
 
 # System block device mounted on /system.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
+type system_block_device, dev_type;
 
 # Recovery block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
+type recovery_block_device, dev_type;
 
 # boot block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
+type boot_block_device, dev_type;
 
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
+type userdata_block_device, dev_type;
 
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
+type cache_block_device, dev_type;
 
 # Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
+type swap_block_device, dev_type;
 
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
+type metadata_block_device, dev_type;
 
 # The 'misc' partition used by recovery and A/B.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
+type misc_block_device, dev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
+type super_block_device, super_block_device_type, dev_type;
 
 # sdcard devices; normally vold uses the vold_block_device label and creates a
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
+type sdcard_block_device, dev_type;
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;
diff --git a/public/diced.te b/public/diced.te
new file mode 100644
index 0000000..0908936
--- /dev/null
+++ b/public/diced.te
@@ -0,0 +1,11 @@
+type diced, domain;
+type diced_exec, system_file_type, exec_type, file_type;
+
+binder_use(diced)
+binder_service(diced)
+
+add_service(diced, dice_node_service)
+add_service(diced, dice_maintenance_service)
+
+# Check SELinux permissions.
+selinux_check_access(diced)
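Review bot: The file has no header and the comment on L1295 does not say what `selinux_check_access(diced)` is for; given the new `diced` class in security_classes, the daemon appears to enforce that class's permissions on its callers itself, which is worth stating: `# diced enforces the 'diced' userspace class on callers of its services (see security_classes).` Nothing here makes diced a client of the DICE HAL (`hal_dice`, IDiceDevice/default in service_contexts); if it does talk to that HAL, `hal_client_domain(diced, hal_dice)` must live in private/diced.te, which is not in this chunk.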
diff --git a/public/file.te b/public/file.te
index 6e2adde..b8b9899 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,6 +23,7 @@
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;
 type proc_bootconfig, fs_type, proc_type;
+type proc_bpf, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
 type proc_cmdline, fs_type, proc_type;
 type proc_cpu_alignment, fs_type, proc_type;
@@ -89,11 +90,10 @@
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_devfreq_cur, fs_type, sysfs_type;
 type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
+type sysfs_devices_block, fs_type, sysfs_type;
 type sysfs_dm, fs_type, sysfs_type;
 type sysfs_dm_verity, fs_type, sysfs_type;
 type sysfs_dma_heap, fs_type, sysfs_type;
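Review bot: Removing the public type `sysfs_block` on L1313 (rather than just its attribute, as done for `sysfs_devices_block` on L1318) breaks any genfs_contexts or vendor policy that still labels /sys/class/block with it unless a compat mapping is added; neither is visible in this chunk, so please confirm the label is retargeted and the prebuilt/compat files cover it. The shell.te hunk in this change drops the matching `sysfs_block:dir r_dir_perms` grant that the comment there tied to a CTS storage-type check, so that test's expectations should be re-verified as well.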
@@ -566,9 +566,6 @@
 # vendor service_contexts file
 type vendor_service_contexts_file, vendor_file_type, file_type;
 
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
 # hwservice_contexts file
 type hwservice_contexts_file, system_file_type, file_type;
 
diff --git a/public/hal_dice.te b/public/hal_dice.te
new file mode 100644
index 0000000..92222c5
--- /dev/null
+++ b/public/hal_dice.te
@@ -0,0 +1,4 @@
+binder_call(hal_dice_client, hal_dice_server)
+
+hal_attribute_service(hal_dice, hal_dice_service)
+binder_call(hal_dice_server, servicemanager)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..8a1fbe5 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,6 +3,13 @@
 binder_call(hal_telephony_server, hal_telephony_client)
 
 hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+hal_attribute_service(hal_telephony, hal_radio_config_service)
+hal_attribute_service(hal_telephony, hal_radio_data_service)
+hal_attribute_service(hal_telephony, hal_radio_messaging_service)
+hal_attribute_service(hal_telephony, hal_radio_modem_service)
+hal_attribute_service(hal_telephony, hal_radio_network_service)
+hal_attribute_service(hal_telephony, hal_radio_sim_service)
+hal_attribute_service(hal_telephony, hal_radio_voice_service)
 
 allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
 
@@ -42,3 +49,6 @@
 
 # granting the ioctl permission for hal_telephony_server should be device specific
 allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
+
+# Allow AIDL HAL shim to call HIDL HAL implementation
+binder_call(hal_telephony_server, hal_telephony_server)
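Review bot: `binder_call(hal_telephony_server, hal_telephony_server)` on L1366 is expressed on an attribute, so it allows every telephony server domain to binder-call every other one, not only the AIDL shim calling its own HIDL implementation as the comment on L1365 says. If the shim and the implementation run in distinct domains on some devices, a per-domain rule would be tighter; otherwise the comment should state the actual scope, e.g. `# Allow the AIDL HAL shim to call the HIDL HAL implementation (this permits calls between any hal_telephony_server domains).`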
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index f7c444e..b4ff7aa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,6 +3,9 @@
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
 hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
+
+binder_call(hal_wifi_supplicant_server, servicemanager)
 
 # in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 8799134..5c3e4e7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -371,6 +371,7 @@
 
 allow init {
   proc_abi
+  proc_bpf
   proc_cpu_alignment
   proc_dirty
   proc_hostname
diff --git a/public/keystore.te b/public/keystore.te
index b7d5090..9535491 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -43,3 +43,7 @@
 
 # TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
 neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
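Review bot: The trailing `;` after the macro call on L1404 is inconsistent with every other macro invocation in this change (`hal_client_domain(...)`, `set_prop(...)`, `get_prop(...)` elsewhere are written without one); since `get_prop` expands to a complete rule, the semicolon produces an empty statement, which is at best tolerated by the toolchain. Write it as `get_prop(keystore, vendor_security_patch_level_prop)`.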
diff --git a/public/property.te b/public/property.te
index f73a408..c33d8a6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -115,6 +115,7 @@
 
 # Properties which can be written only by vendor_init
 system_vendor_config_prop(apexd_config_prop)
+system_vendor_config_prop(apexd_select_prop)
 system_vendor_config_prop(aaudio_config_prop)
 system_vendor_config_prop(apk_verity_prop)
 system_vendor_config_prop(audio_config_prop)
diff --git a/public/service.te b/public/service.te
index ae2ae1f..dc9b178 100644
--- a/public/service.te
+++ b/public/service.te
@@ -8,6 +8,8 @@
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
+type dice_maintenance_service,  service_manager_type;
+type dice_node_service,         service_manager_type;
 type dnsresolver_service,       service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
@@ -249,6 +251,7 @@
 type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type emergency_affordance_service, system_server_service, service_manager_type;
 type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
+type hal_wifi_supplicant_service, vendor_service, protected_service, service_manager_type;
 
 ###
 ### HAL Services
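Review bot: `type hal_wifi_supplicant_service, ...` on L1434 is declared above the `### HAL Services` header on L1436-L1437, among the system_server service types, which is where the sibling `hal_wifi_hostapd_service` on L1433 already sits; both hal_wifi_* entries would be easier to find in the HAL section alongside the other `hal_*_service` declarations added by this change. Moving the new line there, or moving both, is a style-only change with no policy effect.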
@@ -258,6 +261,7 @@
 type hal_audiocontrol_service, vendor_service, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
 type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
+type hal_dice_service, vendor_service, protected_service, service_manager_type;
 type hal_face_service, vendor_service, protected_service, service_manager_type;
 type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
 type hal_gnss_service, vendor_service, protected_service, service_manager_type;
@@ -272,6 +276,13 @@
 type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
 type hal_power_service, vendor_service, protected_service, service_manager_type;
 type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
 type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
 type hal_sensors_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 63fc227..12004da 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -22,7 +22,7 @@
 allow servicemanager vendor_service_contexts_file:file r_file_perms;
 
 # nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
 
 add_service(servicemanager, service_manager_service)
 allow servicemanager dumpstate:fd use;
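Review bot: After the replacement on L1469, the `not_full_treble(...)` line grants exactly the same `vendor_service_contexts_file:file r_file_perms` that the unconditional allow on L1465 already grants, so it is now dead weight, and the comment on L1467 still refers to nonplat_service_contexts even though that type is removed in public/file.te in this change. Either drop L1467-L1469 entirely or rewrite the comment to explain why a conditional duplicate is kept.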
@@ -30,3 +30,8 @@
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
+
+# In recovery, log to kmsg.
+recovery_only(`
+  allow servicemanager kmsg_device:chr_file rw_file_perms;
+')
diff --git a/public/shell.te b/public/shell.te
index 5fd9079..7751d63 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -157,9 +157,6 @@
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;
 
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a2587e1..35c2d95 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -70,10 +70,12 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service  u:object_r:hal_radio_config_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service    u:object_r:hal_radio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service    u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio-service\.compat       u:object_r:hal_radio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default    u:object_r:hal_rebootescrow_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)?  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
new file mode 100644
index 0000000..832e717
--- /dev/null
+++ b/vendor/hal_dice_default.te
@@ -0,0 +1,5 @@
+type hal_dice_default, domain;
+hal_server_domain(hal_dice_default, hal_dice)
+
+type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dice_default)