Merge "Allow camera HAL to read EGL vendor properties"
diff --git a/apex/Android.bp b/apex/Android.bp
index c4080ca..403eafa 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -92,13 +92,6 @@
}
filegroup {
- name: "com.android.cronet-file_contexts",
- srcs: [
- "com.android.cronet-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.federatedcompute-file_contexts",
srcs: [
"com.android.federatedcompute-file_contexts",
diff --git a/apex/com.android.cronet-file_contexts b/apex/com.android.cronet-file_contexts
deleted file mode 100644
index f6b21da..0000000
--- a/apex/com.android.cronet-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/private/domain.te b/private/domain.te
index 4ad7298..b858d4e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -223,8 +223,18 @@
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+neverallow {
+ domain
+ -init
+ -system_server
+ userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+ userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
@@ -744,4 +754,4 @@
neverallow { domain -init } mtectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
-neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
\ No newline at end of file
+neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index fe442b3..850b0d8 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -27,6 +27,12 @@
allow dumpstate wm_trace_data_file:file r_file_perms;
')
+# /data/system/dropbox for dropbox entries
+userdebug_or_eng(`
+ allow dumpstate dropbox_data_file:dir r_dir_perms;
+ allow dumpstate dropbox_data_file:file r_file_perms;
+')
+
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 8795798..cd05a65 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -149,6 +149,9 @@
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
+# Allow GMSCore to read RKP properties for the purpose of GTS testing.
+get_prop(gmscore_app, remote_prov_prop)
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 536261f..bde6195 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -20,11 +20,18 @@
allow isolated_compute_app content_capture_service:service_manager find;
allow isolated_compute_app device_state_service:service_manager find;
allow isolated_compute_app speech_recognition_service:service_manager find;
+allow isolated_compute_app mediaserver_service:service_manager find;
# Enable access to hardware services for camera functionalilites
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
#####
##### Neverallow
#####
diff --git a/private/property_contexts b/private/property_contexts
index 902d51e..fdc6f89 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -584,6 +584,9 @@
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
+persist.nfc.vendor_debug_enabled u:object_r:nfc_prop:s0 exact bool
+persist.nfc.snoop_log_mode u:object_r:nfc_prop:s0 exact enum full filtered
+nfc.dta.skip_ndef_read u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 878d50e..24e58bf 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -173,7 +173,9 @@
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 069bb10..27ea187 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -14,11 +14,11 @@
; Apps, except isolated apps, are clients of OMX-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Codec2-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 444cfda..29abe4f 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-binder_call(hal_fingerprint_server, servicemanager)
+binder_use(hal_fingerprint_server)
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/su.te b/public/su.te
index 3473e74..bcdc322 100644
--- a/public/su.te
+++ b/public/su.te
@@ -31,7 +31,7 @@
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type fusefs_type}:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;