Merge "Add SELinux policy for using userfaultfd"
diff --git a/Android.bp b/Android.bp
index 8fa57ca..aca6e40 100644
--- a/Android.bp
+++ b/Android.bp
@@ -735,3 +735,30 @@
     relative_install_path: "selinux",
     installable: false,
 }
+
+se_build_files {
+    name: "se_build_files",
+    srcs: [
+        "security_classes",
+        "initial_sids",
+        "access_vectors",
+        "global_macros",
+        "neverallow_macros",
+        "mls_macros",
+        "mls_decl",
+        "mls",
+        "policy_capabilities",
+        "te_macros",
+        "attributes",
+        "ioctl_defines",
+        "ioctl_macros",
+        "*.te",
+        "roles_decl",
+        "roles",
+        "users",
+        "initial_sid_contexts",
+        "fs_use",
+        "genfs_contexts",
+        "port_contexts",
+    ],
+}
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index 2d59dda..551a12c 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1,2 +1,3 @@
-(/.*)?                u:object_r:system_file:s0
-/bin/derive_sdk       u:object_r:derive_sdk_exec:s0
+(/.*)?                       u:object_r:system_file:s0
+/bin/derive_classpath        u:object_r:derive_classpath_exec:s0
+/bin/derive_sdk              u:object_r:derive_sdk_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 5f951ce..54173e0 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,6 +31,7 @@
         "soong-sysprop",
     ],
     srcs: [
+        "build_files.go",
         "cil_compat_map.go",
         "filegroup.go",
         "selinux.go",
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
new file mode 100644
index 0000000..1704366
--- /dev/null
+++ b/build/soong/build_files.go
@@ -0,0 +1,191 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"fmt"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"android/soong/android"
+)
+
+func init() {
+	android.RegisterModuleType("se_build_files", buildFilesFactory)
+}
+
+// se_build_files gathers policy files from sepolicy dirs, and acts like a filegroup. A tag with
+// partition(plat, system_ext, product) and scope(public, private) is used to select directories.
+// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product",
+// "product_public", and "reqd_mask".
+func buildFilesFactory() android.Module {
+	module := &buildFiles{}
+	module.AddProperties(&module.properties)
+	android.InitAndroidModule(module)
+	return module
+}
+
+type buildFilesProperties struct {
+	// list of source file suffixes used to collect selinux policy files.
+	// Source files will be looked up in the following local directories:
+	// system/sepolicy/{public, private, vendor, reqd_mask}
+	// and directories specified by following config variables:
+	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
+	// BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+	Srcs []string
+}
+
+type buildFiles struct {
+	android.ModuleBase
+	properties buildFilesProperties
+
+	srcs map[string]android.Paths
+}
+
+func (b *buildFiles) findSrcsInDirs(ctx android.ModuleContext, dirs ...string) android.Paths {
+	result := android.Paths{}
+	for _, file := range b.properties.Srcs {
+		for _, dir := range dirs {
+			path := filepath.Join(dir, file)
+			files, err := ctx.GlobWithDeps(path, nil)
+			if err != nil {
+				ctx.ModuleErrorf("glob: %s", err.Error())
+			}
+			for _, f := range files {
+				result = append(result, android.PathForSource(ctx, f))
+			}
+		}
+	}
+	return result
+}
+
+func (b *buildFiles) DepsMutator(ctx android.BottomUpMutatorContext) {
+	// do nothing
+}
+
+func (b *buildFiles) OutputFiles(tag string) (android.Paths, error) {
+	if paths, ok := b.srcs[tag]; ok {
+		return paths, nil
+	}
+
+	return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedStringKeys(b.srcs), " "))
+}
+
+var _ android.OutputFileProducer = (*buildFiles)(nil)
+
+type partition int
+
+const (
+	system partition = iota
+	system_ext
+	product
+)
+
+type scope int
+
+const (
+	public scope = iota
+	private
+)
+
+type sepolicyDir struct {
+	partition partition
+	scope     scope
+	paths     []string
+}
+
+func (p partition) String() string {
+	switch p {
+	case system:
+		return "plat"
+	case system_ext:
+		return "system_ext"
+	case product:
+		return "product"
+	default:
+		panic(fmt.Sprintf("Unknown partition %#v", p))
+	}
+}
+
+func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	// Sepolicy directories should be included in the following order.
+	//   - system_public
+	//   - system_private
+	//   - system_ext_public
+	//   - system_ext_private
+	//   - product_public
+	//   - product_private
+	dirs := []sepolicyDir{
+		sepolicyDir{partition: system, scope: public, paths: []string{filepath.Join(ctx.ModuleDir(), "public")}},
+		sepolicyDir{partition: system, scope: private, paths: []string{filepath.Join(ctx.ModuleDir(), "private")}},
+		sepolicyDir{partition: system_ext, scope: public, paths: ctx.DeviceConfig().SystemExtPublicSepolicyDirs()},
+		sepolicyDir{partition: system_ext, scope: private, paths: ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()},
+		sepolicyDir{partition: product, scope: public, paths: ctx.Config().ProductPublicSepolicyDirs()},
+		sepolicyDir{partition: product, scope: private, paths: ctx.Config().ProductPrivateSepolicyDirs()},
+	}
+
+	if !sort.SliceIsSorted(dirs, func(i, j int) bool {
+		if dirs[i].partition != dirs[j].partition {
+			return dirs[i].partition < dirs[j].partition
+		}
+
+		return dirs[i].scope < dirs[j].scope
+	}) {
+		panic("dirs is not sorted")
+	}
+
+	// Exported cil policy files are built with the following policies.
+	//
+	//   - plat_pub_policy.cil: exported 'system'
+	//   - system_ext_pub_policy.cil: exported 'system' and 'system_ext'
+	//   - pub_policy.cil: exported 'system', 'system_ext', and 'product'
+	//
+	// cil policy files are built with the following policies.
+	//
+	//   - plat_policy.cil: 'system', including private
+	//   - system_ext_policy.cil: 'system_ext', including private
+	//   - product_sepolicy.cil: 'product', including private
+	//
+	// gatherDirsFor collects all needed directories for given partition and scope. For example,
+	//
+	//   - gatherDirsFor(system_ext, private) will return system + system_ext (including private)
+	//   - gatherDirsFor(product, public) will return system + system_ext + product (public only)
+	//
+	// "dirs" should be sorted before calling this.
+	gatherDirsFor := func(p partition, s scope) []string {
+		var ret []string
+
+		for _, d := range dirs {
+			if d.partition <= p && d.scope <= s {
+				ret = append(ret, d.paths...)
+			}
+		}
+
+		return ret
+	}
+
+	reqdMaskDir := filepath.Join(ctx.ModuleDir(), "reqd_mask")
+
+	b.srcs = make(map[string]android.Paths)
+	b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, reqdMaskDir)
+
+	for _, p := range []partition{system, system_ext, product} {
+		b.srcs["."+p.String()] = b.findSrcsInDirs(ctx, gatherDirsFor(p, private)...)
+
+		// reqd_mask is needed for public policies
+		b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
+	}
+}
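Review bot: The doc comment above buildFilesFactory lists the supported tags as plat, plat_public, … reqd_mask, but the keys written in GenerateAndroidBuildActions carry a leading dot (`".reqd_mask"`, `"."+p.String()`, `"."+p.String()+"_public"`), so a reader following the comment would hit the `unknown tag` error from OutputFiles; align the comment with the keys, e.g. `// Supported tags are: ".plat", ".plat_public", ".system_ext", ".system_ext_public", ".product", ".product_public", and ".reqd_mask".` The Srcs property comment likewise names a `vendor` directory and BOARD_SEPOLICY_DIRS / BOARD_ODM_SEPOLICY_DIRS, yet the only directories the visible code consults are ModuleDir()/{public,private,reqd_mask} plus the SystemExt*/Product* sepolicy dirs taken from the config, so either trim the comment to what is actually collected or mark vendor/odm collection as not yet implemented. In findSrcsInDirs a glob error is reported through ModuleErrorf and the loop then still ranges over `files`; a `continue` after the error would make the intent explicit rather than relying on the result being empty. Minor style: the constant `system_ext` uses an underscore where Go convention is MixedCaps (`systemExt`).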
diff --git a/private/access_vectors b/private/access_vectors
index 7e5e7a5..c1c0359 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -721,6 +721,7 @@
 	change_user
 	clear_ns
 	clear_uid
+	get_auth_token
 	get_state
 	list
 	lock
diff --git a/private/apexd.te b/private/apexd.te
index a2a77ab..44e38b6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,6 +13,10 @@
 allow apexd apex_metadata_file:dir create_dir_perms;
 allow apexd apex_metadata_file:file create_file_perms;
 
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow apexd apex_ota_reserved_file:dir create_dir_perms;
+allow apexd apex_ota_reserved_file:file create_file_perms;
+
 # Allow apexd to create files and directories for snapshots of apex data
 allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_art_data_file:file { create_file_perms relabelto };
@@ -158,6 +162,9 @@
 # apexd uses it to decide whether it needs to keep retrying polling for loop device.
 get_prop(apexd, cold_boot_done_prop)
 
+# Allow apexd to read per-device configuration properties.
+get_prop(apexd, apexd_config_prop)
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/charger.te b/private/charger.te
index 693fd3a..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@
 
 compatible_property_only(`
     neverallow {
+        domain
         -init
         -dumpstate
         -charger
@@ -22,6 +23,7 @@
 ')
 
 neverallow {
+    domain
     -init
     -dumpstate
     -vendor_init
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 835f901..e4e7f7e 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -13,6 +13,7 @@
     apex_info_file
     apex_ota_reserved_file
     apex_scheduling_data_file
+    apexd_config_prop
     app_hibernation_service
     appcompat_data_file
     arm64_memtag_prop
@@ -58,6 +59,7 @@
     hal_sharedsecret_service
     hal_weaver_service
     keystore_compat_hal_service
+    keystore_maintenance_service
     keystore2_key_contexts_file
     legacy_permission_service
     location_time_zone_manager_service
@@ -74,6 +76,7 @@
     odsign
     odsign_data_file
     odsign_exec
+    pac_proxy_service
     people_service
     persist_vendor_debug_wifi_prop
     power_debug_prop
@@ -110,7 +113,6 @@
     transformer_service
     update_engine_stable_service
     userdata_sysdev
-    usermanager_service
     userspace_reboot_metadata_file
     vcn_management_service
     vibrator_manager_service
diff --git a/private/coredomain.te b/private/coredomain.te
index de9b953..9fe82d3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,7 @@
 get_prop(coredomain, localization_prop)
 get_prop(coredomain, pm_prop)
 get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
 get_prop(coredomain, setupwizard_prop)
 get_prop(coredomain, sqlite_log_prop)
 get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/credstore.te b/private/credstore.te
index 8d87e2f..a1c3263 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -4,3 +4,6 @@
 
 # talk to Identity Credential
 hal_client_domain(credstore, hal_identity)
+
+# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
+get_prop(credstore, keystore2_enable_prop)
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
new file mode 100644
index 0000000..15f1973
--- /dev/null
+++ b/private/derive_classpath.te
@@ -0,0 +1,9 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
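Review bot: derive_classpath is granted write access to the newly introduced environ_system_data_file, but nothing here asserts that other domains cannot write it, so the writer set is only implied by the absence of other allow rules. Since the type is new in this change, a neverallow in the style apexd.te already uses for apex_data_file, `neverallow { domain -derive_classpath -init } environ_system_data_file:dir no_w_dir_perms;` with the matching `:file no_w_file_perms` rule, would pin the intended writers; confirm first which domains legitimately need to create or modify /data/system/environ before adding it. The file also opens with an empty first line that can be dropped.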
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 47ff77f..697ec1f 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -19,6 +19,7 @@
 
 # Acquire advisory lock on /system/framework/arm/*
 allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
 
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
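Review bot: The added `allow dex2oat postinstall_file:file lock;` sits under the comment `# Acquire advisory lock on /system/framework/arm/*`, which now under-describes the block; extend it so the second rule is explained, e.g. `# Acquire advisory lock on /system/framework/arm/* and on files under /postinstall (postinstall_file)`. If the lock on postinstall_file is only needed during OTA dexopt, saying so in the comment lets a later reader judge whether the rule can be retired.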
diff --git a/private/file.te b/private/file.te
index 4b0f48a..984a7b6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -33,6 +33,9 @@
 # /data/gsi/ota
 type ota_image_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/gsi_persistent_data
+type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/emergencynumberdb
 type emergency_data_file, file_type, data_file_type, core_data_file_type;
 
@@ -50,3 +53,6 @@
 
 # /data/misc/odsign
 type odsign_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/system/environ
+type environ_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 35b93a1..1347797 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -361,7 +361,6 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
 /system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
@@ -505,6 +504,7 @@
 #
 /data		u:object_r:system_data_root_file:s0
 /data/(.*)?		u:object_r:system_data_file:s0
+/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
 /data/system/packages\.list u:object_r:packages_list_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
@@ -533,6 +533,7 @@
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/gsi(/.*)?        u:object_r:gsi_data_file:s0
+/data/gsi_persistent_data    u:object_r:gsi_persistent_data_file:s0
 /data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
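Review bot: The new `/data/gsi_persistent_data` entry has no `(/.*)?` suffix, unlike the neighbouring `/data/gsi(/.*)?` and `/data/gsi/ota(/.*)?` entries, so if this path is a directory its contents would keep the generic `/data/(.*)?` label system_data_file instead of gsi_persistent_data_file. If it is meant to be a single file the entry is fine; otherwise it should read `/data/gsi_persistent_data(/.*)?    u:object_r:gsi_persistent_data_file:s0`. The file.te comment `# /data/gsi_persistent_data` does not say which it is, so a word there ("file" or "directory") would remove the ambiguity.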
diff --git a/private/incidentd.te b/private/incidentd.te
index eda55e3..70e1187 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -53,6 +53,9 @@
 allow incidentd perfetto_traces_data_file:dir r_dir_perms;
 allow incidentd perfetto_traces_data_file:file r_file_perms;
 
+# section id 3052, allow accessing nfc_service
+allow incidentd nfc_service:service_manager find;
+
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/init.te b/private/init.te
index 4e8289a..c652603 100644
--- a/private/init.te
+++ b/private/init.te
@@ -70,19 +70,19 @@
 
 # Only init can write vts.native_server.on
 set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
 
 # Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
 
 # Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
 
 # Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
 
 # Only init can set keystore.boot_level
-neverallow { -init } keystore_listen_prop:property_service set;
+neverallow { domain -init } keystore_listen_prop:property_service set;
 
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 9612b90..5695cc3 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -20,3 +20,6 @@
 # namespace in keystore.
 102            u:object_r:wifi_key:s0
 
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120            u:object_r:resume_on_reboot_key:s0
+
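Review bot: The hunk appends an empty line at end of file after the new `120 u:object_r:resume_on_reboot_key:s0` entry, and the keystore_keys.te hunk does the same after the resume_on_reboot_key type; both trailing blank lines can be dropped so the files end with a single newline like the entries above them.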
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 990bc29..8d33d5d 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -13,3 +13,7 @@
 
 # A keystore2 namespace for the on-device signing daemon.
 type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 3e08e42..84fde67 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,4 @@
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
-neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
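Review bot: Exempting otapreopt_chroot from this neverallow, together with `allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;` in otapreopt_chroot.te, means linkerconfig code executes inside the otapreopt_chroot domain with all of that domain's privileges (loop-device ioctls including the new LOOP_CONFIGURE, mounton, and the linkerconfig_file create/relabelto rules added in the same diff), because no domain transition is declared for linkerconfig_exec. otapreopt_chroot.te already uses `domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)` to run the OTA image's dexopt in its own sandbox; if linkerconfig can work under a dedicated domain inside the chroot, a corresponding transition would keep that privilege split and this neverallow exemption could then be dropped. If running it in-domain is intentional, the comment `# allow otapreopt_chroot to run the linkerconfig from the new image.` should state that and why a transition is not used.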
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbde..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,4 @@
 # Set lmkd.* properties.
 set_prop(lmkd, lmkd_prop)
 
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/mediametrics.te b/private/mediametrics.te
index f8b2fa5..5a6f2e1 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,8 @@
 typeattribute mediametrics coredomain;
 
 init_daemon_domain(mediametrics)
+
+# Needed for stats callback registration to statsd.
+allow mediametrics stats_service:service_manager find;
+allow mediametrics statsmanager_service:service_manager find;
+binder_call(mediametrics, statsd)
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 9991725..978ae2a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,6 @@
 # MtpServer sets sys.usb.ffs.mtp.ready
 get_prop(mediaprovider, ffs_config_prop)
 set_prop(mediaprovider, ffs_control_prop)
+
+# DownloadManager may retrieve DRM status
+get_prop(mediaprovider, drm_service_config_prop)
diff --git a/private/network_stack.te b/private/network_stack.te
index 9598fa5..6fa3055 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -49,10 +49,9 @@
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
 # Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# TODO: remove netd once netd/tethering mainline module split is complete
 # Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
 
-neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
deleted file mode 100644
index ef1fd4f..0000000
--- a/private/notify_traceur.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type notify_traceur, domain, coredomain;
-type notify_traceur_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(notify_traceur);
-binder_use(notify_traceur);
-
-# This is to execute am
-allow notify_traceur activity_service:service_manager find;
-allow notify_traceur shell_exec:file rx_file_perms;
-allow notify_traceur system_file:file rx_file_perms;
-
-binder_call(notify_traceur, system_server);
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 37149ab..529dba3 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -37,11 +37,16 @@
 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
 
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+
 # Allow otapreopt_chroot to create loop devices with /dev/loop-control.
 allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
 # Allow otapreopt_chroot to access loop devices.
 allow otapreopt_chroot loop_device:blk_file rw_file_perms;
 allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+  LOOP_CONFIGURE
   LOOP_GET_STATUS64
   LOOP_SET_STATUS64
   LOOP_SET_FD
@@ -63,6 +68,7 @@
 
 # Allow otapreopt_chroot to manipulate directory /postinstall/apex.
 allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
 allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
 
@@ -77,3 +83,6 @@
 # This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
 # TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
 get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 875ef5b..baccf88 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -1,5 +1,5 @@
 # profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain;
+type profcollectd, domain, coredomain, mlstrustedsubject;
 type profcollectd_exec, system_file_type, exec_type, file_type;
 
 userdebug_or_eng(`
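Review bot: `mlstrustedsubject` is added to the profcollectd type line without a comment explaining which MLS-constrained access needs it; the attribute exempts the domain from the MLS constraints that separate per-user data, which is a broader grant than the one-word change suggests. A comment above the type line naming the access path, e.g. `# mlstrustedsubject: <reason for crossing user boundaries> (<bug id>)` with the placeholders filled in, would let a later reader verify the attribute is still required.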
diff --git a/private/property.te b/private/property.te
index 34c0fd8..d9cc93c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -19,8 +19,11 @@
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(localization_prop)
 system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
 system_internal_prop(netd_stable_secret_prop)
 system_internal_prop(pm_prop)
+system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(suspend_prop)
@@ -316,6 +319,7 @@
 ')
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } {
@@ -324,6 +328,7 @@
 }:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -system_server
 } {
@@ -332,6 +337,7 @@
 
 neverallow {
   # Only allow init and system_server to set system_adbd_prop
+  domain
   -init
   -system_server
 } {
@@ -340,6 +346,7 @@
 
 # Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
 neverallow {
+  domain
   -init
   -vendor_init
   -adbd
@@ -350,6 +357,7 @@
 
 neverallow {
   # Only allow init and adbd to set adbd_prop
+  domain
   -init
   -adbd
 } {
@@ -358,6 +366,7 @@
 
 neverallow {
   # Only allow init and shell to set userspace_reboot_test_prop
+  domain
   -init
   -shell
 } {
@@ -365,6 +374,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
   -vendor_init
@@ -373,6 +383,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
 } {
   libc_debug_prop
@@ -381,6 +392,7 @@
 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
 neverallow {
+  domain
   -init
   -shell
 } {
@@ -388,18 +400,21 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
   -vendor_init
 } zram_control_prop:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
   -vendor_init
 } dalvik_runtime_prop:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } {
@@ -408,6 +423,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
 } {
@@ -416,6 +432,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } {
@@ -424,6 +441,7 @@
 }:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } {
   init_service_status_private_prop
@@ -431,6 +449,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -radio
   -appdomain
@@ -439,6 +458,7 @@
 } telephony_status_prop:property_service set;
 
 neverallow {
+  domain
   -init
   -vendor_init
 } {
@@ -446,6 +466,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -surfaceflinger
 } {
@@ -453,23 +474,27 @@
 }:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -appdomain
   -vendor_init
 } packagemanager_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } keyguard_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } {
   localization_prop
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
@@ -477,11 +502,13 @@
 } oem_unlock_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } storagemanager_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
@@ -489,6 +516,7 @@
 } sendbug_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
@@ -496,6 +524,7 @@
 } camera_calibration_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -dumpstate
   -hal_dumpstate_server
@@ -503,6 +532,7 @@
 } hal_dumpstate_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   userdebug_or_eng(`-traced_probes')
   userdebug_or_eng(`-traced_perf')
@@ -512,47 +542,75 @@
 
 # TODO Remove this property when Keystore 2.0 migration is complete b/171563717
 neverallow {
+  domain
   -init
   -dumpstate
   -system_app
   -system_server
   -zygote
+  -credstore
 } keystore2_enable_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } zygote_wrap_prop:property_service set;
 
 neverallow {
+  domain
   -init
 } verity_status_prop:property_service set;
 
 neverallow {
+  domain
   -init
 } setupwizard_prop:property_service set;
 
 # ro.product.property_source_order is useless after initialization of ro.product.* props.
 # So making it accessible only from init and vendor_init.
 neverallow {
+  domain
   -init
   -dumpstate
   -vendor_init
 } build_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -shell
 } sqlite_log_prop:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -appdomain
 } sqlite_log_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } default_prop:property_service set;
 
 # Only one of system_property_type and vendor_property_type can be assigned.
 # Property types having both attributes won't be accessible from anywhere.
 neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+  # Only allow init and shell to set rollback_test_prop
+  domain
+  -init
+  -shell
+} rollback_test_prop:property_service set;
+
+# Only init and vendor_init are allowed to set apexd_config_prop
+neverallow { domain -init -vendor_init } apexd_config_prop:property_service set;
+
+# apexd_config properties should only be read by apexd, and dumpstate (to appear in bugreports).
+neverallow {
+  domain
+  -apexd
+  -init
+  -dumpstate
+  -vendor_init
+} apexd_config_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 22e0ff6..4120b51 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -244,6 +244,8 @@
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
+apexd.config.dm_delete.timeout           u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
 persist.apexd.          u:object_r:apexd_prop:s0
 
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
@@ -279,6 +281,10 @@
 com.android.sdkext.                  u:object_r:module_sdkextensions_prop:s0
 persist.com.android.sdkext.          u:object_r:module_sdkextensions_prop:s0
 
+# Connectivity module
+net.464xlat.cellular.enabled         u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
+net.tcp_def_init_rwnd                u:object_r:net_connectivity_prop:s0 exact int
+
 # Userspace reboot properties
 sys.userspace_reboot.log.         u:object_r:userspace_reboot_log_prop:s0
 persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
@@ -467,6 +473,7 @@
 external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
 
 ro.config.per_app_memcg         u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.critical                 u:object_r:lmkd_config_prop:s0 exact int
@@ -745,6 +752,7 @@
 ro.odm.build.date.utc            u:object_r:build_odm_prop:s0 exact int
 ro.odm.build.fingerprint         u:object_r:build_odm_prop:s0 exact string
 ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.media_performance_class   u:object_r:build_odm_prop:s0 exact int
 
 ro.product.odm.brand        u:object_r:build_odm_prop:s0 exact string
 ro.product.odm.device       u:object_r:build_odm_prop:s0 exact string
@@ -1122,3 +1130,7 @@
 # SOC related props
 ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
 ro.soc.model        u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index e877981..d536622 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,7 +4,11 @@
 app_domain(remote_prov_app)
 net_domain(remote_prov_app)
 
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
 allow remote_prov_app {
     activity_service
     remoteprovisioning_service
+    tethering_service
 }:service_manager find;
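Review bot: `tethering_service` is added to the service_manager find set without a comment, while the vendor_security_patch_level_prop grant just above it explains its purpose with `# The app needs access to properly build a DeviceInfo package for the verifying server`. Why a remote provisioning app needs to find the tethering service is not self-evident, so a line such as `# tethering_service: <reason>` above the allow block would help; if the need is not confirmed, the entry should be dropped rather than carried speculatively.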
diff --git a/private/service_contexts b/private/service_contexts
index f522323..1965d65 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -35,8 +35,8 @@
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.security.maintenance              u:object_r:keystore_maintenance_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
-android.security.usermanager              u:object_r:usermanager_service:s0
 android.security.vpnprofilestore          u:object_r:vpnprofilestore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.keystore2                  u:object_r:keystore_service:s0
@@ -190,6 +190,7 @@
 oem_lock                                  u:object_r:oem_lock_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
 overlay                                   u:object_r:overlay_service:s0
+pac_proxy                                 u:object_r:pac_proxy_service:s0
 package                                   u:object_r:package_service:s0
 package_native                            u:object_r:package_native_service:s0
 people                                    u:object_r:people_service:s0
diff --git a/private/shell.te b/private/shell.te
index 94a2c2e..a99ada8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -94,6 +94,9 @@
 # userspace reboot
 set_prop(shell, userspace_reboot_test_prop)
 
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
 # Allow shell to get encryption policy of /data/local/tmp/, for CTS
 allowxperm shell shell_data_file:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
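Review bot: `set_prop(shell, rollback_test_prop)` is unconditional, so the adb shell on any build, user builds included, can write `persist.rollback.is_test`, and because the property is `persist.`-prefixed the test-only behaviour it selects (per property_contexts, disabling the fallback-to-copy path when enabling rollbacks) survives reboot. If the consuming code does not itself ignore the property on user builds, wrapping this line in the `userdebug_or_eng()` macro as was done for other debug-only grants would keep a stray or malicious setprop from leaving a device in a state where rollback enablement fails. If the tests genuinely have to run on user builds, say so in the comment and confirm that the reading side treats the property as best-effort.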
diff --git a/private/stats.te b/private/stats.te
index 3e8a3d5..9b9d4ba 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,7 @@
   -gmscore_app
   -gpuservice
   -incidentd
+  -mediametrics
   -platform_app
   -priv_app
   -shell
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 640306f..a32f89c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -109,6 +109,7 @@
 allow surfaceflinger system_server:fd use;
 allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
 
 # pdx IPC
 pdx_server(surfaceflinger, display_client)
diff --git a/private/system_server.te b/private/system_server.te
index 9ef8363..bfb7fef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -242,7 +242,6 @@
 binder_call(system_server, incidentd)
 binder_call(system_server, iorapd)
 binder_call(system_server, netd)
-binder_call(system_server, notify_traceur)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
@@ -638,6 +637,7 @@
 set_prop(system_server, safemode_prop)
 set_prop(system_server, theme_prop)
 set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
 set_prop(system_server, net_radio_prop)
 set_prop(system_server, net_dns_prop)
 set_prop(system_server, usb_control_prop)
@@ -736,6 +736,9 @@
 # Read ro.control_privapp_permissions and ro.cp_system_other_odex
 get_prop(system_server, packagemanager_config_prop)
 
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -819,6 +822,7 @@
 allow system_server incremental_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
@@ -832,7 +836,6 @@
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
-allow system_server usermanager_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 userdebug_or_eng(`
@@ -893,6 +896,15 @@
 	use
 };
 
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+	delete
+	get_info
+	rebind
+	update
+	use
+};
+
 # Allow system server to search and write to the persistent factory reset
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
@@ -1255,6 +1267,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server gsi_persistent_data_file:dir rw_dir_perms;
+allow system_server gsi_persistent_data_file:file create_file_perms;
+
 # Allow system server r access to /system/bin/surfaceflinger for PinnerService.
 allow system_server surfaceflinger_exec:file r_file_perms;
 
@@ -1318,6 +1333,7 @@
 neverallow { domain -init -system_server } boot_status_prop:property_service set;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@
 get_prop(tombstoned, tombstone_config_prop)
 
 neverallow {
+    domain
     -init
     -vendor_init
     -dumpstate
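Review bot: Adding `domain` as the positive member of the neverallow source set is the part worth documenting: a type set made only of negated types appears to expand to nothing under checkpolicy, which would mean the rule enforced nothing before this change. A one-line comment above the rule, `# 'domain' must remain the positive member; a set of only negated types is empty and the neverallow becomes a no-op`, would stop a later cleanup from dropping it again. The neverallow statement continues past the end of the hunk, so the target and permission being guarded are not visible here.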
diff --git a/private/zygote.te b/private/zygote.te
index 18babe0..e78e070 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -199,9 +199,11 @@
 # undesirable, so suppress the denial.
 dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 
-# Ignore spurious denials calling access() on fuse
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
 # TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir setattr;
+dontaudit zygote media_rw_data_file:dir  { read open setattr };
 
 # Allow zygote to use ashmem fds from system_server.
 allow zygote system_server:fd use;
diff --git a/public/app.te b/public/app.te
index 67a996a..af19d10 100644
--- a/public/app.te
+++ b/public/app.te
@@ -298,6 +298,9 @@
 allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
 
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+
 use_keystore({ appdomain -isolated_app -ephemeral_app })
 
 use_credstore({ appdomain -isolated_app -ephemeral_app })
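Review bot: The new `keystore_maintenance_service:service_manager find` line opens the maintenance interface, which elsewhere in this change is the renamed usermanager service that only system_server could previously find, to every non-isolated, non-ephemeral app; the `keystore:keystore2 get_state` line beside it suggests only a state query is intended. Make that scope explicit with a comment such as `# Apps may find the maintenance service only to query keystore state; the other maintenance operations stay gated by keystore2 permissions that appdomain does not hold`, so that any future widening of appdomain's keystore2 permissions is recognised as exposing user-management operations to apps. As written the reason for granting find to apps at all has to be inferred from the adjacent line.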
diff --git a/public/bootanim.te b/public/bootanim.te
index acef6da..88fe173 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@
 
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
 allow bootanim hal_graphics_allocator:fd use;
 
 # Fences
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 365af78..7a29240 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
 
 # Talk with graphics composer fences
 allow cameraserver hal_graphics_composer:fd use;
diff --git a/public/credstore.te b/public/credstore.te
index a2376d2..97d942d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -12,6 +12,8 @@
 add_service(credstore, credstore_service)
 allow credstore sec_key_att_app_id_provider_service:service_manager find;
 allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
 
 r_dir_file(credstore, cgroup)
 r_dir_file(credstore, cgroup_v2)
diff --git a/public/domain.te b/public/domain.te
index 3666fbc..02df9a3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -677,6 +677,7 @@
     -cameraserver_service
     -drmserver_service
     -credstore_service
+    -keystore_maintenance_service
     -keystore_service
     -mediadrmserver_service
     -mediaextractor_service
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fb3e953..9614545 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -98,6 +98,8 @@
     }:{ file lnk_file } unlink;
     allow fastbootd tmpfs:dir rw_dir_perms;
     allow fastbootd labeledfs:filesystem { mount unmount };
+    # Fetch vendor_boot partition
+    allow fastbootd boot_block_device:blk_file r_file_perms;
   ')
 
   # Allow using libfiemap/gsid directly (no binder in recovery).
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4..45fad56 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,6 +9,8 @@
 allow hal_camera video_device:chr_file rw_file_perms;
 allow hal_camera camera_device:chr_file rw_file_perms;
 allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147..3ec6b96 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
 
 # allow to run with real-time scheduling policy
 allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a130..1c69c99 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
 allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_graphics_composer hal_graphics_allocator:fd use;
 
 # Access /dev/graphics/fb0.
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index f458db6..4076eff 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -6,3 +6,4 @@
 hal_attribute_service(hal_power_stats, hal_power_stats_service)
 
 binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/public/kernel.te b/public/kernel.te
index 35018e9..9aa40cc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,12 @@
 
 # Root fs.
 r_dir_file(kernel, rootfs)
-allow kernel proc_cmdline:file r_file_perms;
+
+# Used to read androidboot.selinux property
+allow kernel {
+  proc_bootconfig
+  proc_cmdline
+}:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/keystore.te b/public/keystore.te
index ae7ed91..7a6074b 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,7 +19,7 @@
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
-add_service(keystore, usermanager_service)
+add_service(keystore, keystore_maintenance_service)
 add_service(keystore, vpnprofilestore_service)
 
 # Check SELinux permissions.
diff --git a/public/netd.te b/public/netd.te
index 4472938..ff0bff6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,9 +64,8 @@
 
 r_dir_file(netd, cgroup_v2)
 
-# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
-allow netd { fs_bpf fs_bpf_tethering }:dir search;
-allow netd { fs_bpf fs_bpf_tethering }:file { read write };
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/property.te b/public/property.te
index 506e985..db5d754 100644
--- a/public/property.te
+++ b/public/property.te
@@ -112,6 +112,7 @@
 ')
 
 # Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
 system_vendor_config_prop(aaudio_config_prop)
 system_vendor_config_prop(apk_verity_prop)
 system_vendor_config_prop(audio_config_prop)
diff --git a/public/service.te b/public/service.te
index f6a47bc..29d4933 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,6 +19,7 @@
 type installd_service,          service_manager_type;
 type credstore_service,         app_api_service, service_manager_type;
 type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
 type keystore_service,          service_manager_type;
 type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
@@ -39,7 +40,6 @@
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
 type update_engine_stable_service, service_manager_type;
-type usermanager_service,       service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vpnprofilestore_service,   service_manager_type;
@@ -117,7 +117,7 @@
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type fwk_stats_service, system_server_service, service_manager_type;
-type game_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hardware_service, system_server_service, service_manager_type;
@@ -156,6 +156,7 @@
 type oem_lock_service, system_api_service, system_server_service, service_manager_type;
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_api_service, system_server_service, service_manager_type;
+type pac_proxy_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type people_service, app_api_service, system_server_service, service_manager_type;
@@ -203,7 +204,7 @@
 type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
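Review bot: Adding `app_api_service` to `timedetector_service` lets every app find the time detector, a service that until now was only reachable by callers already inside system_server; the SELinux find is coarse, so from here on the service's own per-method permission checks are the only thing separating an unprivileged app from submitting time suggestions. That is acceptable if each suggestion method enforces its own permission, but the policy cannot show that, so a comment naming the app-facing method that motivates the grant would help reviewers tie the two together. The same question applies to game_service gaining `ephemeral_app_api_service` in the earlier hunk of this file.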
diff --git a/public/statsd.te b/public/statsd.te
index 435bbdf..baf05d4 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,10 @@
 allow statsd gpu_service:service_manager find;
 binder_call(statsd, gpuservice)
 
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
 # Allow logd access.
 read_logd(statsd)
 control_logd(statsd)
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@
 set_prop(system_server, power_debug_prop)
 
 neverallow {
+  domain
   -init
   -vendor_init
   -system_server
diff --git a/public/ueventd.te b/public/ueventd.te
index 9c2575a..d5d4301 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -40,8 +40,9 @@
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
 allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
 
 # Everything is labeled as rootfs in recovery mode. ueventd has to execute
 # the dynamic linker and shared libraries.
diff --git a/public/update_engine.te b/public/update_engine.te
index 206d29c..b7cf827 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,14 +29,6 @@
 allow update_engine update_engine_log_data_file:dir create_dir_perms;
 allow update_engine update_engine_log_data_file:file create_file_perms;
 
-# TODO(b/172911822): remove these access when we have transferred
-# reservation responsibility to apexd
-
-# Allow reserving space on /data/apex/ota_reserved for apex decompression
-allow update_engine apex_ota_reserved_file:dir create_dir_perms;
-allow update_engine apex_ota_reserved_file:file create_file_perms;
-allow update_engine apex_data_file:dir search;
-
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;
 
diff --git a/public/vold.te b/public/vold.te
index b6d1443..fb16b7e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,7 +132,7 @@
 # Allow to mount incremental file system on /data/incremental and create files
 allow vold apk_data_file:dir { mounton rw_dir_perms };
 # Allow to create and write files in /data/incremental
-allow vold apk_data_file:file rw_file_perms;
+allow vold apk_data_file:file { rw_file_perms unlink };
 # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
 allow vold apk_tmp_file:dir { mounton r_dir_perms };
 # Allow to read incremental control file and call selinux restorecon on it
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a..8752364 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,6 +13,7 @@
 # android.hardware.graphics.allocator
 allow hal_sensors_default hal_graphics_allocator_default:fd use;
 allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
 
 # allow sensor hal to use lock for keeping system awake for wake up
 # events delivery.
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index abe1e77..639c7bd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,3 +5,6 @@
 init_daemon_domain(hal_tv_tuner_default)
 
 allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;