Merge "Policy for virtual_camera" into main
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 7a5ca9a..4c6492f 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -18,6 +18,7 @@
credential_service
device_as_webcam
device_config_camera_native_prop
+ device_config_core_experiments_team_internal_prop
device_config_edgetpu_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 379e32c..18600d8 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -84,7 +84,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index 692c962..662cdd6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -156,10 +156,18 @@
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)
-# Allow access to fsverity keyring.
+# Allow searching the ".fs-verity" keyring.
+#
+# Note: Android no longer uses fsverity builtin signatures, which makes this
+# rule mostly unnecessary. This rule can potentially still be invoked when
+# opening a file with an fsverity builtin signature that exists on-disk from
+# Android 13 or earlier, if the kernel hasn't updated to disable fsverity
+# builtin signature support. Though, opening such a file fails regardless of
+# whether SELinux allows the keyring lookup, as the keyring is now always empty.
+# At the same time, some totally unrelated dependencies on this rule have crept
+# in as well, for example init needs it to create the session keyring on Linux
+# v5.3 and later. TODO(b/290064770) Replace this with more specific rules.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
diff --git a/private/file_contexts b/private/file_contexts
index 123e4ed..9344953 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,7 +238,6 @@
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 9480b40..9afaba0 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -3,6 +3,7 @@
init_daemon_domain(flags_health_check)
set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_core_experiments_team_internal_prop)
set_prop(flags_health_check, device_config_edgetpu_native_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index 2e5089c..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
-dontaudit fsverity_init domain:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 9f5f87e..09ba079 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -18,6 +18,16 @@
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
read_fstab(lpdumpd)
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(lpdumpd, sysfs_dt_firmware_android);
+allow lpdumpd proc_cmdline:file r_file_perms;
+
+# Allow reading Virtual A/B status information.
+get_prop(lpdumpd, virtual_ab_prop)
+allow lpdumpd metadata_file:dir search;
+allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
+allow lpdumpd ota_metadata_file:file r_file_perms;
+
### Neverallow rules
# Disallow other domains to get lpdump_service and call lpdumpd.
diff --git a/private/odsign.te b/private/odsign.te
index f06795c..da1d9d6 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,9 +51,6 @@
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -65,5 +62,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
+neverallow { domain -odsign -init } odsign_data_file:dir ~search;
+neverallow { domain -odsign -init } odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 66c9cea..8d99e66 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -51,6 +52,8 @@
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
+system_internal_prop(sensors_config_prop)
+
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
diff --git a/private/property_contexts b/private/property_contexts
index d556acf..3400597 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -253,6 +253,7 @@
persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
+persist.device_config.core_experiments_team_internal. u:object_r:device_config_core_experiments_team_internal_prop:s0
persist.device_config.edgetpu_native. u:object_r:device_config_edgetpu_native_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
@@ -706,6 +707,7 @@
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.delay_monitors_until_boot u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
@@ -1566,3 +1568,6 @@
# Properties for Quick Start setup.
ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
+
+# Properties for sensor service
+sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 085492a..bc68209 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -47,9 +47,11 @@
# be mapped to isolated_compute_app by default. It is expected to be used together
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
+# An unspecified isIsolatedComputeApp defaults to false.
#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
+# An unspecified isSdkSandboxNext defaults to false.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
@@ -67,8 +69,8 @@
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
-# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
-# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
+# (9) Platform seapp_contexts files (system, system_ext, product) before
+# vendor seapp_contexts files (vendor, odm).
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
diff --git a/private/system_server.te b/private/system_server.te
index a9eb31d..cacb3c8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -743,6 +743,7 @@
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
+set_prop(system_server, device_config_core_experiments_team_internal_prop)
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
@@ -854,6 +855,10 @@
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)
+# Allow the sensor service (running in the system service) to read sensor
+# configuration properties
+get_prop(system_server, sensors_config_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -1309,6 +1314,7 @@
-system_server
-flags_health_check
} {
+ device_config_core_experiments_team_internal_prop
device_config_activity_manager_native_boot_prop
device_config_connectivity_prop
device_config_input_native_boot_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 80dfbdc..a7657e1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -54,7 +54,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V[1-2]-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
@@ -149,3 +149,46 @@
#
/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
/data/vendor/wifi/wpa(/.*)? u:object_r:wpa_data_file:s0
+
+#############################
+# Vendor libraries loaded from SP-HAL (former VNDK-SP)
+#
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.common\.fmq-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.allocator-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V4-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.2\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.composer3-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@2\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@2\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRSDriver\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRS_internal\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libbase\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libbcinfo\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libblas\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libc\+\+\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libcompiler_rt\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libcutils\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgralloctypes\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhardware\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidlbase\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidlmemory\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libion\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libjsoncpp\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/liblzma\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libprocessgroup\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libunwindstack\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libutils\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libutilscallstack\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libz\.so u:object_r:same_process_hal_file:s0