Merge "Remove sepolicy for viewcompiler" into main
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index eb7cb06..dd883cc 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -103,6 +103,10 @@
return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
}
+func (c *cilCompatMap) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.shouldSkipBuild(ctx) {
return
@@ -144,6 +148,7 @@
} else {
c.installSource = android.OptionalPathForPath(bottomHalf)
}
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource.Path())
}
func (c *cilCompatMap) DepsMutator(ctx android.BottomUpMutatorContext) {
diff --git a/flagging/Android.bp b/flagging/Android.bp
index bdd0481..b40a80a 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -17,6 +17,7 @@
se_flags {
name: "aosp_selinux_flags",
flags: [
+ "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
diff --git a/private/crosvm.te b/private/crosvm.te
index 6ad3727..a96a22a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -81,6 +81,24 @@
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # Allow crosvm to draw screen in the surface
+ allow crosvm device:dir { read open };
+ allow crosvm same_process_hal_file:file { read open getattr map execute };
+ allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
+ allow crosvm hal_graphics_allocator:fd use;
+ allow crosvm hal_graphics_allocator_server:binder call;
+ allow crosvm surfaceflinger:fd use;
+ hal_client_domain(crosvm, hal_graphics_allocator)
+
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow crosvm priv_app:binder { transfer call };
+ allow crosvm servicemanager:binder { call transfer };
+ allow crosvm virtualization_service:service_manager find;
+ allow crosvm virtualizationservice:binder { call transfer };
+')
+
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
@@ -136,6 +154,7 @@
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
}:file *;
')
diff --git a/private/priv_app.te b/private/priv_app.te
index 9ba2c95..76682f1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -124,6 +124,13 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow priv_app virtualization_service:service_manager find;
+ allow priv_app virtualizationservice:binder call;
+ allow priv_app crosvm:binder { call transfer };
+')
+
read_runtime_log_tags(priv_app)
# Allow priv_apps to request and collect incident reports.
diff --git a/private/property_contexts b/private/property_contexts
index 474316d..6f5d205 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -762,6 +762,7 @@
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.swap_compression_ratio u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index ee288f2..2d14f5d 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -18,7 +18,7 @@
add_service(virtualizationservice, virtualization_maintenance_service)
')
-is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# Let virtualizationservice find and communicate with vfio_handler.
allow virtualizationservice vfio_handler_service:service_manager find;
binder_call(virtualizationservice, vfio_handler)
@@ -44,6 +44,12 @@
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow virtualizationservice priv_app:binder transfer;
+')
+
# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;
@@ -112,6 +118,8 @@
domain
-virtualizationmanager
-virtualizationservice
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `