Merge "prng_seeder is a bootstrap process in microdroid"
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index abf0085..7b81ab8 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -4,3 +4,4 @@
 (/.*)?                          u:object_r:system_file:s0
 /lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
 /bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/cacerts(/.*)?                  u:object_r:system_security_cacerts_file:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index baf8366..a5b71f0 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -31,6 +31,9 @@
 allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
 allow microdroid_manager self:global_capability_class_set sys_admin;
 
+# Allow microdroid_manager to remove capabilities from it's capability bounding set.
+allow microdroid_manager self:global_capability_class_set setpcap;
+
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
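Review bot: The `setpcap` grant is wider than the comment above it says. CAP_SETPCAP also permits changing securebits and adding bounding-set capabilities to the inheritable set, and SELinux cannot narrow the permission to the drop-only case. Since this domain also holds `sys_admin` (context line above), the comment should pin down the intended use, e.g. `# Needed only for prctl(PR_CAPBSET_DROP) before starting the payload; never used to raise capabilities.` That assumes microdroid_manager really uses it this way, which the hunk does not show. The comment's "it's" should also read "its".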
diff --git a/private/property.te b/private/property.te
index cac04d3..dee6369 100644
--- a/private/property.te
+++ b/private/property.te
@@ -432,6 +432,7 @@
   -init
   -shell
   -system_app
+  -system_server
   -mtectrl
 } {
   arm64_memtag_prop
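Review bot: Exempting `system_server` here has no stated justification, and the matching `set_prop(system_server, arm64_memtag_prop)` in the first hunk of private/system_server.te is appended to a run of device_config properties without a comment of its own. The enclosing rule starts and ends outside this hunk, but it appears to restrict which domains may write the memory-tagging configuration property. If so, each exemption widens what a compromised domain could change about MTE settings. I would add a comment above the `set_prop` line naming the feature that needs the write, e.g. `# Allow system_server to request an MTE state change (<feature / bug reference>)`.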
diff --git a/private/system_server.te b/private/system_server.te
index 54ad242..f85237f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -762,6 +762,7 @@
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
+set_prop(system_server, arm64_memtag_prop)
 
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -1086,7 +1087,7 @@
 allow system_server toolbox_exec:file rx_file_perms;
 
 # Allow system process to setup fs-verity
-allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
 
 # Allow system process to measure fs-verity for apps, apps being installed and system files
 allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
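Review bot: `FS_IOC_ENABLE_VERITY` now covers `system_data_file` and `apex_system_server_data_file`, but the `FS_IOC_MEASURE_VERITY` rule two lines below still lists only `{ apk_data_file apk_tmp_file system_file }`. system_server can therefore seal files of the two new types without being able to read back their digest. If that asymmetry is intended, the comment should say so and name what is being sealed, since `system_data_file` is a broad label and enabling fs-verity makes a file permanently read-only. Something like `# Allow system process to set up fs-verity on APKs and on <files under system_data_file / apex_system_server_data_file>` would do. If measurement is needed for those files, add the two types to the measure rule as well.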
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 82cbf8e..506c7e4 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,8 @@
 
 hal_client_domain(hal_audio_default, hal_allocator)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_audio_default fwk_sensor_service:service_manager find;
+
 # allow audioserver to call hal_audio dump with its own fd to retrieve status
 allow hal_audio_default audioserver:fifo_file write;
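Review bot: The same `fwk_sensor_service:service_manager find` rule is added to four default HAL domains (here and in hal_camera_default.te, hal_face_default.te and hal_fingerprint_default.te), but with two different comments. The camera hunk labels it `# AIDL sensorservice` next to the HIDL rule, while the other three say `# android.frameworks.sensorservice through libsensorndkbridge`. One wording, e.g. `# AIDL android.frameworks.sensorservice, reached through libsensorndkbridge`, would make the grants greppable as a group. For the audio, face and fingerprint domains it is worth confirming that each HAL really links the sensor bridge, because those hunks show no existing HIDL sensor rule that the new grant would be keeping parity with.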
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index f0098a8..e7c5886 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -4,7 +4,10 @@
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 
+# HIDL sensorservice
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow hal_camera_default fwk_sensor_service:service_manager find;
 
 get_prop(hal_camera_default, device_config_camera_native_prop);
 
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index ddfa62e..66ce40c 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -4,4 +4,7 @@
 type hal_face_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_face_default)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_face_default fwk_sensor_service:service_manager find;
+
 set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 812c528..7173223 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -4,4 +4,7 @@
 type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_fingerprint_default fwk_sensor_service:service_manager find;
+
 set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)