Merge "Track sys_module permission for system_server"
diff --git a/README b/README
deleted file mode 100644
index f14ac67..0000000
--- a/README
+++ /dev/null
@@ -1,114 +0,0 @@
-This directory contains the core Android SELinux policy configuration.
-It defines the domains and types for the AOSP services and apps common to
-all devices. Device-specific policy should be placed under a
-separate device/<vendor>/<board>/sepolicy subdirectory and linked
-into the policy build as described below.
-
-Policy Generation:
-
-Additional, per device, policy files can be added into the
-policy build. These files should have each line including the
-final line terminated by a newline character (0x0A). This
-will allow files to be concatenated and processed whenever
-the m4(1) macro processor is called by the build process.
-Adding the newline will also make the intermediate text files
-easier to read when debugging build failures. The sets of file,
-service and property contexts files will automatically have a
-newline inserted between each file as these are common failure
-points.
-
-These device policy files can be configured through the use of
-the BOARD_VENDOR_SEPOLICY_DIRS variable. This variable should be set
-in the BoardConfig.mk file in the device or vendor directories.
-
-BOARD_VENDOR_SEPOLICY_DIRS contains a list of directories to search
-for additional policy files. Order matters in this list.
-For example, if you have 2 instances of widget.te files in the
-BOARD_VENDOR_SEPOLICY_DIRS search path, then the first one found (at the
-first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
-will help sort out ordering issues.
-
-Example BoardConfig.mk Usage:
-From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-
-Alongside vendor sepolicy dirs, OEMs can also amend the public and private
-policy of the product and system_ext partitions:
-
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
-
-The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-variables have been deprecated in favour of SYSTEM_EXT_*.
-
-Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
-definitions during the build. A definition consists of a string in the form
-of macro-name=value. Spaces must NOT be present. This is useful for building modular
-policies, policy generation, conditional file paths, etc. It is supported in
-the following file types:
- * All *.te and SE Linux policy files as passed to checkpolicy
- * file_contexts
- * service_contexts
- * property_contexts
- * keys.conf
-
-Example BoardConfig.mk Usage:
-BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
- btdevice=/dev/gps
-
-SPECIFIC POLICY FILE INFORMATION
-
-mac_permissions.xml:
- ABOUT:
- The mac_permissions.xml file is used for controlling the mmac solutions
- as well as mapping a public base16 signing key with an arbitrary seinfo
- string. Details of the files contents can be found in a comment at the
- top of that file. The seinfo string, previously mentioned, is the same string
- that is referenced in seapp_contexts.
-
- It is important to note the final processed version of this file
- is stripped of comments and whitespace. This is to preserve space on the
- system.img. If one wishes to view it in a more human friendly format,
- the "tidy" or "xmllint" command will assist you.
-
- TOOLING:
- insertkeys.py
- Is a helper script for mapping arbitrary tags in the signature stanzas of
- mac_permissions.xml to public keys found in pem files. This script takes
- a mac_permissions.xml file(s) and configuration file in order to operate.
- Details of the configuration file (keys.conf) can be found in the subsection
- keys.conf. This tool is also responsible for stripping the comments and
- whitespace during processing.
-
- keys.conf
- The keys.conf file is used for controlling the mapping of "tags" found in
- the mac_permissions.xml signature stanzas with actual public keys found in
- pem files. The configuration file is processed via m4.
-
- The script allows for mapping any string contained in TARGET_BUILD_VARIANT
- with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
- user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
- any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
- and all options are matched lowercase. The options are "tolowered" automatically
- for the user, it is convention to specify tags and options in all uppercase
- and tags start with @. The option arguments can also use environment variables
- via the familiar $VARIABLE syntax. This is often useful for setting a location
- to ones release keys.
-
- Often times, one will need to integrate an application that was signed by a separate
- organization and may need to extract the pem file for the insertkeys/keys.conf tools.
- Extraction of the public key in the pem format is possible via openssl. First you need
- to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
- openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
- On some occasions CERT.RSA has a different name, and you will need to adjust for that.
- After extracting the pem, you can rename it, and configure keys.conf and
- mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
- editor and strip out anything outside the opening and closing scissor lines. Failure to do
- so WILL cause a compile time issue thrown by insertkeys.py
-
- NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
- and setool all use base16 encodings.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..16d7e45
--- /dev/null
+++ b/README.md
@@ -0,0 +1,117 @@
+# Android SEPolicy
+
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate `device/<vendor>/<board>/sepolicy` subdirectory and linked
+into the policy build as described below.
+
+## Policy Generation
+
+Additional, per device, policy files can be added into the
+policy build. These files should have each line including the
+final line terminated by a newline character (`0x0A`). This
+will allow files to be concatenated and processed whenever
+the `m4`(1) macro processor is called by the build process.
+Adding the newline will also make the intermediate text files
+easier to read when debugging build failures. The sets of file,
+service and property contexts files will automatically have a
+newline inserted between each file as these are common failure
+points.
+
+These device policy files can be configured through the use of
+the `BOARD_VENDOR_SEPOLICY_DIRS` variable. This variable should be set
+in the BoardConfig.mk file in the device or vendor directories.
+
+`BOARD_VENDOR_SEPOLICY_DIRS` contains a list of directories to search
+for additional policy files. Order matters in this list.
+For example, if you have 2 instances of widget.te files in the
+`BOARD_VENDOR_SEPOLICY_DIRS` search path, then the first one found (at the
+first search dir containing the file) will be concatenated first.
+Reviewing `out/target/product/<device>/obj/ETC/vendor_sepolicy.conf_intermediates/vendor_sepolicy.conf`
+will help sort out ordering issues.
+
+Example `BoardConfig.mk` Usage:
+From the Tuna device `BoardConfig.mk`, `device/samsung/tuna/BoardConfig.mk`
+
+ BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+ SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+ PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR`
+variables have been deprecated in favour of `SYSTEM_EXT_*`.
+
+Additionally, OEMs can specify `BOARD_SEPOLICY_M4DEFS` to pass arbitrary `m4`
+definitions during the build. A definition consists of a string in the form
+of `macro-name=value`. Spaces must **NOT** be present. This is useful for building modular
+policies, policy generation, conditional file paths, etc. It is supported in
+the following file types:
+* All `*.te` and SELinux policy files as passed to `checkpolicy`
+* `file_contexts`
+* `service_contexts`
+* `property_contexts`
+* `keys.conf`
+
+Example BoardConfig.mk Usage:
+
+ BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
+ btdevice=/dev/gps
+
+## SPECIFIC POLICY FILE INFORMATION
+
+### mac_permissions.xml
+The `mac_permissions.xml` file is used for controlling the mmac solutions
+as well as mapping a public base16 signing key with an arbitrary seinfo
+string. Details of the files contents can be found in a comment at the
+top of that file. The seinfo string, previously mentioned, is the same string
+that is referenced in seapp_contexts.
+
+It is important to note the final processed version of this file
+is stripped of comments and whitespace. This is to preserve space on the
+system.img. If one wishes to view it in a more human friendly format,
+the `tidy` or `xmllint` command will assist you.
+
+### insertkeys.py
+Is a helper script for mapping arbitrary tags in the signature stanzas of
+`mac_permissions.xml` to public keys found in pem files. This script takes
+a `mac_permissions.xml` file(s) and configuration file in order to operate.
+Details of the configuration file (`keys.conf`) can be found in the subsection
+keys.conf. This tool is also responsible for stripping the comments and
+whitespace during processing.
+
+### keys.conf
+The `keys.conf` file is used for controlling the mapping of "tags" found in
+the `mac_permissions.xml` signature stanzas with actual public keys found in
+pem files. The configuration file is processed via `m4`.
+
+The script allows for mapping any string contained in `TARGET_BUILD_VARIANT`
+with specific path to a pem file. Typically `TARGET_BUILD_VARIANT` is either
+user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
+any string specified in `TARGET_BUILD_VARIANT`. All tags are matched verbatim
+and all options are matched lowercase. The options are **tolowered** automatically
+for the user, it is convention to specify tags and options in all uppercase
+and tags start with @. The option arguments can also use environment variables
+via the familiar `$VARIABLE` syntax. This is often useful for setting a location
+to ones release keys.
+
+Often times, one will need to integrate an application that was signed by a separate
+organization and may need to extract the pem file for the `insertkeys/keys.conf` tools.
+Extraction of the public key in the pem format is possible via `openssl`. First you need
+to unzip the apk, once it is unzipped, `cd` into the `META_INF` directory and then execute
+
+ openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
+
+On some occasions `CERT.RSA` has a different name, and you will need to adjust for that.
+After extracting the pem, you can rename it, and configure `keys.conf` and
+`mac_permissions.xml` to pick up the change. You **MUST** open the generated pem file in a text
+editor and strip out anything outside the opening and closing scissor lines. Failure to do
+so **WILL** cause a compile time issue thrown by insertkeys.py
+
+**NOTE:** The pem files are base64 encoded and `PackageManagerService`, `mac_permissions.xml`
+ and `setool` all use base16 encodings.
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index c56f05e..0545744 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -26,9 +26,7 @@
# allow apkdmverity to access loop devices
allow apkdmverity loop_device:blk_file rw_file_perms;
allowxperm apkdmverity loop_device:blk_file ioctl {
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_DIRECT_IO
+ LOOP_CONFIGURE
};
# allow apkdmverity to log to the kernel
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 4f7a0ff..83eceb0 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -103,6 +103,7 @@
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/tombstone_transmit.microdroid u:object_r:tombstone_transmit_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index bf344ac..21731cc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -56,10 +56,11 @@
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
+set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Allow microdroid_manager to wait for linkerconfig to be ready
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 3c80273..68d6df5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -26,6 +26,7 @@
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
@@ -92,6 +93,7 @@
ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
new file mode 100644
index 0000000..588ebff
--- /dev/null
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -0,0 +1,8 @@
+type tombstone_transmit, domain, coredomain;
+type tombstone_transmit_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(tombstone_transmit)
+
+r_dir_file(tombstone_transmit, tombstone_data_file)
+
+allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index d00a618..f85ba76 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -22,6 +22,7 @@
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
+type ctl_tombstone_transmit_prop, property_type;
type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index c86f862..002fb14 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -1,38 +1,8 @@
-# TODO(jiyong): clean this up
#############################
# Vendor files
#
(/.*)? u:object_r:vendor_file:s0
-/bin/sh u:object_r:vendor_shell_exec:s0
-/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/etc(/.*)? u:object_r:vendor_configs_file:s0
-/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
-/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
-
-/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/manifest\.xml u:object_r:vendor_configs_file:s0
-/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-/app(/.*)? u:object_r:vendor_app_file:s0
-/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
-/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/private/adbd.te b/private/adbd.te
index c5c5cc2..48fa849 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -129,6 +129,7 @@
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd gpu_device:dir r_dir_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
diff --git a/private/app.te b/private/app.te
index 436af5a..5570544 100644
--- a/private/app.te
+++ b/private/app.te
@@ -302,6 +302,9 @@
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+
# Use the Binder.
binder_use(appdomain)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 5522e32..d548e80 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -15,7 +15,7 @@
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set { create_file_perms link };
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
@@ -36,6 +36,9 @@
# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:dir r_dir_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 2be3c9e..96d7dbd 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -4,3 +4,6 @@
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ceb54b1..41d3e56 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adservices_manager_service
apexd_select_prop
artd_service
attestation_verification_service
@@ -13,6 +14,7 @@
charger_vendor
cloudsearch
cloudsearch_service
+ connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
dice_maintenance_service
@@ -63,6 +65,8 @@
smart_idle_maint_enabled_prop
snapuserd_proxy_socket
sysfs_fs_fuse_bpf
+ sysfs_gpu
+ sysfs_lru_gen_enabled
system_dlkm_file
tare_service
tv_iapp_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 26b1df3..167ad2f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -32,7 +32,7 @@
apk_data_file
app_data_file
apex_compos_data_file
- userdebug_or_eng(`shell_data_file')
+ shell_data_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -63,6 +63,9 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+# For ACPI
+allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
@@ -81,15 +84,14 @@
}:file *;
')
-# app_data_file (and shell_data_file for debuggable builds) is the only
-# app_data_file_type that is allowed for crosvm to read. Note that the use of
-# app_data_file is allowed only for the instance disk image. This is enforced
-# inside the virtualizationservice by checking the file context of all disk
-# image files.
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
neverallow crosvm {
app_data_file_type
-app_data_file
- userdebug_or_eng(`-shell_data_file')
+ -shell_data_file
}:file read;
# Only virtualizationservice can run crosvm
diff --git a/private/file.te b/private/file.te
index 54d6df6..5a843f9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -76,6 +76,9 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/odsign_metrics
+type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/virtualizationservice
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b075839..b4f42cf 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -623,6 +623,7 @@
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
+/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
@@ -701,6 +702,8 @@
/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 69ff58c..54ecd45 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -12,6 +12,7 @@
set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_mglru_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
@@ -22,6 +23,7 @@
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ca64733..1c604fc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,6 +123,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -162,6 +163,7 @@
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index a05f3de..114c184 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -129,7 +129,7 @@
allow gmscore_app cache_file:lnk_file r_file_perms;
# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
+allow gmscore_app ota_package_file:dir create_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
# Write the checkin metadata to /data/misc_ce/<userid>/checkin
diff --git a/private/init.te b/private/init.te
index 997a184..1405b9e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -105,6 +105,9 @@
# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;
+# Only init can set the ro.remote_provisioning.* props
+neverallow { domain -init } remote_prov_prop:property_service set;
+
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/keystore.te b/private/keystore.te
index 838712f..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -17,6 +17,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 630183e..a9a52bb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -59,7 +59,8 @@
get_prop(mediaprovider_app, drm_service_config_prop)
-allow mediaprovider_app gpu_device:dir search;
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
+allow mediaprovider_app gpu_device:dir r_dir_perms;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 817416d..829d948 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -42,7 +42,8 @@
# Allow mediatranscoding to access the DMA-BUF system heap
allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediatranscoding gpu_device:dir search;
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
+allow mediatranscoding gpu_device:dir r_dir_perms;
# Allow mediatranscoding service to access media-related system properties
get_prop(mediatranscoding, media_config_prop)
diff --git a/private/odsign.te b/private/odsign.te
index 86a0a6b..f06795c 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -13,6 +13,10 @@
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;
+# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
+allow odsign odsign_metrics_file:dir rw_dir_perms;
+allow odsign odsign_metrics_file:file create_file_perms;
+
# Create and use pty created by android_fork_execvp().
create_pty(odsign)
@@ -61,5 +65,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 3f02c83..396fd25 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,6 +3,7 @@
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
+system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
@@ -31,6 +32,7 @@
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
@@ -45,7 +47,9 @@
system_internal_prop(virtualizationservice_prop)
# Properties which can't be written outside system
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(system_user_mode_emulation_prop)
###
### Neverallow rules
@@ -118,6 +122,7 @@
-restorecon_prop
-shell_prop
-system_prop
+ -system_user_mode_emulation_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 04e77e4..2fafdf5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -57,6 +57,7 @@
persist.nfc. u:object_r:nfc_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+persist.debug.user_mode_emulation u:object_r:system_user_mode_emulation_prop:s0
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -255,12 +256,16 @@
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
+# MGLRU experiment prop
+persist.device_config.mglru_native.lru_gen_config u:object_r:device_config_mglru_native_prop:s0 exact enum none core core_and_mm_walk core_and_nonleaf_young all
+
# MM Events config props
persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
@@ -480,6 +485,8 @@
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -1249,6 +1256,10 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+# Store the URL that the provisioning code should point at.
+ro.remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+ro.remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..b2b3987 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,7 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+get_prop(remote_prov_app, remote_prov_prop)
# The app needs access to properly build a DeviceInfo package for the verifying server
get_prop(remote_prov_app, vendor_security_patch_level_prop)
diff --git a/private/service_contexts b/private/service_contexts
index cac6ea8..ee5b6a9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -75,6 +75,7 @@
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
@@ -136,6 +137,7 @@
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
+connectivity_native u:object_r:connectivity_native_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
diff --git a/private/shell.te b/private/shell.te
index ae5ff55..97fb0b4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -85,6 +85,7 @@
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
+allow shell dex2oat_exec:lnk_file read;
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index bc7543b..123fc69 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -38,6 +38,8 @@
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_gpu:file r_file_perms;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
@@ -72,9 +74,13 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Needed to register as a Perfetto producer.
+# Allow userspace tracing via perfetto.
perfetto_producer(surfaceflinger)
+# Allow to be profiled by performance tools.
+can_profile_heap(surfaceflinger)
+can_profile_perf(surfaceflinger)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_app.te b/private/system_app.te
index 77cca3d..01956f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,6 +176,10 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 7ca6019..12926fc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -221,6 +221,11 @@
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;
+# Read metric file & upload to statsd
+allow system_server odsign_data_file:dir search;
+allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
+allow system_server odsign_metrics_file:file { r_file_perms unlink };
+
# Read /sys/kernel/debug/wakeup_sources.
no_debugfs_restriction(`
allow system_server debugfs_wakeup_sources:file r_file_perms;
@@ -446,6 +451,8 @@
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
@@ -708,6 +715,7 @@
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
@@ -726,6 +734,7 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
@@ -736,6 +745,7 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
@@ -1260,6 +1270,7 @@
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
+ device_config_mglru_native_prop
device_config_storage_native_boot_prop
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 730a45c..66d5ac4 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -43,6 +43,9 @@
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
+# Allow to read game_mode_intervention.list file.
+allow traced_probes game_mode_intervention_list_file:file r_file_perms;
+
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
@@ -144,6 +147,7 @@
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
+ -game_mode_intervention_list_file
}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 05e1664..c369a90 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -70,6 +70,13 @@
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
neverallow {
domain
-init
diff --git a/private/vold.te b/private/vold.te
index 1ad1f43..cb7b1bc 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -24,7 +24,6 @@
get_prop(vold, incremental_prop);
get_prop(vold, gsid_prop);
-set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
diff --git a/public/bootanim.te b/public/bootanim.te
index 88fe173..9c7a0ee 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -13,6 +13,8 @@
hwbinder_use(bootanim)
allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
allow bootanim oemfs:dir search;
diff --git a/public/device.te b/public/device.te
index 4ca8a6f..1bb386f 100644
--- a/public/device.te
+++ b/public/device.te
@@ -79,36 +79,35 @@
type frp_block_device, dev_type;
# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type system_block_device, dev_type;
# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type recovery_block_device, dev_type;
# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
# Block device for any swap partition.
type swap_block_device, dev_type;
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Metadata block device mounted on /metadata, used for encryption metadata and
+# various other purposes.
+# Documented at https://source.android.com/devices/bootloader/partitions
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 871403a..2c75f30 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -188,6 +188,7 @@
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
# logd access
read_logd(dumpstate)
diff --git a/public/file.te b/public/file.te
index 55f65b6..9d333f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -106,6 +106,7 @@
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
+type sysfs_gpu, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
@@ -115,6 +116,7 @@
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index b6d5d92..7ef27113 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -7,6 +7,7 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator gpu_device:dir r_dir_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 3dbc1d8..e99d45f 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -15,6 +15,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
diff --git a/public/init.te b/public/init.te
index 5139038..8dcdd33 100644
--- a/public/init.te
+++ b/public/init.te
@@ -144,7 +144,7 @@
# /metadata
allow init metadata_file:dir mounton;
-# Use tmpfs as /data, used for booting when /data is encrypted
+# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
@@ -423,6 +423,7 @@
sysfs_power
sysfs_fs_f2fs
sysfs_dm
+ sysfs_lru_gen_enabled
}:file w_file_perms;
allow init {
diff --git a/public/installd.te b/public/installd.te
index 84ef1fd..46796af 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,13 +13,6 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 0275532..621b6d7 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -33,6 +33,7 @@
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
allow mediaserver { sdcard_type fuse }:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 5726842..edbab03 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -25,3 +25,5 @@
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;
diff --git a/public/service.te b/public/service.te
index 4583186..0fd2360 100644
--- a/public/service.te
+++ b/public/service.te
@@ -61,6 +61,7 @@
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
+type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -89,6 +90,7 @@
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -161,7 +163,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type nearby_service, system_api_service, system_server_service, service_manager_type;
+type nearby_service, app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vdc.te b/public/vdc.te
index e638e50..dfe6888 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -1,6 +1,6 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
+# vdc is a helper program for making Binder calls to vold. It is spawned from
+# init for various reasons, such as initializing file-based encryption and
+# metadata encryption, and managing userdata checkpointing.
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
diff --git a/public/vold.te b/public/vold.te
index c8ff749..b0fb6d0 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -168,17 +168,9 @@
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
+# Mount and unmount filesystems.
allow vold labeledfs:filesystem { mount unmount remount };
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold {
system_data_file
@@ -210,7 +202,7 @@
allow vold fusectlfs:file rw_file_perms;
allow vold fusectlfs:dir rw_dir_perms;
-# Handle wake locks (used for device encryption)
+# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
# Allow vold to publish a binder service and make binder calls.
@@ -221,9 +213,6 @@
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
# talk to health storage HAL
hal_client_domain(vold, hal_health_storage)
@@ -272,7 +261,7 @@
allow vold app_fuse_file:dir rw_dir_perms;
allow vold app_fuse_file:file { read write open getattr append };
-# MoveTask.cpp executes cp and rm
+# MoveStorage.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
@@ -338,7 +327,6 @@
neverallow vold {
domain
-hal_health_storage_server
- -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index e221eae..c8d5b46 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -77,6 +77,8 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
+
# TODO(b/214336258): move to Soong
$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 5bc4a61..b0912d4 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -9,3 +9,6 @@
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
allow hal_camera_default dumpstate:fifo_file write;
+
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:dir r_dir_perms;
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 8587e12..84f2421 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -17,6 +17,7 @@
hal_client_domain(mediacodec, hal_graphics_allocator)
allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
diff --git a/vendor/tee.te b/vendor/tee.te
index 4b2e6c7..323c7e8 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -6,7 +6,7 @@
allow tee self:global_capability_class_set { dac_override };
allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:dir create_dir_perms;
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms_no_ioctl;
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;