Merge "Label /dev/hvcN paths"
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index 004aa3d..de1c8d6 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -23,7 +23,3 @@
rebind
use
};
-
-# Microdroid manager connects vsock_socket to the host and app's output is redirected to it.
-# TODO(b/195751698) This is flaky; it seems this is not always necessary.
-dontaudit microdroid_app microdroid_manager:vsock_socket getattr;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index cf516dd..ffc2b3b 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,6 +7,9 @@
# in tools/checkfc.c
attribute dev_type;
+# Attribute for block devices.
+attribute bdev_type;
+
# All types used for processes.
attribute domain;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index c03fb4d..898224c 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,7 +1,7 @@
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
@@ -34,7 +34,7 @@
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
-type vd_device, dev_type;
+type vd_device, dev_type, bdev_type;
type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index f3abde4..362b412 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -3,6 +3,8 @@
(type apex_permission_data_file)
(type apex_scheduling_data_file)
(type apex_wifi_data_file)
+(type vr_hwc)
+(type vr_hwc_exec)
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index f80312a..7decba1 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -12,6 +12,7 @@
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
+ hal_graphics_composer_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/file_contexts b/private/file_contexts
index 55b9e41..18be045 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -357,7 +357,6 @@
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8f82b5d..664a3b3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -119,6 +119,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/private/service_contexts b/private/service_contexts
index 335004e..b9ab85d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,6 +4,7 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
@@ -308,8 +309,6 @@
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
vpn_management u:object_r:vpn_management_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 9900600..e88efd0 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -91,8 +91,6 @@
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
-add_service(surfaceflinger, vrflinger_vsync_service)
-
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index 239686e..6cf993a 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,7 +93,6 @@
-tracingproxy_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
@@ -105,7 +104,6 @@
netd_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# suppress denials caused by debugfs_tracing
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/public/attributes b/public/attributes
index 35a3800..32fe98c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,6 +7,9 @@
# in tools/checkfc.c
attribute dev_type;
+# Attribute for block devices.
+attribute bdev_type;
+
# All types used for processes.
attribute domain;
@@ -65,6 +68,9 @@
# All types used for sysfs files.
attribute sysfs_type;
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
# All types use for debugfs files.
attribute debugfs_type;
diff --git a/public/device.te b/public/device.te
index 686f955..1a71a40 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,18 +6,18 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
type rtc_device, dev_type;
-type vd_device, dev_type;
+type vd_device, dev_type, bdev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
@@ -73,51 +73,51 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
# factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 423d59c..95b59d8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -685,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
}:service_manager find;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 23711c3..b1f186c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -255,7 +255,6 @@
-gatekeeper_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
@@ -265,7 +264,6 @@
gatekeeper_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# Most of these are neverallowed.
diff --git a/public/file.te b/public/file.te
index ffcfd2b..0b94e2e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,10 +88,11 @@
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 1c69c99..7327256 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -30,3 +30,8 @@
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:global_capability_class_set sys_nice;
+
+binder_call(hal_graphics_composer_client, servicemanager)
+binder_call(hal_graphics_composer_server, servicemanager)
+
+hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
diff --git a/public/service.te b/public/service.te
index ef24657..a821941 100644
--- a/public/service.te
+++ b/public/service.te
@@ -260,6 +260,7 @@
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 29c07a4..5fd9079 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -89,7 +89,6 @@
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
@@ -158,6 +157,9 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ce9b844..03c4944 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -15,7 +15,6 @@
-netd_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5f8d0cd..59694ec 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -40,6 +40,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0