Merge "Add persist properties for app profiling itself."
diff --git a/private/apexd.te b/private/apexd.te
index 50a7a72..feee8ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -186,3 +186,6 @@
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/private/apexd_derive_classpath.te b/private/apexd_derive_classpath.te
new file mode 100644
index 0000000..d4c5496
--- /dev/null
+++ b/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
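Review bot: The write grant on `apex_mnt_dir:file` covers every file carrying that label, while the comment above it names a single output file, /apex/derive_classpath_temp. If the output is only ever reached through a descriptor inherited from apexd (the `apexd:fd use` rule suggests this), `open` may be unnecessary and `write` alone would be tighter. Otherwise a dedicated type for the temp file would keep the new domain from modifying other files labelled apex_mnt_dir. The "exclusive domain" claim in the header comment could also be enforced in policy, for example with `neverallow { domain -apexd } apexd_derive_classpath:process transition;`.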
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 5860761..3183ff1 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -20,6 +20,7 @@
hal_uwb_service
hal_uwb_vendor_service
hal_wifi_hostapd_service
+ hal_nlinterceptor_service
hypervisor_prop
locale_service
power_stats_service
diff --git a/private/service_contexts b/private/service_contexts
index 4470e1c..82660d7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0b02745..1e00dcd 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,9 +22,6 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
-allow virtualizationservice system_file:file execute_no_trans;
-
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
diff --git a/public/attributes b/public/attributes
index 6c37db1..ee8a05e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -354,6 +354,7 @@
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
+hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index cd15910..e77ea9d 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -11,6 +11,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -31,6 +32,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
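Review bot: The exemption of `hal_nlinterceptor_server` from the `udp_socket`/`rawip_socket` neverallow in this hunk is not matched by any rule in public/hal_nlinterceptor.te, which grants only `net_admin`, `netlink_generic_socket` and `netlink_route_socket` access. The same applies to the third hunk (the `-hal_nlinterceptor_server` line before `} {`), whose object class lies outside the visible lines. Unless device-side policy needs those socket classes, dropping both exemptions keeps the neverallows effective for the new HAL. Only the first hunk's capability exemption appears to be required, by the `net_admin` allow. If the exemptions stay, a comment next to each, such as `# TODO: justify socket exemption for hal_nlinterceptor_server`, would record why.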
@@ -42,6 +44,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_nlinterceptor_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..2076de8
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
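Review bot: The three `allow` rules are attached to the base attribute `hal_nlinterceptor` rather than `hal_nlinterceptor_server`, so `net_admin` and the netlink permissions go to every domain carrying the base attribute. Depending on how `hal_client_domain` expands on non-Treble builds, that may include clients such as wificond (added in public/wificond.te). Writing them as `allow hal_nlinterceptor_server self:global_capability_class_set net_admin;`, and likewise for the two socket rules, would limit them to the service. The file also has no comments. A one-line header saying what the interceptor does and why it needs `net_admin` plus `nlmsg_readpriv`/`nlmsg_write` on route sockets would make the grant easier to review.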
diff --git a/public/service.te b/public/service.te
index 083de1d..ae2ae1f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -282,6 +282,7 @@
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..98db0d7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@
binder_call(wificond, keystore)
add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;