Merge "property_context: add Codec2 HAL selection property" into main
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index f4541a3..2dbf495 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,7 @@
# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };
+
+# Workaround for test failures (b/306516077)
+# We get a denial for this on VM boot, but the denial is correct.
+dontaudit init device:file relabelto;
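Review bot: The added `dontaudit init device:file relabelto;` silences every relabelto denial init hits on any regular file still carrying the generic `device` label, not only the one seen in the failing tests, so a later mislabelled file would be refused with no avc record to diagnose it. The comment gives the bug id but neither the path that triggers the denial nor the condition for removing the rule; I would add a line such as `# TODO(b/306516077): remove once the file init relabels at boot is identified and labelled.` The same rule and comment are added in the private/init.te hunk of this commit, and the point applies there as well. If the tests only object to the logged denial, an entry like `init device file b/306516077` in private/bug_map might keep the denial visible while attributing it to the bug, assuming the test harness honours bug_map.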
diff --git a/private/bug_map b/private/bug_map
index 9aced64..f35fbca 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -21,6 +21,7 @@
mediaprovider shell_data_file dir b/77925342
mediaswcodec ashmem_device chr_file b/142679232
platform_app nfc_data_file dir b/74331887
+platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 96d7dbd..76ffba6 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -7,3 +7,4 @@
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir r_dir_perms;
+allow cameraserver virtual_camera:binder call;
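Review bot: The new `allow cameraserver virtual_camera:binder call;` grants only the `call` permission and carries no comment explaining why cameraserver talks to this domain. If cameraserver passes callback objects to virtual_camera, or virtual_camera has to call back, `transfer` and a reverse rule are needed too; no `binder_call(virtual_camera, cameraserver)` appears in the private/virtual_camera.te hunk of this commit, though it may exist in a file not shown here. If one-way calls are what is intended, a comment such as `# cameraserver only calls into virtual_camera; no reference transfer is needed.` would record that the narrow grant is deliberate.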
diff --git a/private/file_contexts b/private/file_contexts
index 683e97a..3a9c04d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -333,6 +333,7 @@
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
diff --git a/private/init.te b/private/init.te
index 9d3a2c3..67e5561 100644
--- a/private/init.te
+++ b/private/init.te
@@ -123,3 +123,7 @@
-vm_manager_device_type
-port_device
}:chr_file setattr;
+
+# Workaround for test failures (b/306516077)
+# We get a denial for this on boot, but the denial is correct.
+dontaudit init device:file relabelto;
diff --git a/private/property_contexts b/private/property_contexts
index 0028830..6e52e2d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -416,6 +416,7 @@
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camera.disableJpegR u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableVirtualCamera u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -1345,6 +1346,7 @@
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.prime_shader_cache.ultrahdr u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c39625d..765a59f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -1,16 +1,20 @@
# virtual_camera - virtual camera daemon
type virtual_camera, domain, coredomain;
+type virtual_camera_exec, system_file_type, exec_type, file_type;
-app_domain(virtual_camera)
+init_daemon_domain(virtual_camera)
-allow virtual_camera system_app_data_file:dir create_dir_perms;
-allow virtual_camera system_app_data_file:file create_file_perms;
+# Since virtual_camera is not a real HAL we don't set the
+# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
+# we actually need from halserverdomain and hal_camera_server:
+binder_use(virtual_camera)
-allow virtual_camera activity_service:service_manager find;
+# Allow virtual_camera to use fd from apps
+allow virtual_camera { appdomain -isolated_app }:fd use;
-# hal_server_domain adds this rule to prevent any other domain from adding
-# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
-# so we use app_domain and manully add the neverallow
-allow virtual_camera virtual_camera_service:service_manager add;
-neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;
+# Only allow virtual_camera to add a virtual_camera_service and no one else.
+add_service(virtual_camera, virtual_camera_service);
+
+# Allow virtual_camera to map graphic buffers
+hal_client_domain(virtual_camera, hal_graphics_allocator)
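Review bot: The rule `allow virtual_camera { appdomain -isolated_app }:fd use;` lets an init-started coredomain daemon accept file descriptors from every app domain except isolated_app, and its one-line comment says neither what those descriptors are nor why that exclusion is the right boundary. Judging by the comment above `binder_use`, the rule was presumably lifted from the hal_camera server rules; I would say so explicitly, for example `# Apps hand buffer fds to the virtual camera; same app set as hal_camera, isolated_app excluded.`, after confirming it against the actual callers. Separately, `add_service(virtual_camera, virtual_camera_service);` ends in a semicolon while the other macro calls in this file do not, and dropping it would keep the file consistent.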