Merge "Allow vendors to set remote_prov_prop properties"
diff --git a/Android.mk b/Android.mk
index bd2bd56..8220fd5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -511,6 +511,8 @@
     odm_seapp_contexts \
     odm_property_contexts \
     odm_property_contexts_test \
+    odm_service_contexts \
+    odm_service_contexts_test \
     odm_hwservice_contexts \
     odm_hwservice_contexts_test \
     odm_mac_permissions.xml
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 267df23..60799cd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -92,10 +92,12 @@
 		"android.hardware.tv.input.ITvInput/default":                              []string{},
 		"android.hardware.tv.tuner.ITuner/default":                                []string{},
 		"android.hardware.usb.IUsb/default":                                       []string{},
+		"android.hardware.usb.gadget.IUsbGadget/default":                          []string{},
 		"android.hardware.uwb.IUwb/default":                                       []string{},
 		"android.hardware.vibrator.IVibrator/default":                             []string{},
 		"android.hardware.vibrator.IVibratorManager/default":                      []string{"android.hardware.vibrator-service.example_fuzzer"},
 		"android.hardware.weaver.IWeaver/default":                                 []string{},
+		"android.hardware.wifi.IWifi/default":                                     []string{},
 		"android.hardware.wifi.hostapd.IHostapd/default":                          []string{},
 		"android.hardware.wifi.supplicant.ISupplicant/default":                    []string{},
 		"android.frameworks.stats.IStats/default":                                 []string{},
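Review bot: Both added entries, `android.hardware.usb.gadget.IUsbGadget/default` and `android.hardware.wifi.IWifi/default`, are bound to an empty list, so these two new binder-reachable HAL interfaces are recorded with no fuzzer. That matches most neighbouring entries, but unlike the `IVibratorManager` line it leaves no record of whether coverage is planned or was deliberately skipped. A short trailing comment on each line, e.g. `// TODO: add service fuzzer` with a tracking reference, would make the gap visible. The map literal begins and ends outside this hunk.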
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 82f42ba..d5cd8ae 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -277,6 +277,15 @@
     recovery_available: true,
 }
 
+service_contexts {
+    name: "odm_service_contexts",
+    srcs: [
+        ":service_contexts_files{.odm}",
+    ],
+    device_specific: true,
+    recovery_available: true,
+}
+
 keystore2_key_contexts {
     name: "plat_keystore2_key_contexts",
     srcs: [":keystore2_key_contexts_files{.plat_private}"],
@@ -515,6 +524,12 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+service_contexts_test {
+    name: "odm_service_contexts_test",
+    srcs: [":odm_service_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
+
 vndservice_contexts_test {
     name: "vndservice_contexts_test",
     srcs: [":vndservice_contexts"],
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 851a85a..1375442 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,16 @@
 # Write to /dev/kmsg.
 allow microdroid_payload kmsg_device:chr_file rw_file_perms;
 
-# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+# Allow microdroid_payload to host binder servers via vsock. Listening
+# for connections from the host is permitted, but connecting out to
+# the host is not. Inbound connections are mediated by
+# virtualiationservice which ensures a process can only connect to a
+# VM that it owns.
+allow microdroid_payload self:vsock_socket {
+ create listen accept read getattr write setattr lock append bind
+ getopt setopt shutdown map
+};
+neverallow microdroid_payload self:vsock_socket connect;
 
 # Payload can read extra apks
 r_dir_file(microdroid_payload, extra_apk_file)
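Review bot: The new `neverallow microdroid_payload self:vsock_socket connect;` only covers sockets that carry the payload's own label, so a vsock socket created in another domain and handed to the payload falls outside the assertion. If the intent in the comment is that the payload never connects out to the host, `neverallow microdroid_payload domain:vsock_socket connect;` states that more completely; whether it builds against the rest of the microdroid policy is not visible from this hunk. The explicit permission list now has to be kept in step with `create_socket_perms_no_ioctl` by hand, which is worth a sentence in the comment. In the same comment, `virtualiationservice` is a typo for `virtualizationservice`.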
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index e6fe12e..ff84b96 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -15,9 +15,11 @@
     hal_cas_service
     hal_remoteaccess_service
     hal_thermal_service
+    hal_usb_gadget_service
     hal_tv_input_service
     hal_tv_hdmi_service
     hal_tv_hdmi_cec_service
+    hal_wifi_service
     healthconnect_service
     keystore_config_prop
     permissive_mte_prop
diff --git a/private/file_contexts b/private/file_contexts
index 951c9b5..4deecf7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -443,13 +443,14 @@
 /odm/etc/selinux/precompiled_sepolicy                           u:object_r:sepolicy_file:s0
 /odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
 
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil                  u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil                 u:object_r:sepolicy_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_file_contexts                 u:object_r:file_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_seapp_contexts                u:object_r:seapp_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_property_contexts             u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_service_contexts              u:object_r:vendor_service_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts         u:object_r:keystore2_key_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml           u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts        u:object_r:keystore2_key_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml          u:object_r:mac_perms_file:s0
 
 #############################
 # Product files
diff --git a/private/service_contexts b/private/service_contexts
index 9cb430e..2b9e88f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -77,10 +77,12 @@
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
 android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
+android.hardware.usb.gadget.IUsbGadget/default                       u:object_r:hal_usb_gadget_service:s0
 android.hardware.uwb.IUwb/default                                    u:object_r:hal_uwb_service:s0
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
 android.hardware.vibrator.IVibratorManager/default                   u:object_r:hal_vibrator_service:s0
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
+android.hardware.wifi.IWifi/default                                  u:object_r:hal_wifi_service:s0
 android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
 android.hardware.wifi.supplicant.ISupplicant/default                 u:object_r:hal_wifi_supplicant_service:s0
 android.se.omapi.ISecureElementService/default                       u:object_r:secure_element_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0b4b919..8c7fe7a 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -153,9 +153,12 @@
 
 # These have been disallowed since Android O.
 # For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
+dontaudit untrusted_app_all {
+  proc_stat
+  proc_uptime
+  proc_vmstat
+  proc_zoneinfo
+}:file read;
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
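Review bot: `proc_zoneinfo` is added to the `dontaudit` set, but the comment above still says only that these reads "have been disallowed since Android O", and nothing visible here shows that this holds for /proc/zoneinfo. Because `dontaudit` removes the denial from the audit log, it also removes the signal that an app is probing that file, so the reason for silencing it should be recorded. I would extend the comment with something like `# proc_zoneinfo: denied to untrusted apps; silenced because apps probing it flood the log.`, if that is the actual motivation.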
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c73c2e7..0864ee0 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -243,9 +243,9 @@
 allow dumpstate recovery_data_file:dir r_dir_perms;
 allow dumpstate recovery_data_file:file r_file_perms;
 
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
 
 # Access /data/misc/profiles/{cur,ref}/
 userdebug_or_eng(`
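Review bot: The widened rules give dumpstate `r_dir_perms` and `r_file_perms` on everything labelled `update_engine_data_file`, so all of /data/misc/update_engine becomes readable for bug reports, which routinely leave the device. The comment names the path but not what is collected or why. Please confirm nothing in that directory is sensitive, and record the purpose, e.g. `# Bugreports include update_engine state from /data/misc/update_engine to debug OTA failures.`, if that is the reason. If only a few files are needed, a narrower type for them would keep the grant smaller.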
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index a474652..45bfdbe 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -2,6 +2,9 @@
 binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
 binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
 
+hal_attribute_service(hal_usb_gadget, hal_usb_gadget_service)
+binder_call(hal_usb_gadget_server, servicemanager)
+
 hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
 
 # Configuring usb gadget functions
@@ -10,4 +13,4 @@
 allow hal_usb_gadget_server configfs:file create_file_perms;
 allow hal_usb_gadget_server functionfs:dir { read search };
 allow hal_usb_gadget_server functionfs:file read;
-
+allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
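Review bot: The added `allow hal_usb_gadget_server proc_interrupts:file r_file_perms;` has no comment, and it sits under `# Configuring usb gadget functions`, which does not describe it. /proc/interrupts exposes system-wide interrupt counts, and placing the rule in public policy grants it to every implementation of the HAL rather than only the service that needs it. Please add a line stating what the gadget HAL reads it for, e.g. `# Read /proc/interrupts to <reason>`, or move the rule to the specific implementation's domain if only one uses it.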
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 2e4fa78..e4f1d21 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,6 +3,9 @@
 binder_call(hal_wifi_server, hal_wifi_client)
 
 hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+hal_attribute_service(hal_wifi, hal_wifi_service)
+
+binder_call(hal_wifi_server, servicemanager)
 
 r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/service.te b/public/service.te
index 825c289..db7c298 100644
--- a/public/service.te
+++ b/public/service.te
@@ -312,11 +312,13 @@
 type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
 type hal_usb_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
 type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
 type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
 type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
 type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
 type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_service, protected_service, hal_service_type, service_manager_type;
 type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
 type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
 type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 8a8b473..ab42534 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -194,7 +194,7 @@
 # to crosvm
 allow { virtualizationservice crosvm } $1:fd use;
 # Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file write;
+allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
 # Allow client to read/write vsock created by virtualizationservice to
 # communicate with the VM that it created. Notice that we do not grant
 # permission to create a vsock; the client can only connect to VMs
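Review bot: `{ getattr write}` is missing the space before the closing brace, while the source set on the same line is written `{ virtualizationservice crosvm }`; the rule should read `allow { virtualizationservice crosvm } $1:fifo_file { getattr write };`. The comment above still mentions only piping the console log, so a few words on why `getattr` is needed (presumably a stat of the pipe before writing) would help the next reader. The enclosing macro begins and ends outside this hunk.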
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c41a1fb..5681054 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -104,6 +104,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)?  u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example        u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.example   u:object_r:hal_usb_gadget_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service    u:object_r:hal_usb_gadget_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service                 u:object_r:hal_uwb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0