Merge "Allow vendors to set remote_prov_prop properties"
diff --git a/Android.mk b/Android.mk
index bd2bd56..8220fd5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -511,6 +511,8 @@
odm_seapp_contexts \
odm_property_contexts \
odm_property_contexts_test \
+ odm_service_contexts \
+ odm_service_contexts_test \
odm_hwservice_contexts \
odm_hwservice_contexts_test \
odm_mac_permissions.xml
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 267df23..60799cd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -92,10 +92,12 @@
"android.hardware.tv.input.ITvInput/default": []string{},
"android.hardware.tv.tuner.ITuner/default": []string{},
"android.hardware.usb.IUsb/default": []string{},
+ "android.hardware.usb.gadget.IUsbGadget/default": []string{},
"android.hardware.uwb.IUwb/default": []string{},
"android.hardware.vibrator.IVibrator/default": []string{},
"android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
"android.hardware.weaver.IWeaver/default": []string{},
+ "android.hardware.wifi.IWifi/default": []string{},
"android.hardware.wifi.hostapd.IHostapd/default": []string{},
"android.hardware.wifi.supplicant.ISupplicant/default": []string{},
"android.frameworks.stats.IStats/default": []string{},
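Review bot: The two new entries, `android.hardware.usb.gadget.IUsbGadget/default` and `android.hardware.wifi.IWifi/default`, are bound to an empty fuzzer list, so neither new AIDL HAL service has a service fuzzer as of this change. Several neighbouring entries are empty too, so this matches the file, but these HALs likely process data influenced from outside the device and deserve a tracked follow-up. I would add a comment above each new line, e.g. `// TODO(b/<bug-id>): add a service fuzzer for IWifi`, with the bug id as a placeholder for the author to fill in. The map literal starts and ends outside the hunk.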
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 82f42ba..d5cd8ae 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -277,6 +277,15 @@
recovery_available: true,
}
+service_contexts {
+ name: "odm_service_contexts",
+ srcs: [
+ ":service_contexts_files{.odm}",
+ ],
+ device_specific: true,
+ recovery_available: true,
+}
+
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
srcs: [":keystore2_key_contexts_files{.plat_private}"],
@@ -515,6 +524,12 @@
sepolicy: ":precompiled_sepolicy",
}
+service_contexts_test {
+ name: "odm_service_contexts_test",
+ srcs: [":odm_service_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
+
vndservice_contexts_test {
name: "vndservice_contexts_test",
srcs: [":vndservice_contexts"],
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 851a85a..1375442 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,16 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+# Allow microdroid_payload to host binder servers via vsock. Listening
+# for connections from the host is permitted, but connecting out to
+# the host is not. Inbound connections are mediated by
+# virtualiationservice which ensures a process can only connect to a
+# VM that it owns.
+allow microdroid_payload self:vsock_socket {
+ create listen accept read getattr write setattr lock append bind
+ getopt setopt shutdown map
+};
+neverallow microdroid_payload self:vsock_socket connect;
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
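Review bot: The new comment misspells the mediating domain as `virtualiationservice`; it should read `virtualizationservice` so that a grep for the domain name finds this rationale. The explicit permission list also appears to be the old `create_socket_perms_no_ioctl` set with `connect` removed, plus `listen accept`, but nothing says so. A later change to that macro would then diverge from this list unnoticed. I would add a line above the `allow` such as `# Keep in sync with create_socket_perms_no_ioctl, minus connect.`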
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index e6fe12e..ff84b96 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -15,9 +15,11 @@
hal_cas_service
hal_remoteaccess_service
hal_thermal_service
+ hal_usb_gadget_service
hal_tv_input_service
hal_tv_hdmi_service
hal_tv_hdmi_cec_service
+ hal_wifi_service
healthconnect_service
keystore_config_prop
permissive_mte_prop
diff --git a/private/file_contexts b/private/file_contexts
index 951c9b5..4deecf7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -443,13 +443,14 @@
/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_service_contexts u:object_r:vendor_service_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product files
diff --git a/private/service_contexts b/private/service_contexts
index 9cb430e..2b9e88f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -77,10 +77,12 @@
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
+android.hardware.usb.gadget.IUsbGadget/default u:object_r:hal_usb_gadget_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.IWifi/default u:object_r:hal_wifi_service:s0
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0b4b919..8c7fe7a 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -153,9 +153,12 @@
# These have been disallowed since Android O.
# For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
+dontaudit untrusted_app_all {
+ proc_stat
+ proc_uptime
+ proc_vmstat
+ proc_zoneinfo
+}:file read;
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
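Review bot: `proc_zoneinfo` is added to the `dontaudit` set under a comment saying these reads have been disallowed since Android O, and nothing in the hunk shows that this history also holds for `proc_zoneinfo`. Because `dontaudit` suppresses the denial record, apps probing this file will no longer show up in audit logs, so the reason for silencing it should be written down. I would extend the comment with a line such as `# proc_zoneinfo: denial is expected and silenced to reduce log noise (b/<bug-id>)`, with the bug id as a placeholder for the author to fill in.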
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c73c2e7..0864ee0 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -243,9 +243,9 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
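Review bot: The rewritten rules give dumpstate `r_dir_perms` and `r_file_perms` over the whole `update_engine_data_file` type, while the comment names only the directory and not what is collected from it or why. Anything dumpstate can read may end up in a bug report, so it is worth confirming that nothing under /data/misc/update_engine is unsuitable for that. I would state the purpose in the comment, e.g. `# Access /data/misc/update_engine (<what is collected and why>) & /data/misc/update_engine_log`. If only specific files are needed, a narrower type would be preferable to the whole directory label, but that cannot be judged from this hunk.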
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index a474652..45bfdbe 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -2,6 +2,9 @@
binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+hal_attribute_service(hal_usb_gadget, hal_usb_gadget_service)
+binder_call(hal_usb_gadget_server, servicemanager)
+
hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
# Configuring usb gadget functions
@@ -10,4 +13,4 @@
allow hal_usb_gadget_server configfs:file create_file_perms;
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
-
+allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
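Review bot: The added `allow hal_usb_gadget_server proc_interrupts:file r_file_perms;` has no comment, and the surrounding configfs and functionfs rules do not explain why a USB gadget HAL needs to read /proc/interrupts. That file exposes system-wide interrupt counters, and because the rule is on the `hal_usb_gadget_server` attribute in public policy, every implementation of the HAL inherits it. I would add a line above it such as `# <reason the gadget HAL reads interrupt counters>`. If only one service implementation needs the access, the rule would be better placed in that service's own domain.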
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 2e4fa78..e4f1d21 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,6 +3,9 @@
binder_call(hal_wifi_server, hal_wifi_client)
hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+hal_attribute_service(hal_wifi, hal_wifi_service)
+
+binder_call(hal_wifi_server, servicemanager)
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/service.te b/public/service.te
index 825c289..db7c298 100644
--- a/public/service.te
+++ b/public/service.te
@@ -312,11 +312,13 @@
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 8a8b473..ab42534 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -194,7 +194,7 @@
# to crosvm
allow { virtualizationservice crosvm } $1:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file write;
+allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
# Allow client to read/write vsock created by virtualizationservice to
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
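Review bot: The new permission set is written `{ getattr write}` with no space before the closing brace, unlike the `{ virtualizationservice crosvm }` set on the same line; `$1:fifo_file { getattr write };` would match the surrounding style. The comment above the rule still describes only piping the console log, so it would help to say why `getattr` is now needed, e.g. `# Allow piping console log to the client (getattr: <reason>)`. The macro this rule belongs to starts and ends outside the hunk.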
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c41a1fb..5681054 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -104,6 +104,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)? u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.example u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0