Merge "Adds GPU sepolicy to support devices with DRM gralloc/rendering"
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index c56f05e..0545744 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -26,9 +26,7 @@
# allow apkdmverity to access loop devices
allow apkdmverity loop_device:blk_file rw_file_perms;
allowxperm apkdmverity loop_device:blk_file ioctl {
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_DIRECT_IO
+ LOOP_CONFIGURE
};
# allow apkdmverity to log to the kernel
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index bf344ac..21731cc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -56,10 +56,11 @@
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
+set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Allow microdroid_manager to wait for linkerconfig to be ready
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index e4f0bb0..68d6df5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -26,6 +26,7 @@
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index d00a618..f85ba76 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -22,6 +22,7 @@
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
+type ctl_tombstone_transmit_prop, property_type;
type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
diff --git a/private/crosvm.te b/private/crosvm.te
index 0fd146e..167ad2f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -32,7 +32,7 @@
apk_data_file
app_data_file
apex_compos_data_file
- userdebug_or_eng(`shell_data_file')
+ shell_data_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -84,15 +84,14 @@
}:file *;
')
-# app_data_file (and shell_data_file for debuggable builds) is the only
-# app_data_file_type that is allowed for crosvm to read. Note that the use of
-# app_data_file is allowed only for the instance disk image. This is enforced
-# inside the virtualizationservice by checking the file context of all disk
-# image files.
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
neverallow crosvm {
app_data_file_type
-app_data_file
- userdebug_or_eng(`-shell_data_file')
+ -shell_data_file
}:file read;
# Only virtualizationservice can run crosvm
diff --git a/private/property.te b/private/property.te
index ccf6040..396fd25 100644
--- a/private/property.te
+++ b/private/property.te
@@ -49,6 +49,7 @@
# Properties which can't be written outside system
system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(system_user_mode_emulation_prop)
###
### Neverallow rules
@@ -121,6 +122,7 @@
-restorecon_prop
-shell_prop
-system_prop
+ -system_user_mode_emulation_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 1ad19c1..2fafdf5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -57,6 +57,7 @@
persist.nfc. u:object_r:nfc_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+persist.debug.user_mode_emulation u:object_r:system_user_mode_emulation_prop:s0
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
diff --git a/private/shell.te b/private/shell.te
index ae5ff55..97fb0b4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -85,6 +85,7 @@
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
+allow shell dex2oat_exec:lnk_file read;
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
diff --git a/private/system_server.te b/private/system_server.te
index 927ef10..12926fc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -715,6 +715,7 @@
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
diff --git a/private/vold.te b/private/vold.te
index 1ad1f43..cb7b1bc 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -24,7 +24,6 @@
get_prop(vold, incremental_prop);
get_prop(vold, gsid_prop);
-set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
diff --git a/public/device.te b/public/device.te
index 4ca8a6f..1bb386f 100644
--- a/public/device.te
+++ b/public/device.te
@@ -79,36 +79,35 @@
type frp_block_device, dev_type;
# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type system_block_device, dev_type;
# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type recovery_block_device, dev_type;
# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
# Block device for any swap partition.
type swap_block_device, dev_type;
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Metadata block device mounted on /metadata, used for encryption metadata and
+# various other purposes.
+# Documented at https://source.android.com/devices/bootloader/partitions
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
+# Documented at https://source.android.com/devices/bootloader/partitions
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
diff --git a/public/init.te b/public/init.te
index e2010f3..8dcdd33 100644
--- a/public/init.te
+++ b/public/init.te
@@ -144,7 +144,7 @@
# /metadata
allow init metadata_file:dir mounton;
-# Use tmpfs as /data, used for booting when /data is encrypted
+# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
diff --git a/public/installd.te b/public/installd.te
index 84ef1fd..46796af 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,13 +13,6 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
diff --git a/public/vdc.te b/public/vdc.te
index e638e50..dfe6888 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -1,6 +1,6 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
+# vdc is a helper program for making Binder calls to vold. It is spawned from
+# init for various reasons, such as initializing file-based encryption and
+# metadata encryption, and managing userdata checkpointing.
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
diff --git a/public/vold.te b/public/vold.te
index c8ff749..b0fb6d0 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -168,17 +168,9 @@
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
+# Mount and unmount filesystems.
allow vold labeledfs:filesystem { mount unmount remount };
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold {
system_data_file
@@ -210,7 +202,7 @@
allow vold fusectlfs:file rw_file_perms;
allow vold fusectlfs:dir rw_dir_perms;
-# Handle wake locks (used for device encryption)
+# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
# Allow vold to publish a binder service and make binder calls.
@@ -221,9 +213,6 @@
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
# talk to health storage HAL
hal_client_domain(vold, hal_health_storage)
@@ -272,7 +261,7 @@
allow vold app_fuse_file:dir rw_dir_perms;
allow vold app_fuse_file:file { read write open getattr append };
-# MoveTask.cpp executes cp and rm
+# MoveStorage.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
@@ -338,7 +327,6 @@
neverallow vold {
domain
-hal_health_storage_server
- -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager