Merge "Define property ro.camera.enableCamera1MaxZsl" into sc-dev
diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 0b77bb3..06dac78 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te
@@ -72,12 +72,6 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 22f2ffa..5ff7aef 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -726,6 +726,7 @@
get_state
list
lock
+ pull_metrics
report_off_body
reset
unlock
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index 32b2594..b923cdb 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -209,4 +209,5 @@
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/app_zygote.te b/prebuilts/api/31.0/private/app_zygote.te
index 4ee3af7..cb023ec 100644
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te
@@ -79,6 +79,9 @@
get_prop(app_zygote, device_config_runtime_native_prop)
get_prop(app_zygote, device_config_runtime_native_boot_prop)
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40..d9e351c 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te
@@ -27,15 +27,16 @@
allow atrace {
service_manager_type
-apex_service
- -incident_service
- -iorapd_service
- -netd_service
-dnsresolver_service
- -stats_service
-dumpstate_service
+ -incident_service
-installd_service
- -vold_service
+ -iorapd_service
-lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index 1db4408..56acd4d 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -67,12 +67,15 @@
hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
+ hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
+ keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
+ legacykeystore_service
location_time_zone_manager_service
media_communication_service
media_metrics_service
@@ -143,7 +146,6 @@
vibrator_manager_service
virtualization_service
vpn_management_service
- vpnprofilestore_service
watchdog_metadata_file
wifi_key
zygote_config_prop))
diff --git a/prebuilts/api/31.0/private/dex2oat.te b/prebuilts/api/31.0/private/dex2oat.te
index 28d8b9a..e7cdd5f 100644
--- a/prebuilts/api/31.0/private/dex2oat.te
+++ b/prebuilts/api/31.0/private/dex2oat.te
@@ -79,6 +79,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/prebuilts/api/31.0/private/dexoptanalyzer.te b/prebuilts/api/31.0/private/dexoptanalyzer.te
index b99349e..8eb1d29 100644
--- a/prebuilts/api/31.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/31.0/private/dexoptanalyzer.te
@@ -53,4 +53,4 @@
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -161,6 +161,7 @@
system_server_service
app_api_service
system_api_service
+ -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/prebuilts/api/31.0/private/installd.te b/prebuilts/api/31.0/private/installd.te
index c89ba8b..726e5aa 100644
--- a/prebuilts/api/31.0/private/installd.te
+++ b/prebuilts/api/31.0/private/installd.te
@@ -40,6 +40,9 @@
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/prebuilts/api/31.0/private/recovery.te b/prebuilts/api/31.0/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/prebuilts/api/31.0/private/recovery.te
+++ b/prebuilts/api/31.0/private/recovery.te
@@ -43,4 +43,7 @@
set_prop(recovery, fastbootd_protocol_prop)
get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
')
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index df5769a..3fd342b 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -37,9 +37,10 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177..239686e 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -90,6 +90,7 @@
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
+ -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index f35f9a8..73301c1 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -853,6 +853,7 @@
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
clear_uid
get_state
lock
+ pull_metrics
reset
unlock
};
diff --git a/prebuilts/api/31.0/private/system_server_startup.te b/prebuilts/api/31.0/private/system_server_startup.te
index 3301304..064e038 100644
--- a/prebuilts/api/31.0/private/system_server_startup.te
+++ b/prebuilts/api/31.0/private/system_server_startup.te
@@ -7,6 +7,10 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te
@@ -116,3 +116,6 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/webview_zygote.te b/prebuilts/api/31.0/private/webview_zygote.te
index 10bcf1c..3473eca 100644
--- a/prebuilts/api/31.0/private/webview_zygote.te
+++ b/prebuilts/api/31.0/private/webview_zygote.te
@@ -87,6 +87,9 @@
get_prop(webview_zygote, device_config_runtime_native_prop)
get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/prebuilts/api/31.0/private/wificond.te b/prebuilts/api/31.0/private/wificond.te
index 8bf37ca..3fdaca2 100644
--- a/prebuilts/api/31.0/private/wificond.te
+++ b/prebuilts/api/31.0/private/wificond.te
@@ -6,4 +6,6 @@
get_prop(wificond, hwservicemanager_prop)
+allow wificond legacykeystore_service:service_manager find;
+
init_daemon_domain(wificond)
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index dd42a81..090e121 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -217,6 +217,9 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
diff --git a/prebuilts/api/31.0/public/app.te b/prebuilts/api/31.0/public/app.te
index e4b293f..5527f99 100644
--- a/prebuilts/api/31.0/public/app.te
+++ b/prebuilts/api/31.0/public/app.te
@@ -16,6 +16,9 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;
diff --git a/prebuilts/api/31.0/public/attributes b/prebuilts/api/31.0/public/attributes
index daef4bb..2e01f1e 100644
--- a/prebuilts/api/31.0/public/attributes
+++ b/prebuilts/api/31.0/public/attributes
@@ -358,6 +358,7 @@
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
+hal_attribute(uwb);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index d84abf1..799a2f1 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -677,6 +677,7 @@
-credstore_service
-keystore_maintenance_service
-keystore_service
+ -legacykeystore_service
-mediadrmserver_service
-mediaextractor_service
-mediametrics_service
@@ -684,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vpnprofilestore_service
-vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
index 4117878..105689b 100644
--- a/prebuilts/api/31.0/public/hal_neverallows.te
+++ b/prebuilts/api/31.0/public/hal_neverallows.te
@@ -8,6 +8,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -25,8 +26,17 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} domain:{ tcp_socket udp_socket rawip_socket } *;
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
diff --git a/prebuilts/api/31.0/public/keystore.te b/prebuilts/api/31.0/public/keystore.te
index 155322c..b7d5090 100644
--- a/prebuilts/api/31.0/public/keystore.te
+++ b/prebuilts/api/31.0/public/keystore.te
@@ -20,7 +20,8 @@
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
-add_service(keystore, vpnprofilestore_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index a51203f..ba7837d 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -20,7 +20,9 @@
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
@@ -43,7 +45,6 @@
type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
-type vpnprofilestore_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
diff --git a/prebuilts/api/31.0/public/te_macros b/prebuilts/api/31.0/public/te_macros
index 8d15d47..7dc5062 100644
--- a/prebuilts/api/31.0/public/te_macros
+++ b/prebuilts/api/31.0/public/te_macros
@@ -635,7 +635,7 @@
allow keystore $1:process getattr;
allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
- allow $1 vpnprofilestore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
diff --git a/private/access_vectors b/private/access_vectors
index 22f2ffa..5ff7aef 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@
get_state
list
lock
+ pull_metrics
report_off_body
reset
unlock
diff --git a/private/apexd.te b/private/apexd.te
index 32b2594..b923cdb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -209,4 +209,5 @@
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 4ee3af7..cb023ec 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -79,6 +79,9 @@
get_prop(app_zygote, device_config_runtime_native_prop)
get_prop(app_zygote, device_config_runtime_native_boot_prop)
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/private/atrace.te b/private/atrace.te
index d4aed40..d9e351c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -27,15 +27,16 @@
allow atrace {
service_manager_type
-apex_service
- -incident_service
- -iorapd_service
- -netd_service
-dnsresolver_service
- -stats_service
-dumpstate_service
+ -incident_service
-installd_service
- -vold_service
+ -iorapd_service
-lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 1db4408..56acd4d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -67,12 +67,15 @@
hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
+ hal_uwb_service
hal_weaver_service
hw_timeout_multiplier_prop
keystore_compat_hal_service
keystore_maintenance_service
+ keystore_metrics_service
keystore2_key_contexts_file
legacy_permission_service
+ legacykeystore_service
location_time_zone_manager_service
media_communication_service
media_metrics_service
@@ -143,7 +146,6 @@
vibrator_manager_service
virtualization_service
vpn_management_service
- vpnprofilestore_service
watchdog_metadata_file
wifi_key
zygote_config_prop))
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 28d8b9a..e7cdd5f 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -79,6 +79,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index b99349e..8eb1d29 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -53,4 +53,4 @@
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -161,6 +161,7 @@
system_server_service
app_api_service
system_api_service
+ -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/private/installd.te b/private/installd.te
index c89ba8b..726e5aa 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -40,6 +40,9 @@
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/recovery.te b/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -43,4 +43,7 @@
set_prop(recovery, fastbootd_protocol_prop)
get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
')
diff --git a/private/service_contexts b/private/service_contexts
index df5769a..3fd342b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -37,9 +37,10 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 10b8177..239686e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -90,6 +90,7 @@
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
+ -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/private/system_server.te b/private/system_server.te
index f35f9a8..73301c1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -853,6 +853,7 @@
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
clear_uid
get_state
lock
+ pull_metrics
reset
unlock
};
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 3301304..064e038 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,10 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/private/traced.te b/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -116,3 +116,6 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 10bcf1c..3473eca 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -87,6 +87,9 @@
get_prop(webview_zygote, device_config_runtime_native_prop)
get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/private/wificond.te b/private/wificond.te
index 8bf37ca..3fdaca2 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -6,4 +6,6 @@
get_prop(wificond, hwservicemanager_prop)
+allow wificond legacykeystore_service:service_manager find;
+
init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index dd42a81..090e121 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -217,6 +217,9 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
diff --git a/public/app.te b/public/app.te
index e4b293f..5527f99 100644
--- a/public/app.te
+++ b/public/app.te
@@ -16,6 +16,9 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;
diff --git a/public/attributes b/public/attributes
index daef4bb..2e01f1e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -358,6 +358,7 @@
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
+hal_attribute(uwb);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
diff --git a/public/domain.te b/public/domain.te
index d84abf1..799a2f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -677,6 +677,7 @@
-credstore_service
-keystore_maintenance_service
-keystore_service
+ -legacykeystore_service
-mediadrmserver_service
-mediaextractor_service
-mediametrics_service
@@ -684,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vpnprofilestore_service
-vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 4117878..105689b 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,6 +8,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -25,8 +26,17 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_uwb_server
} domain:{ tcp_socket udp_socket rawip_socket } *;
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
diff --git a/public/keystore.te b/public/keystore.te
index 155322c..b7d5090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -20,7 +20,8 @@
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
-add_service(keystore, vpnprofilestore_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/service.te b/public/service.te
index a51203f..ba7837d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -20,7 +20,9 @@
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
@@ -43,7 +45,6 @@
type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
-type vpnprofilestore_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 8d15d47..7dc5062 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -635,7 +635,7 @@
allow keystore $1:process getattr;
allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
- allow $1 vpnprofilestore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')