Merge "Reland "Change the stem name to microdroid_precompiled_s...""
diff --git a/Android.mk b/Android.mk
index 618f7f0..d496f1d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -113,12 +113,6 @@
) \
)))
-ifdef BOARD_ODM_SEPOLICY_DIRS
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
-endif
-endif
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -315,15 +309,6 @@
plat_bug_map \
searchpolicy \
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-# The following files are only allowed for non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
- sepolicy \
-
-endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
-
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
@@ -334,11 +319,9 @@
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-endif # PRODUCT_SEPOLICY_SPLIT
endif # SELINUX_IGNORE_NEVERALLOWS
endif # with_asan
@@ -532,24 +515,6 @@
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
-#################################
-# sepolicy is also built with Android.bp.
-# This module is to keep compatibility with monolithic sepolicy devices.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_sepolicy)
- $(copy-file-to-target)
-
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
@@ -667,7 +632,6 @@
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
@@ -681,7 +645,6 @@
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)
-endif # PRODUCT_SEPOLICY_SPLIT
built_plat_sepolicy :=
built_system_ext_sepolicy :=
diff --git a/apex/Android.bp b/apex/Android.bp
index 2dcae6f..22de5d4 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -43,6 +43,13 @@
}
filegroup {
+ name: "com.android.threadnetwork-file_contexts",
+ srcs: [
+ "com.android.threadnetwork-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.sdkext-file_contexts",
srcs: [
"com.android.sdkext-file_contexts",
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
new file mode 100644
index 0000000..1aabee9
--- /dev/null
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -0,0 +1,4 @@
+(/.*)? u:object_r:system_file:s0
+/bin/otbr-agent u:object_r:ot_daemon_exec:s0
+/bin/ot-ctl u:object_r:ot_ctl_exec:s0
+/bin/ot-rcp u:object_r:ot_rcp_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 7c1aab2..d8c3ffb 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -151,7 +151,7 @@
if c.isTargetRecovery() {
return "false"
}
- return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
+ return strconv.FormatBool(true)
}
func (c *policyConf) compatibleProperty(ctx android.ModuleContext) string {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7eef4ea..fae0106 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -153,15 +153,15 @@
"aidl_lazy_cb_test": EXCEPTION_NO_FUZZER,
"alarm": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/default": EXCEPTION_NO_FUZZER,
- "android.os.UpdateEngineService": EXCEPTION_NO_FUZZER,
- "android.os.UpdateEngineStableService": EXCEPTION_NO_FUZZER,
+ "android.os.UpdateEngineService": []string{"update_engine_service_fuzzer"},
+ "android.os.UpdateEngineStableService": []string{"update_engine_service_fuzzer"},
"android.frameworks.automotive.display.ICarDisplayProxy/default": EXCEPTION_NO_FUZZER,
"android.security.apc": EXCEPTION_NO_FUZZER,
"android.security.authorization": []string{"authorization_service_fuzzer"},
"android.security.compat": EXCEPTION_NO_FUZZER,
"android.security.dice.IDiceMaintenance": EXCEPTION_NO_FUZZER,
"android.security.dice.IDiceNode": EXCEPTION_NO_FUZZER,
- "android.security.identity": EXCEPTION_NO_FUZZER,
+ "android.security.identity": []string{"credstore_service_fuzzer"},
"android.security.keystore": EXCEPTION_NO_FUZZER,
"android.security.legacykeystore": EXCEPTION_NO_FUZZER,
"android.security.maintenance": EXCEPTION_NO_FUZZER,
@@ -458,7 +458,7 @@
"wifip2p": EXCEPTION_NO_FUZZER,
"wifiscanner": EXCEPTION_NO_FUZZER,
"wifi": EXCEPTION_NO_FUZZER,
- "wifinl80211": EXCEPTION_NO_FUZZER,
+ "wifinl80211": []string{"wificond_service_fuzzer"},
"wifiaware": EXCEPTION_NO_FUZZER,
"wifirtt": EXCEPTION_NO_FUZZER,
"window": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index c940eca..118425a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -252,6 +252,10 @@
# Properties that microdroid doesn't have but some still want to read.
dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
+# Allow all processes to "read" non_existing_prop to suppress libc's access denial logs.
+# dontaudit is not enough; it's still fine because they can't be written, by neverallow rules
+get_prop(domain, non_existing_prop)
+
###
### neverallow rules
###
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index de32003..98c483a 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -5,6 +5,7 @@
system_public_prop(dalvik_dynamic_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(non_existing_prop)
typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
@@ -61,3 +62,8 @@
-microdroid_manager
-crash_dump
} {microdroid_config_prop}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} non_existing_prop:property_service set;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index e74d6d2..2bd5a22 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -145,6 +145,7 @@
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag. u:object_r:non_existing_prop:s0 prefix string
persist.sys.timezone u:object_r:timezone_prop:s0 exact string
@@ -171,3 +172,21 @@
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+# These non_existing_prop properties are unused in microdroid, but added here to suppress libc's
+# access denial logs.
+libc.debug.gwp_asan. u:object_r:non_existing_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:non_existing_prop:s0 prefix string
+persist.adb.tls_server.enable u:object_r:non_existing_prop:s0 exact bool
+persist.adb.watchdog.timeout_secs u:object_r:non_existing_prop:s0 exact int
+persist.adb.watchdog u:object_r:non_existing_prop:s0 exact bool
+persist.device_config. u:object_r:non_existing_prop:s0 prefix string
+persist.sys.test_harness u:object_r:non_existing_prop:s0 exact bool
+ro.arch u:object_r:non_existing_prop:s0 exact string
+ro.boot.vsock_tombstone_port u:object_r:non_existing_prop:s0 exact int
+ro.product.device u:object_r:non_existing_prop:s0 exact string
+ro.product.model u:object_r:non_existing_prop:s0 exact string
+ro.product.name u:object_r:non_existing_prop:s0 exact string
+ro.product.vndk.version u:object_r:non_existing_prop:s0 exact string
+ro.secure u:object_r:non_existing_prop:s0 exact bool
+ro.serialno u:object_r:non_existing_prop:s0 exact string
diff --git a/private/apexd.te b/private/apexd.te
index b74d4ee..f158ef6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -102,8 +102,8 @@
allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+r_dir_file(apexd, vendor_apex_file)
+r_dir_file(apexd, vendor_apex_metadata_file)
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
diff --git a/private/app.te b/private/app.te
index 754c802..3f8560a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -47,6 +47,7 @@
get_prop(appdomain, dck_prop)
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
+get_prop(appdomain, persist_sysui_ranking_update_prop)
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 6552d63..e3869cd 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -20,6 +20,9 @@
# For JIT
allow app_zygote self:process execmem;
+# Allow exec mapping from tmpfs (memfds) for binary translation
+allow app_zygote app_zygote_tmpfs:file execute;
+
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
@@ -74,6 +77,8 @@
# Allow app_zygote access to /vendor/overlay
r_dir_file(app_zygote, vendor_overlay_file)
+# Allow app_zygote to read vendor_overlay_file from vendor apex as well
+allow app_zygote vendor_apex_metadata_file:dir { getattr search };
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
diff --git a/private/artd.te b/private/artd.te
index ef54d8c..5fcd43a 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -39,9 +39,11 @@
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
-# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow artd vendor_apex_metadata_file:dir { getattr search };
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)
diff --git a/private/atrace.te b/private/atrace.te
index 50ab392..1712648 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -77,3 +77,5 @@
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
')
+
+dontaudit atrace debugfs_tracing_debug:file audit_access;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 8fa3985..204048e 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2544,7 +2544,10 @@
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_configs_file_33_0
+ ( vendor_configs_file
+ vendor_apex_metadata_file
+))
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
(typeattributeset vendor_file_33_0 (vendor_file))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index c73eefa..d84d8ea 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -57,6 +57,7 @@
ota_build_prop
permissive_mte_prop
persist_sysui_builder_extras_prop
+ persist_sysui_ranking_update_prop
prng_seeder
recovery_usb_config_prop
remote_provisioning_service
diff --git a/private/crosvm.te b/private/crosvm.te
index f1012b7..8a6bd24 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -69,6 +69,7 @@
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+allow crosvm devpts:chr_file { read write getattr ioctl };
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 2299ba0..4f15d5a 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -6,6 +6,7 @@
# Read /apex
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
# Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index f46c614..c47f0a5 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -6,6 +6,7 @@
# Read /apex
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 23f7444..379e32c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -12,6 +12,8 @@
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
r_dir_file(dex2oat, vendor_overlay_file);
+# Vendor overlay can be found in vendor apex
+allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
diff --git a/private/domain.te b/private/domain.te
index f98a285..692c962 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -609,6 +609,7 @@
-same_process_hal_file
-vendor_app_file
-vendor_apex_file
+ -vendor_apex_metadata_file
-vendor_configs_file
-vendor_service_contexts_file
-vendor_framework_file
diff --git a/private/file.te b/private/file.te
index f6781b0..e48fc4c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -131,5 +131,8 @@
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
+# /data/misc/threadnetwork
+type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
+
# /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9c51e4..123e4ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -655,6 +655,7 @@
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/threadnetwork(/.*)? u:object_r:threadnetwork_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index fd083c2..9554a76 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -6,8 +6,8 @@
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/(system_ext|system/system_ext)/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/(system_ext|system/system_ext)/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 7e78c19..bd46ca4 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,6 +19,9 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
+# Allow linkerconfig to read apex_manifest.pb file from vendor apex
+r_dir_file(linkerconfig, vendor_apex_metadata_file)
+
# Allow linkerconfig to be called in the otapreopt_chroot
allow linkerconfig otapreopt_chroot:fd use;
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..12e7ce2
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,11 @@
+#
+# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(ot_ctl)
+
+# Allow the ot_ctl to read/write the socket file.
+allow ot_ctl threadnetwork_data_file:sock_file {read write};
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..98e1a0a
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,24 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# used for simulation
+userdebug_or_eng(`
+create_pty(ot_daemon);
+domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
+')
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
new file mode 100644
index 0000000..0f6f1d3
--- /dev/null
+++ b/private/ot_rcp.te
@@ -0,0 +1,15 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
+#
+
+type ot_rcp, domain, coredomain;
+type ot_rcp_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+allow ot_rcp ot_daemon:fd use;
+allow ot_rcp ot_daemon:fifo_file rw_file_perms;
+allow ot_rcp ot_daemon_devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp node:udp_socket node_bind;
+')
diff --git a/private/platform_app.te b/private/platform_app.te
index 6d49502..1bd0020 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,9 @@
userdebug_or_eng(`
set_prop(platform_app, persist_sysui_builder_extras_prop)
')
+userdebug_or_eng(`
+ set_prop(platform_app, persist_sysui_ranking_update_prop)
+')
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc941..cdf403c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -47,6 +47,8 @@
r_dir_file(postinstall_dexopt, vendor_app_file)
# Read vendor overlay files (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
diff --git a/private/property.te b/private/property.te
index 35f9bc7..66c9cea 100644
--- a/private/property.te
+++ b/private/property.te
@@ -55,6 +55,7 @@
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
+system_restricted_prop(persist_sysui_ranking_update_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index 2399163..19bd51a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1562,4 +1562,5 @@
ro.usb.uvc.enabled u:object_r:usb_uvc_enabled_prop:s0 exact bool
# System UI notification properties
+persist.sysui.notification.ranking_update_ashmem u:object_r:persist_sysui_ranking_update_prop:s0 exact bool
persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
diff --git a/private/rs.te b/private/rs.te
index a9b2edd..906373b 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -19,6 +19,8 @@
allow rs vendor_file:dir r_dir_perms;
r_dir_file(rs, vendor_overlay_file)
r_dir_file(rs, vendor_app_file)
+# Vendor overlay can be found in vendor apex
+allow rs vendor_apex_metadata_file:dir { getattr search };
# Read contents of app apks
r_dir_file(rs, apk_data_file)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4454bd7..abd6c7b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -183,8 +183,8 @@
user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/shell.te b/private/shell.te
index 85d09f9..1b859d1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -136,6 +136,7 @@
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
+allow shell vendor_apex_metadata_file:dir r_dir_perms;
# Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search;
@@ -246,4 +247,6 @@
# Allow shell to set persist.sysui.notification.builder_extras_override property
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
+userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
diff --git a/private/system_server.te b/private/system_server.te
index 4356c26..d30f657 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -842,6 +842,8 @@
# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)
+# Read persist.sysui.notification.ranking_update_ashmem property
+get_prop(system_server, persist_sysui_ranking_update_prop)
# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index bfad8e7..b6bcd98 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -7,6 +7,9 @@
allow virtualizationmanager adbd:fd use;
allow virtualizationmanager adbd:unix_stream_socket { read write };
+# Allow writing VM logs to the shell console
+allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
+
# Let the virtualizationmanager domain use Binder.
binder_use(virtualizationmanager)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3473eca..0556950 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -35,6 +35,9 @@
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
allow webview_zygote apex_module_data_file:dir search;
+# To load overlay from /apex (vendor APEXes)
+allow webview_zygote vendor_apex_metadata_file:dir search;
+
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
diff --git a/private/zygote.te b/private/zygote.te
index d61a431..c5cc73a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -247,9 +247,11 @@
# preloaded classes
get_prop(zygote, persist_wm_debug_prop)
-# Allow zygote to read persist_sysui_builder_extras_prop to toggle experimental features in
-# core preloaded classes
+# Allow zygote to read persist_sysui_builder_extras_prop
+# and persist_sysui_ranking_update_prop
+# to toggle experimental features in core preloaded classes
get_prop(zygote, persist_sysui_builder_extras_prop)
+get_prop(zygote, persist_sysui_ranking_update_prop)
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
@@ -258,6 +260,7 @@
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+allow zygote vendor_apex_metadata_file:dir { search };
# Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index cc3678c..4877f14 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -56,7 +56,7 @@
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
+allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
# Signal native processes to dump their stack.
allow dumpstate {
diff --git a/public/file.te b/public/file.te
index 7aad936..f7fafcb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -381,6 +381,8 @@
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
+# apex_manifest.pb in vendor apex
+type vendor_apex_metadata_file, vendor_file_type, file_type;
# /data/system/shutdown-checkpoints
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/installd.te b/public/installd.te
index 216704d..88f6aab 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -33,6 +33,8 @@
r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow installd vendor_apex_metadata_file:dir { getattr search };
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
diff --git a/public/te_macros b/public/te_macros
index 63805de..c4ebc63 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1047,6 +1047,7 @@
define(`use_apex_info', `
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
+ r_dir_file($1, vendor_apex_metadata_file)
')
####################################
diff --git a/public/vold.te b/public/vold.te
index 3d204e1..c0fdf50 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -177,10 +177,13 @@
allow vold labeledfs:filesystem { mount unmount remount };
# Create and mount on /data/tmp_mnt and management of expansion mounts
+#
+# Also rename per-user encrypted directories such as /data/user/10 from their
+# temporary name ("10.new") to their final name ("10").
allow vold {
system_data_file
system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
+}:dir { create_dir_perms mounton };
allow vold system_data_file:lnk_file getattr;
# Vold create users in /data/vendor_{ce,de}/[0-9]+
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 7173223..e380ebd 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -8,3 +8,8 @@
allow hal_fingerprint_default fwk_sensor_service:service_manager find;
set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
+
+userdebug_or_eng(`
+ # Allow fingerprint hal to read app-created pipes (to respond shell commands from test apps)
+ allow hal_fingerprint_default appdomain:fifo_file read;
+')