Merge "Add sepolicy for IFace"

commit: d2acfb0f9c4fb703ac4a099d950ae06ce261474e [log] [tgz]
author: Ilya Matyukhin <ilyamaty@google.com> Tue Sep 29 20:20:00 2020 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Sep 29 20:20:00 2020 +0000
tree: 5f44e9b2b7ad257859d5b20a7edd966111149d6b
parent: 1ae3b13e397c9aca5dabfc8ee9009d30c8c53d55 [diff]
parent: 9bd164241e393047d7a61a32b0108c1ca9376cf9 [diff]
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 016823b..7db303c 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil

@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    ab_update_gki_prop
     adbd_config_prop
     apex_info_file
     cgroup_v2
@@ -16,6 +17,7 @@
     hal_fingerprint_service
     gnss_device
     hal_dumpstate_config_prop
+    hal_gnss_service
     hal_power_stats_service
     keystore2_key_contexts_file
     location_time_zone_manager_service

diff --git a/private/property_contexts b/private/property_contexts
index 11e9905..1fe3e0c 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -707,7 +707,11 @@
 
 ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
 
-ro.build.ab_update         u:object_r:exported_default_prop:s0 exact string
+# Update related props
+ro.build.ab_update                                u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update.gki.prevent_downgrade_version  u:object_r:ab_update_gki_prop:s0 exact bool
+ro.build.ab_update.gki.prevent_downgrade_spl      u:object_r:ab_update_gki_prop:s0 exact bool
+
 ro.build.expect.baseband   u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
 

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4b23e89..0b13600 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -141,7 +141,7 @@
 
 isSystemServer=true domain=system_server_startup
 
-user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file

diff --git a/private/service_contexts b/private/service_contexts
index becefd5..f5cd873 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -1,5 +1,6 @@
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
+android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
 android.hardware.light.ILights/default                               u:object_r:hal_light_service:s0
 android.hardware.power.IPower/default                                u:object_r:hal_power_service:s0

diff --git a/public/attributes b/public/attributes
index 3582a09..45900a9 100644
--- a/public/attributes
+++ b/public/attributes

@@ -204,6 +204,9 @@
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
 
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
 # All socket devices owned by core domain components
 attribute coredomain_socket;
 expandattribute coredomain_socket false;

diff --git a/public/domain.te b/public/domain.te
index a70db8a..931a045 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -670,6 +670,7 @@
     -ephemeral_app_api_service
     -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
     -cameraserver_service
+    -hal_gnss_service # TODO(b/169256910) remove once all violators are gone
     -drmserver_service
     -hal_light_service # TODO(b/148154485) remove once all violators are gone
     -credstore_service

diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 9bfc4ec..832bc8d 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te

@@ -3,3 +3,7 @@
 binder_call(hal_gnss_server, hal_gnss_client)
 
 hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
+hal_attribute_service(hal_gnss, hal_gnss_service)
+binder_call(hal_gnss_server, servicemanager)
+binder_call(hal_gnss_client, servicemanager)
+

diff --git a/public/property.te b/public/property.te
index 708fc38..06df3d7 100644
--- a/public/property.te
+++ b/public/property.te

@@ -79,6 +79,7 @@
 system_restricted_prop(surfaceflinger_display_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(ab_update_gki_prop)
 system_restricted_prop(usb_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
 system_restricted_prop(vold_status_prop)

diff --git a/public/service.te b/public/service.te
index ffbf5dc..7d40854 100644
--- a/public/service.te
+++ b/public/service.te

@@ -215,6 +215,7 @@
 
 type hal_face_service, vendor_service, service_manager_type;
 type hal_fingerprint_service, vendor_service, service_manager_type;
+type hal_gnss_service, vendor_service, service_manager_type;
 type hal_identity_service, vendor_service, service_manager_type;
 type hal_light_service, vendor_service, service_manager_type;
 type hal_power_service, vendor_service, service_manager_type;

diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 57d8e7e..d332771 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te

@@ -80,6 +80,9 @@
 # Allow to read Virtual A/B feature flags.
 get_prop(update_engine_common, virtual_ab_prop)
 
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+
 # Allow to read/write/create OTA metadata files for snapshot status and COW file status.
 allow update_engine_common metadata_file:dir search;
 allow update_engine_common ota_metadata_file:dir rw_dir_perms;

diff --git a/vendor/file_contexts b/vendor/file_contexts
index b686508..3668b12 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -3,6 +3,7 @@
 #
 /(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service     u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example     u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
@@ -13,7 +14,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
@@ -30,6 +31,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example        u:object_r:hal_gnss_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
commit	d2acfb0f9c4fb703ac4a099d950ae06ce261474e	[log] [tgz]
author	Ilya Matyukhin <ilyamaty@google.com>	Tue Sep 29 20:20:00 2020 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Sep 29 20:20:00 2020 +0000
tree	5f44e9b2b7ad257859d5b20a7edd966111149d6b
parent	1ae3b13e397c9aca5dabfc8ee9009d30c8c53d55 [diff]
parent	9bd164241e393047d7a61a32b0108c1ca9376cf9 [diff]