Merge "sepolicy: Grant hal_bluetooth_server to access udp_socket" into main
diff --git a/Android.mk b/Android.mk
index 63b74aa..2e327c2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -445,15 +445,13 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
-# modules with m4 with a tmp file called file_contexts.modules.tmp.
-# 3. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
-# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
+# into file_contexts.concat.tmp.
+# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
@@ -489,10 +487,6 @@
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
-# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
-file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-
device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
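Review bot: Dropping the `file_contexts.modules.tmp` assignment at the start of this hunk leaves the rule that produced it, which the removed comment locates in build/make/core/Makefile, with no consumer in this file; unless a companion change deletes that rule, LOCAL_FILE_CONTEXTS from product modules is now silently ignored rather than rejected. For a file_contexts input that is a labeling regression, not a no-op: a module still setting LOCAL_FILE_CONTEXTS would lose its labels with no build error. Consider either failing the build when any module still defines LOCAL_FILE_CONTEXTS, or stating in the step-list comment at the top of this section that module-provided file_contexts are no longer merged, e.g. `# Note: LOCAL_FILE_CONTEXTS from modules is no longer collected here.`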
@@ -516,8 +510,7 @@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(call merge-fc-files,\
- $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
- $(file_contexts.concat.tmp))
+ $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -531,7 +524,6 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
-file_contexts.modules.tmp :=
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index ada6c3b..83d081a 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -9,4 +9,5 @@
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/oatdump u:object_r:oatdump_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.webview.bootstrap-file_contexts b/apex/com.android.webview.bootstrap-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.webview.bootstrap-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
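Review bot: The single pattern `(/.*)? u:object_r:system_file:s0` labels every path in the apex, including anything under bin/, as system_file rather than an exec_type, so nothing in this apex can be the target of a domain transition. If the bootstrap apex is meant to carry only libraries and assets that is the right choice, but it is worth saying so in the file, e.g. `# Bootstrap apex carries no executables; everything is plain system_file.`, so a later addition of a binary is caught in review.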
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 385d6af..e1e8956 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -45,18 +45,16 @@
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) shouldSkip(ctx android.EarlyModuleContext) bool {
- platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
- totVersion := ctx.DeviceConfig().TotSepolicyVersion()
-
- return platformVersion == totVersion
+func (f *freezeTestModule) shouldRunTest(ctx android.EarlyModuleContext) bool {
+ val, _ := ctx.Config().GetBuildFlag("RELEASE_BOARD_API_LEVEL_FROZEN")
+ return val == "true"
}
func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- if f.shouldSkip(ctx) {
+ if !f.shouldRunTest(ctx) {
if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
return
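Review bot: `val, _ := ctx.Config().GetBuildFlag("RELEASE_BOARD_API_LEVEL_FROZEN")` in shouldRunTest discards the second return value, which presumably reports whether the flag is defined at all, so an unset or misspelled flag becomes indistinguishable from `false` and the freeze test is silently skipped — the failure mode this test exists to catch. Consider binding it as `val, ok := ...` and either reporting via `ctx.ModuleErrorf` when `!ok`, or adding a comment stating that an absent flag deliberately means "not frozen". The same call is reached from DepsMutator and GenerateAndroidBuildActions in the next two hunks, so the behavior change applies to all three call sites. The error text at the end of this hunk still says "before system/sepolicy freezes", which matches the new flag's meaning only if the flag is set on every frozen branch; loadHook continues past the hunk.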
@@ -76,7 +74,7 @@
}
func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- if f.shouldSkip(ctx) {
+ if !f.shouldRunTest(ctx) {
return
}
@@ -118,7 +116,7 @@
func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if f.shouldSkip(ctx) {
+ if !f.shouldRunTest(ctx) {
// we still build a rule to prevent possible regression
android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
return
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 48a3890..7f1f0be 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -53,6 +53,7 @@
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
@@ -122,7 +123,7 @@
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
- "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": []string{"android.hardware.security.secretkeeper-service.nonsecure_fuzzer"},
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
@@ -157,6 +158,7 @@
"account": EXCEPTION_NO_FUZZER,
"activity": EXCEPTION_NO_FUZZER,
"activity_task": EXCEPTION_NO_FUZZER,
+ "adaptive_auth": EXCEPTION_NO_FUZZER,
"adb": EXCEPTION_NO_FUZZER,
"adservices_manager": EXCEPTION_NO_FUZZER,
"aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
@@ -262,6 +264,7 @@
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
"euicc_card_controller": EXCEPTION_NO_FUZZER,
"external_vibrator_service": EXCEPTION_NO_FUZZER,
@@ -417,7 +420,7 @@
"slice": EXCEPTION_NO_FUZZER,
"smartspace": EXCEPTION_NO_FUZZER,
"speech_recognition": EXCEPTION_NO_FUZZER,
- "stats": EXCEPTION_NO_FUZZER,
+ "stats": []string{"statsd_service_fuzzer"},
"statsbootstrap": EXCEPTION_NO_FUZZER,
"statscompanion": EXCEPTION_NO_FUZZER,
"statsmanager": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 54dc1f3..f75312a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -200,6 +200,9 @@
/dev/socket/mdns mdns_socket
/dev/socket/mdnsd mdnsd_socket
/dev/socket/mtpd mtpd_socket
+/dev/socket/ot-daemon/ ot_daemon_socket
+/dev/socket/ot-daemon/thread-wpan ot_daemon_socket
+/dev/socket/ot-daemon/100 ot_daemon_socket
/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
/dev/socket/pdx/system/performance pdx_performance_dir
@@ -915,8 +918,10 @@
/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
-/data/misc/apexdata/com.android.tethering apex_system_server_data_file
-/data/misc/apexdata/com.android.tethering/test apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/test apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/threadnetwork apex_tethering_data_file
+/data/misc/apexdata/com.android.tethering/threadnetwork/test apex_tethering_data_file
/data/misc/apexdata/com.android.uwb apex_system_server_data_file
/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
/data/misc/apexdata/com.android.wifi apex_system_server_data_file
@@ -977,6 +982,8 @@
/data/misc/net/test net_data_file
/data/misc/network_watchlist network_watchlist_data_file
/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/telephonyconfig radio_data_file
+/data/misc/telephonyconfig/test radio_data_file
/data/misc/nfc/logs nfc_logs_data_file
/data/misc/nfc/logs/test nfc_logs_data_file
/data/misc/odrefresh odrefresh_data_file
@@ -1017,8 +1024,6 @@
/data/misc/systemkeys/test systemkeys_data_file
/data/misc/textclassifier textclassifier_data_file
/data/misc/textclassifier/test textclassifier_data_file
-/data/misc/threadnetwork threadnetwork_data_file
-/data/misc/threadnetwork/test threadnetwork_data_file
/data/misc/train-info stats_data_file
/data/misc/train-info/test stats_data_file
/data/misc/user misc_user_data_file
@@ -1269,3 +1274,7 @@
/product/bin/otapreopt_script postinstall_exec
/system/bin/otapreopt postinstall_dexopt_exec
/product/bin/otapreopt postinstall_dexopt_exec
+/data/misc/uprobestats-configs uprobestats_configs_data_file
+/data/misc/uprobestats-configs/test uprobestats_configs_data_file
+
+/tmp shell_data_file
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index f55711e..13ce685 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -7,6 +7,9 @@
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,new-instance u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,strict-boot u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 896590d..c83bcdb 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,8 @@
# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };
+
+# Allow init to load vendor modules
+r_dir_file(init, vendor_kernel_modules)
+allow init self:capability sys_module;
+allow init vendor_kernel_modules:system module_load;
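Review bot: `allow init self:capability sys_module;` together with `allow init vendor_kernel_modules:system module_load;` lets microdroid init load any file labeled vendor_kernel_modules, but this diff only declares that type (microdroid/system/public/file.te) and adds no file_contexts or genfs_contexts entry assigning it, so as written no file carries the label unless a companion change provides one — confirm. Module loading is a kernel-integrity boundary; if no other microdroid domain holds these permissions, pin them with `neverallow { domain -init } vendor_kernel_modules:system module_load;` and `neverallow { domain -init } self:capability sys_module;`, or add a comment explaining why a dedicated loader domain is not used.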
diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index 33b8917..384f5d5 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te
@@ -27,6 +27,5 @@
set_prop(init_debug_policy, init_debug_policy_prop)
# Allow init_debug_policy to read AVF debug policy
-allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file { open read };
-
+r_dir_file(init_debug_policy, proc_dt_avf)
+r_dir_file(init_debug_policy, sysfs_dt_avf)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 2aed367..d1a5c6f 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -18,7 +18,8 @@
allow microdroid_manager dm_device:blk_file r_file_perms;
# microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+r_dir_file(microdroid_manager, proc_dt_avf)
+r_dir_file(microdroid_manager, sysfs_dt_avf)
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
@@ -123,10 +124,6 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
-allow microdroid_manager sysfs_dt_avf:file { open read };
-
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d53de79..201a07e 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -37,6 +37,7 @@
type vendor_configs_file, file_type, vendor_file_type;
type vendor_data_file, file_type, data_file_type;
type vendor_file, file_type, vendor_file_type;
+type vendor_kernel_modules, vendor_file_type, file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
type vm_payload_service_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket;
@@ -83,6 +84,7 @@
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
+type proc_dt_avf, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0ad2c6b..be6f77c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,7 +41,7 @@
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
-neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
+neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
@@ -68,7 +68,7 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
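Review bot: The neverallow at the centre of this hunk now exempts netd and netutils_wrapper from `fs_bpf_vendor:file *`, but the matching allow rules in netd.te and netutils_wrapper.te later in this change grant only `dir search` and `file { getattr read }`, so the exemption is wider than the grant. The `write` neverallow in the preceding hunk already carves out fs_bpf_vendor via `{ bpffs_type -fs_bpf_vendor }`, so after this change nothing would catch a future `allow netd fs_bpf_vendor:file write`. Pin the permitted surface with a second rule, e.g. `neverallow { netd netutils_wrapper } fs_bpf_vendor:file ~{ getattr read };`, so vendor-pinned BPF objects stay read-only from core domains.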
diff --git a/private/bug_map b/private/bug_map
index 3a78a40..172d9a7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -19,10 +19,7 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
-mediaprovider_app device_config_media_native_prop file b/308043377
mediaswcodec ashmem_device chr_file b/142679232
-nfc device_config_media_native_prop file b/308043377
-platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index aa8a56c..b10103e 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1,3 +1,7 @@
+;; types removed from current policy
+(type racoon)
+(type racoon_exec)
+
;; mapping information from ToT policy's types to 34.0 policy's types.
(expandtypeattribute (DockObserver_service_34_0) true)
(expandtypeattribute (IProxyService_service_34_0) true)
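Review bot: The new removed-types list covers `racoon` and `racoon_exec`, but this change also drops `/dev/socket/racoon u:object_r:racoon_socket:s0` from private/file_contexts without a corresponding entry here. If the racoon_socket type declaration was removed alongside the binary (its declaration is not in this diff), the 34.0 compat mapping will fail to resolve it; add `(type racoon_socket)` to this block if so, or leave a one-line comment noting the type is intentionally retained.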
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 2c9961d..c1cd3ee 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -10,15 +10,18 @@
ota_build_prop
snapuserd_log_data_file
fwk_vibrator_control_service
+ ecm_enhanced_confirmation_service
hal_authgraph_service
hal_secretkeeper_service
hal_codec2_service
hal_macsec_service
hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
+ hidl_memory_prop
hidraw_device
virtual_camera_service
ot_daemon_service
+ ot_daemon_socket
pm_archiving_enabled_prop
remote_auth_service
security_state_service
@@ -34,4 +37,5 @@
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
vendor_microdroid_file
+ threadnetwork_config_prop
))
diff --git a/private/crosvm.te b/private/crosvm.te
index ed89b87..6cd3969 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -45,9 +45,6 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
-# Allow crosvm to mlock guest memory.
-allow crosvm self:capability ipc_lock;
-
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 1faedb4..6798667 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -95,6 +95,7 @@
# Read files in /proc
allow dumpstate {
+ config_gz
proc_net_tcp_udp
proc_pid_max
}:file r_file_perms;
diff --git a/private/file.te b/private/file.te
index f4c3e2d..450fe2c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -8,7 +8,7 @@
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
-type fs_bpf_uprobe_private, fs_type, bpffs_type;
+type fs_bpf_uprobestats, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -28,6 +28,12 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/uprobestats-configs for uprobestats configs
+type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
+
+# /apex/com.android.art/bin/oatdump
+type oatdump_exec, system_file_type, exec_type, file_type;
+
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
@@ -71,12 +77,14 @@
# /data/misc/apexdata/com.android.virt
type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# /data/misc/apexdata/com.android.tethering
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
-type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
@@ -128,11 +136,9 @@
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
-# /data/misc/threadnetwork
-type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
-
-# /sys/firmware/devicetree/base/avf
+# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
+type proc_dt_avf, fs_type, proc_type;
# Type for /system/fonts/font_fallback.xm
type system_font_fallback_file, system_file_type, file_type;
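Review bot: `threadnetwork_data_file` is removed here and its file_contexts entry later in the change, with ot_daemon moved to `apex_tethering_data_file`; whether this needs a compat entry depends on whether the type ever shipped in a frozen policy, which is not visible in this diff — if it was only added in the current release it should also be removed from 34.0.ignore.cil, otherwise it belongs in the removed-types list of 34.0.cil. The comment `# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf` now heads two declarations; a per-type comment (`# /sys/firmware/devicetree/base/avf` above sysfs_dt_avf and `# /proc/device-tree/avf` above proc_dt_avf) would read more clearly.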
diff --git a/private/file_contexts b/private/file_contexts
index 3cfbaf0..765bb7b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -54,6 +54,7 @@
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
/bootstrap-apex u:object_r:apex_mnt_dir:s0
+/tmp u:object_r:shell_data_file:s0
# Postinstall directories
/postinstall u:object_r:postinstall_mnt_dir:s0
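Review bot: `/tmp u:object_r:shell_data_file:s0` reuses the /data/local/tmp label for a new root-level path; shell_data_file is one of the most widely reachable data types in the policy, so whatever is intended to live under /tmp inherits that exposure, and a dedicated type with its own allow rules would keep the two surfaces separable. The pattern also has no `(/.*)?` suffix, so it labels only the mount point itself; if /tmp is a tmpfs mount, entries created inside it are labeled by the filesystem's fs_use/genfs rule and any type_transition, not by this line. A comment stating what /tmp is for and which domain mounts it would help, since the companion test line in plat_file_contexts_test gives no hint either.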
@@ -166,6 +167,7 @@
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/ot-daemon(/.*)? u:object_r:ot_daemon_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
@@ -178,7 +180,6 @@
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/property_service_for_system u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
@@ -320,7 +321,6 @@
/system/bin/dmesgd u:object_r:dmesgd_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
@@ -624,7 +624,7 @@
/data/misc/apexdata/com\.android\.virt(/.*)? u:object_r:apex_virt_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
-/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_tethering_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -656,6 +656,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/telephonyconfig(/.*)? u:object_r:radio_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
@@ -663,6 +664,7 @@
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
+/data/misc/uprobestats-configs(/.*)? u:object_r:uprobestats_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
@@ -676,7 +678,6 @@
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
-/data/misc/threadnetwork(/.*)? u:object_r:threadnetwork_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 41c60df..6a1caf3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -8,6 +8,7 @@
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
@@ -419,4 +420,4 @@
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
-genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
+genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..6ab7eb8 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
+
+# to force stop the service when it's not supported
+set_prop(hal_allocator_default, hidl_memory_prop)
diff --git a/private/keys.conf b/private/keys.conf
index 18c1a8c..fc50ef3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -23,6 +23,9 @@
[@NETWORK_STACK]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+[@NFC]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index c9a9aca..fa8ffcf 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -69,4 +69,9 @@
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
+
+ <!-- NFC key in AOSP -->
+ <signer signature="@NFC" >
+ <seinfo value="nfc" />
+ </signer>
</policy>
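Review bot: The new `@NFC` signer maps to `seinfo value="nfc"`, but a seinfo only takes effect once seapp_contexts selects a domain for it, and no seapp_contexts change is in this diff; without it, apps signed with nfc.x509.pem fall through to the generic rules — confirm the seapp_contexts entry lands alongside. The keys.conf entry earlier in this change uses `ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem`, i.e. the same certificate set for every build flavor, which is consistent with the other mainline signers in that file but worth a comment so the release-key expectation is explicit.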
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 92ec40d..5fc13a8 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -29,3 +29,7 @@
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
binder_call(mediaserver, statsd)
+
+# Allow mediaserver to communicate with Surface provided
+# by virtual camera.
+binder_call(mediaserver, virtual_camera)
diff --git a/private/netd.te b/private/netd.te
index 8be8212..6d1c10c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,9 +6,9 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,9 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 457e1bf..341fa9c 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -12,10 +12,13 @@
# Allow the ot_daemon to use the net domain.
net_domain(ot_daemon)
-# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
-allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
-allow ot_daemon threadnetwork_data_file:file create_file_perms;
-allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
+allow ot_daemon apex_module_data_file:dir search;
+
+# Allow the ot_daemon to access files and subdirectories under
+# /data/misc/apexdata/com\.android\.tethering
+allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
+allow ot_daemon apex_tethering_data_file:file create_file_perms;
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
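Review bot: `allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};` gives a native daemon write access to the same apexdata directory that the tethering module code uses, since the relabel in private/file_contexts covers the whole `com\.android\.tethering(/.*)?` tree; if only the `threadnetwork` subdirectory is meant for ot_daemon, a dedicated sub-type assigned in file_contexts plus a type_transition would keep the two writers apart. Separately, the old `sock_file {create unlink}` grant is dropped while `/dev/socket/ot-daemon(/.*)?` is newly labeled `ot_daemon_socket`; no ot_daemon rule on that type appears in this diff, so presumably init creates the socket — confirm.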
diff --git a/private/property.te b/private/property.te
index ff0b693..a098d05 100644
--- a/private/property.te
+++ b/private/property.te
@@ -45,6 +45,7 @@
system_internal_prop(system_adbd_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(uprobestats_start_with_config_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
@@ -59,6 +60,8 @@
system_internal_prop(hypervisor_pvmfw_prop)
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
+system_internal_prop(hidl_memory_prop)
+system_internal_prop(suspend_debug_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -340,8 +343,26 @@
} {
suspend_prop
}:property_service set;
+
+ neverallow {
+ domain
+ -init
+ } {
+ suspend_debug_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-system_suspend')
+ } {
+ suspend_debug_prop
+ }:file no_rw_file_perms;
')
+dontaudit system_suspend suspend_debug_prop:file r_file_perms;
+
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
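Review bot: `dontaudit system_suspend suspend_debug_prop:file r_file_perms;` at the end of the hunk is unconditional, while the read neverallow directly above exempts system_suspend only under `userdebug_or_eng`; the combination looks intentional (system_suspend probes the debug property on user builds and should be denied silently) but nothing says so, and a silent dontaudit on a property read is easy to misread as a leftover. A comment such as `# system_suspend may only read suspend.debug.* on userdebug/eng; suppress the expected denial on user builds` would make that explicit. The macro block closed by `')` in this hunk opens before the hunk.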
diff --git a/private/property_contexts b/private/property_contexts
index 4166c55..be72223 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -87,6 +87,7 @@
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
+uprobestats.start_with_config u:object_r:uprobestats_start_with_config_prop:s0
persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
@@ -118,6 +119,9 @@
suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
+# Suspend service debug properties
+suspend.debug.wakestats_log.enabled u:object_r:suspend_debug_prop:s0 exact bool
+
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -232,6 +236,9 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
+# hidl_memory properties to intentionally force a shutdown
+hidl_memory. u:object_r:hidl_memory_prop:s0
+
# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
@@ -534,6 +541,7 @@
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.leaudio_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
@@ -734,6 +742,7 @@
ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.pressure_after_kill_min_score u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.stall_limit_critical u:object_r:lmkd_config_prop:s0 exact int
@@ -1545,8 +1554,13 @@
persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_hal_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_hal_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
@@ -1554,8 +1568,9 @@
vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
# properties for the virtual Fingerprint HAL
@@ -1613,3 +1628,5 @@
# Properties for app archiving
pm.archiving.enabled u:object_r:pm_archiving_enabled_prop:s0 exact bool
+# Properties for ThreadNetworkService
+threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
diff --git a/private/racoon.te b/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/private/remount.te b/private/remount.te
index 4dd94a5..5ef7fac 100644
--- a/private/remount.te
+++ b/private/remount.te
@@ -12,4 +12,14 @@
# Allow searching for /metadata/gsi/remount/lp_metadata.
allow remount { metadata_file gsi_metadata_file_type }:dir search;
+
+ # Allow remount to flip the overlayfs bit in the super partition.
+ # This requires being able to read fstab, find /dev/block/by-name/super,
+ # and read-write super.
+ r_dir_file(remount, sysfs_dt_firmware_android)
+ allow remount proc_bootconfig:file r_file_perms;
+ allow remount proc_cmdline:file r_file_perms;
+ allow remount block_device:dir r_dir_perms;
+ allow remount super_block_device_type:blk_file rw_file_perms;
+ allowxperm remount super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
')
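Review bot: `allow remount super_block_device_type:blk_file rw_file_perms;` grants unrestricted read-write on the raw super partition, which is considerably more than the "flip the overlayfs bit" comment describes; the `allowxperm` whitelist on the following line bounds the ioctls well, but the write grant itself is unbounded. The rules appear to be inside a macro whose closing `')` is the hunk's last line and whose opening is outside the hunk; if that macro is not already `userdebug_or_eng`, consider confining these rules to debuggable builds, and either way extend the comment to state that raw write access to super is the cost of this feature.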
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 957d005..2219631 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -184,7 +184,9 @@
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=nfc seinfo=nfc domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro levelFrom=all
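Review bot: The new comment misspells "compatibility" as `comptibility`, and it documents only the retained `seinfo=platform` line while the newly added `user=nfc seinfo=nfc` entry has no comment of its own. Suggest `# NFC stack signed with platform cert is kept for backwards compatibility with the -next release config.` above the platform line and `# NFC stack signed with the nfc cert.` above the new one. Both entries map to the same domain and type, so only the documentation is affected.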
diff --git a/private/service.te b/private/service.te
index 2f5241c..36d6ccf 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type adaptive_auth_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
@@ -27,4 +28,4 @@
')
type uce_service, service_manager_type;
-type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
+type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
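Review bot: Changing `wearable_sensing_service` from `system_api_service` to `app_api_service` makes the service discoverable by every app domain rather than system apps only, and the hunk carries no comment or bug reference explaining why. Once exposure is widened at the SELinux layer, the Java service has to enforce its own permission checks on every entry point; that is not visible here, so confirm it and record the rationale on the line, e.g. `# exposed to apps; permission checks enforced in the service itself (b/<BUG_ID>)`.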
diff --git a/private/service_contexts b/private/service_contexts
index ce151f0..863ffde 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -33,6 +33,7 @@
is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default u:object_r:hal_bluetooth_service:s0
')
+android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
@@ -138,6 +139,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
+adaptive_auth u:object_r:adaptive_auth_service:s0
adb u:object_r:adb_service:s0
adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
@@ -241,6 +243,7 @@
dumpstate u:object_r:dumpstate_service:s0
dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
+ecm_enhanced_confirmation u:object_r:ecm_enhanced_confirmation_service:s0
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
diff --git a/private/shell.te b/private/shell.te
index f32395e..bfcd5ac 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -258,3 +258,5 @@
# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)
+# Allow shell to execute oatdump.
+allow shell oatdump_exec:file rx_file_perms;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 8cd9e63..3752e01 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -33,6 +33,9 @@
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
+# Required for setting GID to system while calling SetTaskProfile() API
+allow snapuserd self:global_capability_class_set { setgid };
+
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
diff --git a/private/statsd.te b/private/statsd.te
index 59948ff..051b99e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -28,3 +28,10 @@
# Allow statsd to read its system properties
get_prop(statsd, device_config_statsd_native_prop)
get_prop(statsd, device_config_statsd_native_boot_prop)
+
+# Allow statsd to write uprobestats configs.
+allow statsd uprobestats_configs_data_file:dir rw_dir_perms;
+allow statsd uprobestats_configs_data_file:file create_file_perms;
+
+# Allow statsd to trigger uprobestats via property.
+set_prop(statsd, uprobestats_start_with_config_prop);
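Review bot: `set_prop(statsd, uprobestats_start_with_config_prop);` ends with a semicolon after the macro invocation, while the neighbouring `get_prop(...)` lines do not; the same trailing semicolon appears in the uprobestats hunk (`binder_call(uprobestats, system_server);`), the virtualizationmanager hunk (`hal_client_domain(virtualizationmanager, hal_secretkeeper);`) and the hal_face_default hunk. It is presumably tolerated by the policy compiler since the change merged, but the file's convention is no terminator on macro calls, so drop it: `set_prop(statsd, uprobestats_start_with_config_prop)`.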
diff --git a/private/su.te b/private/su.te
index cc00e10..2e0d10a 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,8 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
- # Put the virtmgr command into its domain.
- domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+ # Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
+ # own domain.
+ virtualizationservice_use(su)
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_app.te b/private/system_app.te
index 31e10bb..338d852 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,6 +83,12 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps (Settings) to call into update_engine
+# in order to apply update to switch from 4k kernel to 16K and vice-versa
+binder_use(system_app)
+allow system_app update_engine_stable_service:service_manager find;
+binder_call(system_app, update_engine)
+
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
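Review bot: The `service_manager find` on `update_engine_stable_service` and `binder_call(system_app, update_engine)` are granted to the whole `system_app` domain although the comment says only Settings needs them for the 4K/16K kernel switch, so every app running in system_app can now reach update_engine. If Settings is the only intended caller, either narrow the grant to a Settings-specific domain or state in the comment that the grant is deliberately domain-wide. `binder_use(system_app)` is also added here; if system_app already obtains binder_use through its app-domain macros this line is redundant, confirm before keeping it.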
@@ -187,3 +193,5 @@
# system_app should be the only domain writing the adaptive haptics prop
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
+# system_app should be the only domain writing the force l3 prop
+neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index 474a7b6..ad45d0e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -262,7 +262,6 @@
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
# Allow system_server to write to statsd.
@@ -302,6 +301,7 @@
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
+binder_call(system_server, uprobestats)
binder_service(system_server)
# Use HALs
@@ -309,6 +309,7 @@
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_bluetooth)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
@@ -373,6 +374,7 @@
# This is derived from the list that system server defines as interesting native processes
# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ artd
audioserver
cameraserver
drmserver
@@ -1416,19 +1418,19 @@
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
+allow system_server apex_tethering_data_file:dir create_dir_perms;
+allow system_server apex_tethering_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
- apex_tethering_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
- apex_tethering_data_file
apex_wifi_data_file
}:file create_file_perms;
@@ -1563,3 +1565,18 @@
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
+# ThreadNetworkService reads Thread Network properties
+get_prop(system_server, threadnetwork_config_prop)
+
+# Do not allow any domain other than init and system server to set the property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} threadnetwork_config_prop:file no_rw_file_perms;
+
+# Allow system server to read pm.archiving.enabled prop
+# TODO(azilio): Remove system property after archiving testing is completed.
+get_prop(system_server, pm_archiving_enabled_prop)
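Review bot: The comment `Do not allow any domain other than init and system server to set the property` does not match the rule beneath it: the neverallow restricts direct file write access (`no_rw_file_perms`) rather than `property_service set`, it additionally excludes vendor_init and dumpstate, and system_server only receives `get_prop` in this hunk. Either reword the comment to what the rule does, e.g. `# Only init and vendor_init may write this property; system_server and dumpstate read it`, or, if the `system_vendor_config_prop` macro does not already provide it, add the matching `neverallow { domain -init -vendor_init } threadnetwork_config_prop:property_service set;` as the hal_face_default hunk does for its property.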
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 683d913..a525866 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -22,6 +22,11 @@
# Access to suspend_hal system properties
get_prop(system_suspend, suspend_prop)
+# Access to system_suspend debug system properties
+userdebug_or_eng(`
+ get_prop(system_suspend, suspend_debug_prop)
+')
+
# To call BTAA registered callbacks
allow system_suspend bluetooth:binder call;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 0d68fa3..003e992 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -84,6 +84,9 @@
proc_vmstat
proc_stat
proc_buddyinfo
+ proc_pressure_cpu
+ proc_pressure_io
+ proc_pressure_mem
}:file r_file_perms;
# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
diff --git a/private/update_engine.te b/private/update_engine.te
index c9511f7..862a62a 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -22,6 +22,10 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+# Allow update_engine to call the callback function by settings app
+# for the kernel update triggered using 16k developer option
+binder_call(update_engine, system_app)
+
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index f2a4ae3..f6dd906 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -4,13 +4,34 @@
type uprobestats_exec, system_file_type, exec_type, file_type;
-# Allow uprobestats to be invoked by statsd.
-domain_auto_trans(statsd, uprobestats_exec, uprobestats)
+# Allow init to start uprobestats.
+init_daemon_domain(uprobestats)
-allow uprobestats fs_bpf_uprobe_private:file { read write };
-allow uprobestats fs_bpf_uprobe_private:dir search;
+allow uprobestats fs_bpf_uprobestats:file { read write };
+allow uprobestats fs_bpf_uprobestats:dir search;
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
allow uprobestats self:capability2 perfmon;
allow uprobestats self:perf_event { cpu open write };
allow uprobestats sysfs_uprobe:file { open read };
allow uprobestats sysfs_uprobe:dir { search };
+
+# Allow uprobestats to popen oatdump.
+allow uprobestats oatdump_exec:file rx_file_perms;
+
+# Allow uprobestats to write atoms to statsd
+unix_socket_send(uprobestats, statsdw, statsd)
+
+# For registration with system server as a process observer.
+binder_use(uprobestats)
+allow uprobestats activity_service:service_manager find;
+binder_call(uprobestats, system_server);
+
+# Allow uprobestats to talk to native package manager
+allow uprobestats package_native_service:service_manager find;
+
+# Allow uprobestats to scan /proc/<pid>/cmdline.
+r_dir_file(uprobestats, { domain -appdomain })
+
+# Allow uprobestats to manage its own config files.
+allow uprobestats uprobestats_configs_data_file:dir rw_dir_perms;
+allow uprobestats uprobestats_configs_data_file:file { r_file_perms unlink };
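Review bot: `r_dir_file(uprobestats, { domain -appdomain })` grants read on every file and directory labelled with any non-app process domain, which is far more than the `/proc/<pid>/cmdline` the comment describes: `environ`, `maps`, `status` and the rest of `/proc/<pid>` for every platform daemon carry the same label. SELinux cannot distinguish those per file, so if the scan genuinely needs the cmdline of all native processes this grant is the minimum; the comment should then say so, e.g. `# Reading /proc/<pid>/cmdline needs read on all non-app process domains; this also exposes other /proc/<pid> files of those processes.` If only a known set of processes is ever probed, list those domains instead of `{ domain -appdomain }`.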
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 4c4ac7a..dde98c0 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -12,6 +12,15 @@
binder_call(virtual_camera, cameraserver)
binder_call(virtual_camera, system_server)
+# Allow virtual_camera to communicate with
+# mediaserver (required for using Surface originating
+# from virtual camera in mediaserver).
+binder_call(virtual_camera, mediaserver)
+
+# Required for the codecs to be able to decode
+# video into surface provided by virtual camera.
+hal_client_domain(virtual_camera, hal_codec2)
+hal_client_domain(virtual_camera, hal_omx)
# Allow virtualCamera to call apps via binder.
binder_call(virtual_camera, appdomain)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 40d95c6..3aaff5b 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -83,9 +83,13 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file { open read };
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
+
+# virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
+# from pVM to HAL.
+hal_client_domain(virtualizationmanager, hal_secretkeeper);
# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
# (e.g. custom debug policy)
@@ -107,3 +111,8 @@
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # virtualizationmanager holds references to bound devices, returned from vfio_handler
+ binder_call(virtualizationmanager, vfio_handler)
+')
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index e17797e..972f376 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -29,6 +29,10 @@
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
+binder_call(virtualizationservice, remote_provisioning_service)
+allow virtualizationservice remote_provisioning_service:service_manager find;
+
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
@@ -104,6 +108,6 @@
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
- # Only virtualizationservice can communicate to vfio_handler
- neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+ # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
+ neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
')
diff --git a/public/file.te b/public/file.te
index 01143f7..2a84dd0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -539,6 +539,7 @@
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
+type ot_daemon_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
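Review bot: `type racoon_socket, file_type, coredomain_socket;` remains on the context line although this change deletes the racoon domain (public/racoon.te and private/racoon.te) and drops `unix_socket_connect(system_server, racoon, racoon)` from system_server.te. Unless a file_contexts entry still labels a socket with it, the type is now orphaned and should be removed in the same change, or a comment should say why it is retained.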
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 60cda48..0bdcc23 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -29,4 +29,4 @@
# codec2 aidl graphic buffer allocation waitable object
allow hal_codec2_server su:fifo_file read;
allow hal_codec2_server mediaserver:fifo_file read;
-allow hal_codec2_server untrusted_app_all:fifo_file read;
+allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;
diff --git a/public/init.te b/public/init.te
index 29dd42d..47b8603 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,6 +105,7 @@
vendor_file
postinstall_mnt_dir
mirror_data_file
+ shell_data_file
}:dir mounton;
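Review bot: `shell_data_file` is added to init's `mounton` list without a comment saying what init mounts there; it is the label of shell-writable locations, so letting init mount onto it deserves a stated rationale next to the line. Suggest a trailing comment such as `shell_data_file # <which mount and why, b/<BUG_ID>>`. The allow statement that owns this list begins outside the hunk.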
# Mount bpf fs on sys/fs/bpf
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index b3b26c1..dc45500 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -11,6 +11,9 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
+# get aac_drc_* properties
+get_prop(mediaswcodec, aac_drc_prop)
+
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
diff --git a/public/property.te b/public/property.te
index b072b5b..c513434 100644
--- a/public/property.te
+++ b/public/property.te
@@ -181,6 +181,7 @@
system_vendor_config_prop(suspend_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(threadnetwork_config_prop)
system_vendor_config_prop(tombstone_config_prop)
system_vendor_config_prop(usb_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
diff --git a/public/racoon.te b/public/racoon.te
deleted file mode 100644
index b0383f0..0000000
--- a/public/racoon.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
diff --git a/public/service.te b/public/service.te
index acbaf4d..5c63e9e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -118,6 +118,7 @@
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -213,7 +214,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type security_state_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index d2f4406..6d7533a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -186,13 +186,13 @@
# Transition to virtualizationmanager when the client executes it.
domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
# Allow virtualizationmanager to communicate over UDS with the client.
-allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { ioctl getattr read write };
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
allow { virtualizationmanager crosvm } $1:fd use;
# Let the client use file descriptors created by virtualizationmanager.
allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
-allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { ioctl getattr read write };
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
# that it created. Notice that we do not grant permission to create a vsock;
# the client can only connect to VMs that it owns.
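Review bot: Adding bare `ioctl` to the `unix_stream_socket` and `fifo_file` permissions on `$1` allows any ioctl command on the client's descriptors, whereas ioctl grants elsewhere in this policy are paired with an `allowxperm` whitelist (the remount hunk uses `allowxperm ... ioctl { BLKIOMIN BLKALIGNOFF }`). The command actually needed is not visible here; add `allowxperm { virtualizationmanager crosvm } $1:unix_stream_socket ioctl <NEEDED_IOCTL>;` and the equivalent for `fifo_file`, with the real command substituted, plus a comment naming the caller that issues it. The macro definition begins outside the hunk.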
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 8e4ddb5..60e0339 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -21,6 +21,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 66ce40c..3d608cd 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -7,4 +7,9 @@
# android.frameworks.sensorservice through libsensorndkbridge
allow hal_face_default fwk_sensor_service:service_manager find;
-set_prop(hal_face_default, virtual_face_hal_prop)
+# virtual_face_hal_prop is only for debuggable builds
+userdebug_or_eng(`set_prop(hal_face_default, virtual_face_hal_prop)');
+neverallow { domain -init -dumpstate userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:property_service set;
+
+
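Review bot: Two empty lines are appended after the new `property_service set` neverallow, leaving trailing blank lines at end of file; drop them so the file ends after the last rule. The two neverallows themselves follow the same dumpstate/userdebug_or_eng exclusion pattern used for suspend_debug_prop earlier in this change, so only the whitespace needs attention here.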