Merge "app.te: enable mapping ART apexdata cache executable"
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index d2a8626..2533cac 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/private/artd.te b/private/artd.te
new file mode 100644
index 0000000..a76074b
--- /dev/null
+++ b/private/artd.te
@@ -0,0 +1,12 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
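Review bot: The dumpstate fifo rule at L27 sits under the comment that describes binder usage, so a reader cannot tell why a brand-new daemon writes to dumpstate's pipe; give it its own comment, e.g. `# Allow dumpstate to collect artd's dumpsys output through the pipe it hands over.` (that is the usual purpose of a `fifo_file { getattr write }` pair on dumpstate, but confirm). `typeattribute artd coredomain;` at L29 is placed after the allow rules, whereas the sibling file postinstall_dexopt.te (L187) carries coredomain on the type line itself; keeping the attribute next to `type artd, domain;` makes the domain's trust level visible at the top of the file. Since the domain currently gets no file or property access beyond the service registration, a one-line comment stating that further permissions are to be added together with artd's features would save the next reader from wondering whether rules are missing.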
diff --git a/private/bootanim.te b/private/bootanim.te
index cc6e0db..855bc3d 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -11,4 +11,7 @@
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
-get_prop(bootanim, bootanim_config_prop)
\ No newline at end of file
+get_prop(bootanim, bootanim_config_prop)
+
+# Allow updating boot animation status.
+set_prop(bootanim, bootanim_system_prop)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1599a3e..98d5840 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -211,6 +211,7 @@
vndk_prop
vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 202baaf..427f4d4 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -28,6 +28,7 @@
blank_screen_exec
blank_screen_tmpfs
boot_status_prop
+ bootanim_system_prop
bootloader_boot_reason_prop
bootloader_prop
bluetooth_a2dp_offload_prop
@@ -227,6 +228,7 @@
vndk_prop
vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index fb0fa44..0fb0a1c 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1206,7 +1206,10 @@
(typeattributeset exported2_system_prop_29_0
( exported2_system_prop
surfaceflinger_color_prop))
-(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_29_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index c158a30..ac3d463 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1378,7 +1378,10 @@
dalvik_runtime_prop
surfaceflinger_color_prop
zram_control_prop))
-(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_30_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
(typeattributeset exported3_default_prop_30_0
( exported3_default_prop
camera_calibration_prop
@@ -1430,6 +1433,8 @@
(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
+
(typeattributeset exported_system_radio_prop_30_0
( exported_system_radio_prop
usb_config_prop
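Review bot: L113 adds a second `typeattributeset exported_system_prop_30_0` statement directly below the existing one at L112 instead of extending it, and L114 leaves a stray blank line inside the list. CIL merges repeated typeattributeset statements for the same attribute, so this compiles, but every other mapping in the file keeps one statement per attribute (see the vold mapping rewritten at L102-L105 in this same commit). Fold the new type into the existing line, `(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop bootanim_system_prop))`, and drop the blank line.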
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e479f33..eb34315 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,6 +17,9 @@
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
+ artd
+ artd_exec
+ artd_service
authorization_service
bootanim_config_prop
camerax_extensions_prop
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index caa6058..2299ba0 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -13,3 +13,13 @@
# b/183079517 fails on gphone targets otherwise
allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
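Review bot: `allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;` at L148 grants the full read/write set (which includes open, append, lock and map), although the comment at L140 only describes writing the classpath into a tempfile that postinstall_dexopt creates and hands over (L197-L199). If derive_classpath only writes to the inherited fd, `{ write getattr }` is likely sufficient; check the audit denials before keeping the broader macro. The L144-L147 rules (`dir search`, `file read`, `lnk_file read` and `fd use` on postinstall_dexopt) look like /proc/<pid> access for that inherited fd and deserve a comment saying so, and `BCP` at L143 should be spelled out once as boot classpath.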
diff --git a/private/domain.te b/private/domain.te
index 87518a7..9e2e033 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,6 +49,9 @@
-zygote
})')
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
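Review bot: The new `r_dir_file(domain, sysfs_fs_incfs_features);` at L157 extends to every domain a read that this same commit removes from just priv_app (L211), system_server (L277) and vold (L365), and the comment at L156 merely restates the rule. State why the whole `domain` attribute, rather than `appdomain` plus those three, needs the IncFS feature list, e.g. `# Everyone can access the IncFS list of features: <reason all domains, not only apps and vold, need it>` with the placeholder filled in, ideally with the tracking bug. The `-sysfs_fs_incfs_features` exemption added at L170 is the required counterpart that keeps the isolated_app neverallow consistent; a short cross-reference comment on either side would help the next reader connect the two.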
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94d60f0..71749c0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -128,6 +128,7 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+ -sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3ae35fc..3ea8ad2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -47,4 +47,4 @@
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
# Allow updating boot animation status.
-set_prop(odrefresh, exported_system_prop)
+set_prop(odrefresh, bootanim_system_prop)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 0b1a032..94af043 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -5,6 +5,7 @@
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
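Review bot: `type postinstall_dexopt_tmpfs, file_type;` at L189 may collide with the `tmpfs_domain(postinstall_dexopt);` call added at L198 in the next hunk: as I recall it, the `tmpfs_domain` macro in public/te_macros itself declares `$1_tmpfs` as a `file_type`, and checkpolicy rejects a duplicate type declaration. Confirm against this tree's te_macros; if the macro declares the type, drop L189, and if it does not, keep L189 and add a comment on it naming the macro that relies on it, e.g. `# Declared here because tmpfs_domain() below only adds the transition.`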
@@ -15,6 +16,12 @@
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
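Review bot: `allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;` at L199 is an extra grant on top of what the `tmpfs_domain` macro provides, but the comment at L197 only explains the tempfile, not why postinstall_dexopt must reopen it. Presumably the daemon reads the classpath back after derive_classpath exits; say so: `# open is needed to re-read the tempfile after derive_classpath has written it.` The trailing `;` on the macro call at L198 is harmless, but the neighbouring domain_auto_trans calls at L194 and L196 omit it, so pick one form within the file.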
diff --git a/private/priv_app.te b/private/priv_app.te
index 4fd86e5..63a9cbf 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -161,9 +161,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Access the IncFS list of features
-r_dir_file(priv_app, sysfs_fs_incfs_features)
-
# allow apps like Phonesky to check the file signature of an apk installed on
# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {
diff --git a/private/property_contexts b/private/property_contexts
index 58780d0..0b9446e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -560,7 +560,7 @@
tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
-vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
+vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
@@ -869,8 +869,8 @@
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
-service.bootanim.progress u:object_r:exported_system_prop:s0 exact int
+service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
@@ -1041,6 +1041,7 @@
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1168,4 +1169,4 @@
persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
# bootanimation properties
-ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
\ No newline at end of file
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index c9c6aef..3357943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,7 @@
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
+artd u:object_r:artd_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a32f89c..7a92bd4 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -53,6 +53,7 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
diff --git a/private/system_server.te b/private/system_server.te
index d3478bd..79666fb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -26,9 +26,6 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# Access the IncFS list of features
-r_dir_file(system_server, sysfs_fs_incfs_features);
-
# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
@@ -632,6 +629,7 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, bootanim_system_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
diff --git a/private/vold.te b/private/vold.te
index d794abf..a802bdb 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -23,6 +23,7 @@
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 4eb8bb2..7497dec 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -21,6 +21,9 @@
# Allow NN HAL service to use a client-provided fd residing in /storage
allow hal_neuralnetworks_server storage_file:file { getattr map read };
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
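Review bot: The `{ getattr map read }` set at L308 has no `open`, which is what keeps this rule from becoming a general read of /data/app by a vendor HAL, yet the comment at L307 does not say that restriction is intentional. If it is deliberate, record it so a later change does not add open casually: `# No 'open': the HAL may only use an fd the client already passed over binder, not browse /data/app itself.` It would also help to state what the fd carries (presumably a model or asset packaged in the APK), since `map` on apk_data_file means the HAL mmaps app-supplied content.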
diff --git a/public/property.te b/public/property.te
index 55eb7c2..5edb59e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,6 +60,7 @@
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
@@ -208,6 +209,7 @@
system_public_prop(system_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
diff --git a/public/service.te b/public/service.te
index 4012fca..916ad53 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,6 +1,7 @@
type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
+type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 1c425fb..ae523b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -244,6 +244,7 @@
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
set_prop(vendor_init, zram_control_prop)
diff --git a/public/vold.te b/public/vold.te
index 17c71b5..7796ba8 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -127,8 +127,6 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
-# Access the IncFS list of features
-r_dir_file(vold, sysfs_fs_incfs_features);
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental