Merge "Allow AIDL VHAL service."
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0e0cf7f..5522e32 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -62,6 +62,7 @@
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
+allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/clatd.te b/private/clatd.te
index da6820c..57eee78 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -4,18 +4,10 @@
net_domain(clatd)
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
# Access objects inherited from netd.
allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
allow clatd netd:packet_socket { read write };
allow clatd netd:rawip_socket { read write };
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 43f8136..c6bdbe7 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -22,6 +22,7 @@
hal_contexthub_service
hal_dice_service
hal_dumpstate_service
+ hal_graphics_allocator_service
hal_graphics_composer_service
hal_health_service
hal_ir_service
@@ -36,11 +37,13 @@
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
+ hal_usb_service
hal_uwb_service
hal_vehicle_service
hal_wifi_hostapd_service
hal_wifi_supplicant_service
locale_service
+ mtectrl
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
diff --git a/private/file_contexts b/private/file_contexts
index 4a04532..f70c972 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -309,6 +309,7 @@
/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/mtectrl u:object_r:mtectrl_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
diff --git a/private/mtectrl.te b/private/mtectrl.te
new file mode 100644
index 0000000..a89edda
--- /dev/null
+++ b/private/mtectrl.te
@@ -0,0 +1,9 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 6c34e9f..d716309 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -45,19 +45,6 @@
get_prop(odrefresh, device_config_runtime_native_prop)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
-# Use inherited stdin/stdout/stderr from composd which exec()'s
-# odrefesh.
-allow odrefresh composd:fd use;
-
-# Run binaries from the CompOS APEX in the same domain
-allow odrefresh system_file:file execute_no_trans;
-
-# Run fd_server in its own domain
-domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
-
-# And kill it via SIGTERM
-allow odrefresh compos_fd_server:process signal;
-
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
diff --git a/private/service.te b/private/service.te
index aa72e3e..19dd451 100644
--- a/private/service.te
+++ b/private/service.te
@@ -14,4 +14,5 @@
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 35b9dcc..e01d07c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,9 +3,11 @@
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
@@ -45,6 +47,7 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -327,6 +330,7 @@
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
tv_iapp u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d3d731c..cc04b79 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -402,7 +402,7 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-allow system_server sysfs_type:dir search;
+allow system_server sysfs_type:dir r_dir_perms;
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
diff --git a/public/domain.te b/public/domain.te
index e7853ec..9b8aefd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -627,6 +627,7 @@
-vold
-recovery
-ueventd
+ -mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 3ec6b96..b6d5d92 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
+
+# IAllocator stable-aidl
+hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
+binder_call(hal_graphics_allocator_server, servicemanager)
+binder_call(hal_graphics_allocator_client, servicemanager)
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 38bc49a..45cafaa 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,6 +2,9 @@
binder_call(hal_usb_client, hal_usb_server)
binder_call(hal_usb_server, hal_usb_client)
+hal_attribute_service(hal_usb, hal_usb_service)
+binder_call(hal_usb_server, servicemanager)
+
hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
allow hal_usb self:netlink_kobject_uevent_socket create;
diff --git a/public/mtectrl.te b/public/mtectrl.te
new file mode 100644
index 0000000..2fb8a96
--- /dev/null
+++ b/public/mtectrl.te
@@ -0,0 +1 @@
+type mtectrl, domain, coredomain;
diff --git a/public/service.te b/public/service.te
index 0e9488c..47ec5aa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -157,7 +157,7 @@
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type nearby_service, system_server_service, service_manager_type;
+type nearby_service, system_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -270,6 +270,7 @@
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_allocator_service, vendor_service, service_manager_type;
type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
@@ -296,6 +297,7 @@
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
+type hal_usb_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a53d85e..f7c035d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -88,6 +88,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0