Merge "Accept starting_at_board_api macro in service contexts" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 4daff80..a6d0853 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -307,3 +307,10 @@
"com.android.uprobestats-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.biometrics.virtual.face-file_contexts",
+ srcs: [
+ "com.android.biometrics.virtual.face-file_contexts",
+ ],
+}
diff --git a/apex/com.android.biometrics.virtual.face-file_contexts b/apex/com.android.biometrics.virtual.face-file_contexts
new file mode 100644
index 0000000..07fc0a8
--- /dev/null
+++ b/apex/com.android.biometrics.virtual.face-file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:vendor_file:s0
+/etc(/.*)? u:object_r:vendor_configs_file:s0
+/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:virtual_face_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 0c98d1b..d22ceb7 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -45,6 +45,7 @@
"android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual": EXCEPTION_NO_FUZZER,
diff --git a/private/app.te b/private/app.te
index c51ba8b..6362c7d 100644
--- a/private/app.te
+++ b/private/app.te
@@ -167,6 +167,8 @@
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } persistent_data_block_service:service_manager find;
+
# For app fuse.
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 73058ef..ff84b4e 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -15,4 +15,6 @@
app_function_service
virtual_fingerprint
virtual_fingerprint_exec
+ virtual_face
+ virtual_face_exec
))
diff --git a/private/domain.te b/private/domain.te
index d6f86f4..e9cc7f5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -501,7 +501,7 @@
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
-get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
+get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app -app_zygote }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
diff --git a/private/fsck.te b/private/fsck.te
index 5eeb39f..90f7e51 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -2,6 +2,9 @@
init_daemon_domain(fsck)
+# fsck can run before apex is ready.
+use_bootstrap_libs(fsck)
+
allow fsck metadata_block_device:blk_file rw_file_perms;
# /dev/__null__ created by init prior to policy load,
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 682831f..4b55a57 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1,5 +1,7 @@
typeattribute fsck_untrusted coredomain;
+use_bootstrap_libs(fsck)
+
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/private/hal_face.te b/private/hal_face.te
index e14666a..5e43953 100644
--- a/private/hal_face.te
+++ b/private/hal_face.te
@@ -11,5 +11,5 @@
allow hal_face ion_device:chr_file r_file_perms;
# Allow read/write access to the face template directory.
-allow hal_face face_vendor_data_file:file create_file_perms;
-allow hal_face face_vendor_data_file:dir rw_dir_perms;
+allow {hal_face -coredomain} face_vendor_data_file:file create_file_perms;
+allow {hal_face -coredomain} face_vendor_data_file:dir rw_dir_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 5fdae3c..960bb66 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -26,6 +26,7 @@
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.face.IFace/virtual u:object_r:hal_face_service:s0
+android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual u:object_r:hal_fingerprint_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index e0ed8c3..0b6ffe2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -151,7 +151,7 @@
proc_version
}:file r_file_perms;
-# Settings app writes to /dev/stune/foreground/tasks.
+# Allow system apps to modify cgroup attributes and migrate processes
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
allow system_app cgroup_v2:dir w_dir_perms;
diff --git a/private/virtual_face.te b/private/virtual_face.te
new file mode 100644
index 0000000..0e33d6b
--- /dev/null
+++ b/private/virtual_face.te
@@ -0,0 +1,6 @@
+# biometric virtual face sensor
+type virtual_face, domain;
+type virtual_face_exec, system_file_type, exec_type, file_type;
+hal_server_domain(virtual_face, hal_face)
+typeattribute virtual_face coredomain;
+init_daemon_domain(virtual_face)
diff --git a/public/property.te b/public/property.te
index 4f1b369..d5fb468 100644
--- a/public/property.te
+++ b/public/property.te
@@ -273,7 +273,7 @@
vendor_internal_prop(rebootescrow_hal_prop)
# Properties used in the default Face HAL implementations
-vendor_internal_prop(virtual_face_hal_prop)
+system_public_prop(virtual_face_hal_prop)
# Properties used in the default Fingerprint HAL implementations
system_public_prop(virtual_fingerprint_hal_prop)
diff --git a/public/service.te b/public/service.te
index 0982629..8f1245d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -198,7 +198,7 @@
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index cd03ae1..d0c698d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -24,6 +24,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.default u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.default u:object_r:hal_fingerprint_default_exec:s0