Merge "Use properties for various userspace reboot timeouts"
diff --git a/private/adbd.te b/private/adbd.te
index f7504df..cd3d8f3 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -183,6 +183,11 @@
allow adbd rootfs:dir r_dir_perms;
+# Allow killing child "perfetto" binary processes, which auto-transition to
+# their own domain. Allows propagating termination of "adb shell perfetto ..."
+# invocations.
+allow adbd perfetto:process signal;
+
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
diff --git a/private/attributes b/private/attributes
new file mode 100644
index 0000000..e01b212
--- /dev/null
+++ b/private/attributes
@@ -0,0 +1 @@
+hal_attribute(lazy_test);
diff --git a/private/file_contexts b/private/file_contexts
index c1d5274..f0afa95 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -451,6 +451,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
diff --git a/private/hal_lazy_test.te b/private/hal_lazy_test.te
new file mode 100644
index 0000000..93cf235
--- /dev/null
+++ b/private/hal_lazy_test.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
+')
diff --git a/private/hidl_lazy_test_server.te b/private/hidl_lazy_test_server.te
new file mode 100644
index 0000000..04e8c9f
--- /dev/null
+++ b/private/hidl_lazy_test_server.te
@@ -0,0 +1,8 @@
+type hidl_lazy_test_server, domain;
+type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ typeattribute hidl_lazy_test_server coredomain;
+ init_daemon_domain(hidl_lazy_test_server)
+ hal_server_domain(hidl_lazy_test_server, hal_lazy_test)
+')
diff --git a/private/hwservice.te b/private/hwservice.te
new file mode 100644
index 0000000..b7ba4d7
--- /dev/null
+++ b/private/hwservice.te
@@ -0,0 +1 @@
+type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9c471bc..664e697 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -40,6 +40,7 @@
android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 0b1047a..7923649 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -39,4 +39,7 @@
FS_IOC_SETFLAGS
};
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider_app { mnt_media_rw_file }:dir search;
+
allow mediaprovider_app proc_filesystems:file r_file_perms;
diff --git a/private/perfetto.te b/private/perfetto.te
index 2183b6d..58cfae8 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -50,6 +50,14 @@
binder_call(perfetto, incidentd)
');
+# perfetto log formatter calls isatty() on its stderr. Denial when running
+# under adbd is harmless. Avoid generating denial logs.
+dontaudit perfetto adbd:unix_stream_socket getattr;
+dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
+# As above, when adbd is running in "su" domain (only the ioctl is denied in
+# practice).
+dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
+
###
### Neverallow rules
###
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 213ba05..4fdc737 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -25,7 +25,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0