Merge "[MTE] Add memtag sysprop sepolicy."
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a2dad9b..5b21d41 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -231,6 +231,7 @@
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
+ data.Entries.WriteLicenseVariables(w)
fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
if m.Owner() != "" {
fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 171f68a..9ba60ac 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -4,8 +4,4 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
-allow canhalconfigurator hal_can_controller_hwservice:hwservice_manager find;
-binder_call(canhalconfigurator, hal_can_controller);
-allow canhalconfigurator hidl_manager_hwservice:hwservice_manager find;
-hwbinder_use(canhalconfigurator);
-get_prop(canhalconfigurator, hwservicemanager_prop);
+hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 8ca123b..a77ac01 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -24,10 +24,12 @@
game_service
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_authsecret_service
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
hal_memtrack_service
+ hal_oemlock_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
@@ -37,6 +39,9 @@
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
+ mediatuner_exec
+ mediatuner_service
+ mediatuner
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
@@ -45,6 +50,7 @@
power_debug_prop
power_stats_service
proc_kallsyms
+ proc_locks
profcollectd
profcollectd_data_file
profcollectd_exec
@@ -59,8 +65,10 @@
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
+ transformer_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
+ watchdog_metadata_file
zygote_config_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index bac494f..4e3d6fd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -49,7 +49,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -66,7 +66,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -93,7 +93,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
} vendor_overlay_file:dir { getattr open read search };
')
@@ -113,7 +113,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
} vendor_overlay_file:file open;
')
diff --git a/private/domain.te b/private/domain.te
index d4f9e0e..e6b26f4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_central({
+userdebug_or_eng(`can_profile_heap({
domain
-bpfloader
-init
@@ -307,7 +307,7 @@
iorap_prefetcherd
traced_perf
traced_probes
- userdebug_or_eng(`heapprofd')
+ heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
@@ -414,7 +414,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
-shell
-system_executes_vendor_violators
diff --git a/private/file_contexts b/private/file_contexts
index 98300cb..5330bdb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -260,6 +260,7 @@
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
+/system/bin/mediatuner u:object_r:mediatuner_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -546,6 +547,10 @@
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
+# Ensure we have the same labels as /data/app or /data/apex/active
+# to avoid restorecon conflicts
+/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
+/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@@ -749,6 +754,7 @@
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
+/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 4c6edd6..900b25b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -14,6 +14,7 @@
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 5f1476e..50039c2 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -39,19 +39,14 @@
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
-userdebug_or_eng(`
- r_dir_file(heapprofd, nativetest_data_file)
- r_dir_file(heapprofd, system_file_type)
- r_dir_file(heapprofd, apk_data_file)
- r_dir_file(heapprofd, dalvikcache_data_file)
- r_dir_file(heapprofd, vendor_file_type)
- r_dir_file(heapprofd, shell_data_file)
- # Some dex files are not world-readable.
- # We are still constrained by the SELinux rules above.
- allow heapprofd self:global_capability_class_set dac_read_search;
-
- allow heapprofd proc_kpageflags:file r_file_perms;
-')
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
# For checking profileability.
allow heapprofd packages_list_file:file r_file_perms;
diff --git a/private/kernel.te b/private/kernel.te
index 207800e..70ca912 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,8 +1,32 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+domain_auto_trans(kernel, snapuserd_exec, snapuserd)
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel snapuserd_exec:file relabelto;
+
+allow kernel kmsg_device:chr_file write;
diff --git a/private/mediatuner.te b/private/mediatuner.te
new file mode 100644
index 0000000..443119e
--- /dev/null
+++ b/private/mediatuner.te
@@ -0,0 +1,27 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
diff --git a/private/property_contexts b/private/property_contexts
index 06734bc..c1aa5e0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -127,9 +127,6 @@
vold. u:object_r:vold_prop:s0
ro.crypto. u:object_r:vold_prop:s0
-# TODO(b/141677108): Remove once true everywhere
-ro.vold.level_from_user u:object_r:vold_config_prop:s0
-
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
@@ -986,6 +983,7 @@
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/service.te b/private/service.te
index 29932d2..f17fe86 100644
--- a/private/service.te
+++ b/private/service.te
@@ -2,6 +2,7 @@
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 560a427..dd27bcf 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
@@ -5,6 +6,7 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@@ -153,6 +155,7 @@
media.resource_observer u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
+media.tuner u:object_r:mediatuner_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
@@ -245,6 +248,7 @@
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
+transformer u:object_r:transformer_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f7206..31fdb8c 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -3,3 +3,13 @@
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 99ee90f..d96b31e 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -16,3 +16,11 @@
# Reading and writing to dm-user control nodes.
allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index 9979fd5..69e04d9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -290,6 +290,7 @@
mediaserver
mediaswcodec
mediatranscoding
+ mediatuner
netd
sdcardd
statsd
@@ -519,6 +520,9 @@
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
+# Manage /data/rollback.
+allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
+
# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };
@@ -778,6 +782,7 @@
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -925,6 +930,8 @@
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+# Access to /dev/dma_heap/system-secure
+allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
@@ -932,6 +939,7 @@
allow system_server {
proc_cmdline
proc_loadavg
+ proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
@@ -1169,6 +1177,9 @@
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
+allow system_server watchdog_metadata_file:dir rw_dir_perms;
+allow system_server watchdog_metadata_file:file create_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
diff --git a/private/traced.te b/private/traced.te
index 2410d7e..ccb28ef 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -62,6 +62,9 @@
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
+# Allow traced to talk to statsd for logging metrics.
+unix_socket_send(traced, statsdw, statsd)
+
###
### Neverallow rules
###
diff --git a/public/app.te b/public/app.te
index 6f267c9..f9c0d95 100644
--- a/public/app.te
+++ b/public/app.te
@@ -310,6 +310,7 @@
allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;
diff --git a/public/domain.te b/public/domain.te
index bd0dff8..3801631 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1205,7 +1205,6 @@
domain
-shell
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
-installd
} shell_data_file:lnk_file read;
@@ -1234,7 +1233,6 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
@@ -1246,7 +1244,6 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
} shell_data_file:file open;
# servicemanager and vndservicemanager are the only processes which handle the
diff --git a/public/file.te b/public/file.te
index 404e1d4..ccd65e2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -37,6 +37,7 @@
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
@@ -245,6 +246,8 @@
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index daf8d48..bbcdb9a 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,3 +2,6 @@
binder_call(hal_authsecret_client, hal_authsecret_server)
hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..959d1d9 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -1,9 +1,9 @@
# CAN controller
binder_call(hal_can_controller_client, hal_can_controller_server)
-add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
-allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+binder_call(hal_can_controller_server, hal_can_controller_client)
+hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
# CAN bus
binder_call(hal_can_bus_client, hal_can_bus_server)
-add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
-allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+binder_call(hal_can_bus_server, hal_can_bus_client)
+hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 26b2b42..9f38fa5 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,3 +2,6 @@
binder_call(hal_oemlock_client, hal_oemlock_server)
hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/public/init.te b/public/init.te
index 0bbeb29..59e6b4e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -16,6 +16,12 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
+
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
@@ -37,6 +43,7 @@
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
@@ -543,6 +550,9 @@
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 1978aa3..d32b9d9 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -120,6 +120,7 @@
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 8e35225..5726842 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -24,3 +24,4 @@
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 3463128..072de79 100644
--- a/public/service.te
+++ b/public/service.te
@@ -193,6 +193,7 @@
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -224,6 +225,7 @@
### HAL Services
###
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
@@ -232,6 +234,7 @@
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 7413b20..6dd5bd7 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,14 +1,2 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index 467ac44..1966f20 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -693,40 +693,9 @@
###################################
# can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd.
-#
-# Note that profiling is performed differently between debug and user builds.
-# There are two modes for profiling:
-# * forked
-# * central.
-# On user builds, the default is to allow only forked mode. If it is desired
-# to allow central mode as well for a domain, use can_profile_heap_central.
-# On userdebug, this macro allows both forked and central.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
-
- # Allow executing a private heapprofd process to handle profiling on
- # user builds (also debug builds for testing & development purposes).
- allow $1 heapprofd_exec:file rx_file_perms;
-
- # Allow directory & file read to the central heapprofd daemon, as it scans
- # /proc/[pid]/cmdline for by-process-name profiling configs.
- # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
- allow heapprofd $1:file r_file_perms;
- allow heapprofd $1:dir r_dir_perms;
-
- # Profilability on user implies profilability on userdebug and eng.
- userdebug_or_eng(`
- can_profile_heap_central($1)
- ')
-')
-
-###################################
-# can_profile_heap_central(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
-define(`can_profile_heap_central', `
+define(`can_profile_heap', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
diff --git a/vendor/hal_oemlock_default.te b/vendor/hal_oemlock_default.te
new file mode 100644
index 0000000..8597f2c
--- /dev/null
+++ b/vendor/hal_oemlock_default.te
@@ -0,0 +1,5 @@
+type hal_oemlock_default, domain;
+hal_server_domain(hal_oemlock_default, hal_oemlock)
+
+type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_oemlock_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index dcb03a8..56a47b7 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -7,6 +7,4 @@
init_daemon_domain(hal_vehicle_default)
# communication with CAN bus HAL
-allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
-allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
-allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
+hal_client_domain(hal_vehicle_default, hal_can_bus)