Merge "Add new time zone detection service"
diff --git a/definitions.mk b/definitions.mk
index 6bb4f24..2ecdbdc 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -13,6 +13,7 @@
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
 	-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
+	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
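Review bot: The new `-D target_requires_insecure_execmem_for_swiftshader=` flag reads the global `$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)` directly, while every neighbouring `-D` in this define reads a target-specific `PRIVATE_*` variable. If this define is expanded for more than one policy target (the `PRIVATE_TGT_RECOVERY` argument suggests it is), the other flags can vary per target but this one is fixed to whatever the global holds at expansion time. For consistency with the surrounding lines, set a `PRIVATE_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER := $(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)` on the policy targets and reference `$(PRIVATE_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)` here. The `define` that this hunk's `endef` closes begins above the hunk.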
diff --git a/private/apexd.te b/private/apexd.te
index 14778b2..31371d9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -114,6 +114,9 @@
   domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
 ')
 
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
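Review bot: The grant `allow apexd devpts:chr_file { read write };` deliberately omits `open`, so apexd can only use a pty fd it already inherited (the one logwrapper hands it via init) and cannot open other pseudoterminals; that is the right scope, but the comment does not record it, and a later "fix the denial" change could widen it to `rw_file_perms` without anyone noticing. I would extend the comment with `# No 'open' on purpose: only the pty fd inherited from logwrapper is usable, not arbitrary ptys.`. If apexd only ever writes to that fd, `read` may be droppable as well — worth checking against the actual denials before keeping it.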
diff --git a/private/gsid.te b/private/gsid.te
index cc255ca..306efb8 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -75,6 +75,8 @@
   -gsid
   -init
   -update_engine_common
+  -recovery
+  -fastbootd
 } gsid_prop:property_service set;
 
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
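Review bot: Adding `-recovery` and `-fastbootd` to the exclusion list of the `gsid_prop:property_service set` neverallow removes the build-time guarantee for two more domains, but nothing in the hunk records why; the reason is only visible in the matching `set_prop(recovery, gsid_prop)` and `set_prop(fastbootd, gsid_prop)` grants elsewhere in this change. A line above the exclusions such as `# recovery and fastbootd drive libfiemap/gsid in-process (no binder in recovery) and set gsid_prop themselves.` would save the next reader the cross-reference. The neverallow statement this hunk edits begins above the hunk.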
@@ -130,6 +132,7 @@
     -init
     -gsid
     -fastbootd
+    -recovery
     -vold
 } gsi_metadata_file:dir *;
 
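Review bot: Excluding `recovery` from the `gsi_metadata_file:dir *` neverallow lifts the build-time check for every directory permission, while the corresponding grant added in recovery.te is only `search`; the same already holds for `fastbootd` on the line above. To keep the build check for everything beyond lookup, pin both domains down next to this block with `neverallow { recovery fastbootd } gsi_metadata_file:dir ~search;`, unless one of them already holds more than `search` elsewhere in the policy. The neverallow statement this hunk edits begins above the hunk.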
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9b09ce3..15bb9e1 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
 ###
 type permissioncontroller_app, domain;
 
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
 app_domain(permissioncontroller_app)
 
 # Allow interaction with gpuservice
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 14b63e9..4980c93 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,7 @@
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
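Review bot: The new entry keys the `vzwomatrigger_app` domain on the package name alone (`name=com.android.vzwomatrigger`) with no `seinfo=`; `isPrivApp=true` limits it to apps installed in a priv-app location, but the name is not bound to a signing certificate, so any privileged app shipped under that package name lands in this domain. If mac_permissions.xml can carry a `seinfo` for the app's signing key, add `seinfo=<that tag>` to the entry so the domain is tied to the certificate rather than the name. The permissioncontroller line above has the same shape, so a follow-up could tighten both together.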
diff --git a/private/system_server.te b/private/system_server.te
index 9232843..f0a447a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -983,7 +983,12 @@
 # system_server should never use JIT functionality
 # See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
 # in the section titled "A Short ROP Chain" for why.
-neverallow system_server self:process execmem;
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+  `allow system_server self:process execmem;',
+  `neverallow system_server self:process execmem;')
 neverallow system_server ashmem_device:chr_file execute;
 
 # TODO: deal with tmpfs_domain pub/priv split properly
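Review bot: The `ifelse` lets any product that sets `PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER := true` ship system_server with `execmem`, reinstating the JIT primitive that the Project Zero reference above warns about; the comment says such builds are never shipped to users, but nothing in the policy enforces that. Gate the grant on the build variant so a user build can never receive it, by replacing the allow branch with `userdebug_or_eng(`allow system_server self:process execmem;')`. On a user build with the flag set that emits neither rule, so execmem is still denied at runtime even though the build-time neverallow is lost for that one configuration. It is also worth stating in the comment that `neverallow system_server ashmem_device:chr_file execute` below stays unconditional, so the ashmem half of the original mitigation is unaffected by the flag.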
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
new file mode 100644
index 0000000..4a7d3f7
--- /dev/null
+++ b/private/vzwomatrigger_app.te
@@ -0,0 +1,14 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `vzwomatrigger_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive vzwomatrigger_app;')
+
+app_domain(vzwomatrigger_app)
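Review bot: The STOPSHIP block in the new domain reuses `b/142672293`, which is the very bug whose resolution removes the identical permissive line from permissioncontroller_app elsewhere in this change; once that bug closes, nothing tracks the permissive mode left on `vzwomatrigger_app`. Replace both references with a bug filed for this domain. Note also that `permissive` applies only to userdebug/eng builds, so on user builds the app already runs enforcing with just the `app_domain` permissions; any denial observed on userdebug is a real failure on user builds, which argues for resolving the TODO promptly rather than leaving it open-ended.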
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 39abc5e..f08885a 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -107,6 +107,12 @@
     allow fastbootd labeledfs:filesystem { mount unmount };
     get_prop(fastbootd, persistent_properties_ready_prop)
   ')
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  set_prop(fastbootd, gsid_prop)
+  allow fastbootd gsi_metadata_file:dir search;
+  allow fastbootd ota_metadata_file:dir rw_dir_perms;
+  allow fastbootd ota_metadata_file:file create_file_perms;
 ')
 
 ###
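Review bot: The comment explains the gsid_prop and gsi_metadata_file access but not why fastbootd also needs create/write/unlink on `ota_metadata_file` (`rw_dir_perms` on the directory, `create_file_perms` on files), which is a much broader grant than the lookup-only access to gsi metadata. If libfiemap keeps its image metadata under the OTA metadata directory, say so: `# libfiemap stores image metadata under ota_metadata_file, hence create/write/unlink there.`; if only part of that is exercised, narrow the grant accordingly. The enclosing macro block closed by `')` begins above the hunk, so which build variant these rules apply to is not visible here.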
diff --git a/public/recovery.te b/public/recovery.te
index 2b77bc3..1193354 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -142,6 +142,12 @@
   # These are needed to update dynamic partitions in recovery.
   r_dir_file(recovery, sysfs_dm)
   allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  set_prop(recovery, gsid_prop)
+  allow recovery gsi_metadata_file:dir search;
+  allow recovery ota_metadata_file:dir rw_dir_perms;
+  allow recovery ota_metadata_file:file create_file_perms;
 ')
 
 ###
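Review bot: These four rules are a verbatim copy of the block added to fastbootd.te in this same change, and the gsid.te neverallow exclusions have to track both; a second hand-maintained copy is how the two domains drift apart. Consider a small macro in te_macros, e.g. `use_libfiemap_direct(domain)` expanding to the `set_prop` and the three `allow` lines, so that both files reduce to one call such as `use_libfiemap_direct(recovery)`. The enclosing macro block closed by `')` begins above the hunk.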