Merge "Merge logic of DICE HAL and diced in to dice-service"
diff --git a/Android.mk b/Android.mk
index 8f0b37c..bd2bd56 100644
--- a/Android.mk
+++ b/Android.mk
@@ -478,7 +478,6 @@
 LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 endif
 
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
 endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 
 
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
index 3c47764..ffe4660 100644
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -7,87 +7,9 @@
 (sid amend)
 (sidorder (amend))
 
-(classorder (file service_manager))
+(classorder (file))
 
 ;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
 (type shell)
 (type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
-
-;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
-(class service_manager (add find list ))
-
-(type activity_service)
-(type activity_task_service)
-(type appops_service)
-(type audioserver_service)
-(type audio_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type connectivity_service)
-(type connmetrics_service)
-(type deviceidle_service)
-(type display_service)
-(type dropbox_service)
-(type font_service)
-(type game_service)
-(type gpu_service)
-(type graphicsstats_service)
-(type hardware_properties_service)
-(type hint_service)
-(type imms_service)
-(type input_method_service)
-(type input_service)
-(type IProxyService_service)
-(type ipsec_service)
-(type launcherapps_service)
-(type legacy_permission_service)
-(type light_service)
-(type locale_service)
-(type media_communication_service)
-(type mediaextractor_service)
-(type mediametrics_service)
-(type media_projection_service)
-(type media_router_service)
-(type mediaserver_service)
-(type media_session_service)
-(type memtrackproxy_service)
-(type midi_service)
-(type netpolicy_service)
-(type netstats_service)
-(type network_management_service)
-(type notification_service)
-(type package_service)
-(type permission_checker_service)
-(type permissionmgr_service)
-(type permission_service)
-(type platform_compat_service)
-(type power_service)
-(type procstats_service)
-(type registry_service)
-(type restrictions_service)
-(type rttmanager_service)
-(type sdk_sandbox)
-(type search_service)
-(type selection_toolbar_service)
-(type sensor_privacy_service)
-(type sensorservice_service)
-(type servicediscovery_service)
-(type settings_service)
-(type speech_recognition_service)
-(type statusbar_service)
-(type storagestats_service)
-(type surfaceflinger_service)
-(type system_linker_exec)
-(type telecom_service)
-(type tethering_service)
-(type textclassification_service)
-(type textservices_service)
-(type texttospeech_service)
-(type thermal_service)
-(type translation_service)
-(type tv_iapp_service)
-(type tv_input_service)
-(type uimode_service)
-(type vcn_management_service)
-(type webviewupdate_service)
+(class file (ioctl read getattr lock map open watch watch_reads))
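Review bot: Nothing left in the apex definitions records where the sdk_sandbox allowlist went, so a reader of com.android.sepolicy/33 will conclude the sandbox simply lost `service_manager find` rather than that the rules now live in platform private policy (the deleted com.android.sepolicy/33/sdk_sandbox.te reappears as private/sdk_sandbox.te in this same change). A one-line header after `(type sepolicy_test_file)` would save that search, e.g. `;; sdk_sandbox rules moved to private/sdk_sandbox.te; service_manager and execute_no_trans are no longer needed in this module`. Keeping the trimmed `(class file ...)` and `(classorder (file))` in sync is the only thing a future apex policy author has to remember here.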
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
deleted file mode 100644
index 7c7b15b..0000000
--- a/com.android.sepolicy/33/sdk_sandbox.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 163a300..849be82 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1637,7 +1637,11 @@
 (typeattributeset exported_overlay_prop_33_0 (exported_overlay_prop))
 (typeattributeset exported_pm_prop_33_0 (exported_pm_prop))
 (typeattributeset exported_secure_prop_33_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_33_0 (exported_system_prop))
+(typeattributeset exported_system_prop_33_0
+  ( exported_system_prop
+    locale_prop
+    timezone_prop
+))
 (typeattributeset external_vibrator_service_33_0 (external_vibrator_service))
 (typeattributeset extra_free_kbytes_33_0 (extra_free_kbytes))
 (typeattributeset extra_free_kbytes_exec_33_0 (extra_free_kbytes_exec))
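Review bot: Folding `locale_prop` and `timezone_prop` into `exported_system_prop_33_0` means any vendor domain compiled against the 33.0 policy that held set_prop on exported_system_prop keeps write access to persist.sys.locale and persist.sys.timezone, so the split only narrows writers on the system side and for vendor policy built against a newer version. That is the usual treatment for a type split, and placing the genuinely new `timezone_metadata_prop` in 33.0.ignore.cil (L216) rather than here is consistent with it. If the intent is only a finer-grained system grant, it is worth saying so in the commit description so nobody later reads this mapping as an oversight and "fixes" it, and conversely if the goal was to cut vendor writers, this mapping does not achieve that for 33.0 vendor images.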
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 6d82d0f..bdb4869 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -20,6 +20,7 @@
     prng_seeder
     servicemanager_prop
     system_net_netd_service
+    timezone_metadata_prop
     tuner_config_prop
     tuner_server_ctl_prop
     virtual_face_hal_prop
diff --git a/private/domain.te b/private/domain.te
index 8f43181..632b9f6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -634,3 +634,5 @@
   sdk_sandbox
   untrusted_app_all
 } system_app_data_file:dir_file_class_set { create unlink open };
+
+neverallow { domain -init } mtectrl:process { dyntransition transition };
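Review bot: The new neverallow at L229 carries no comment explaining why init must be the only entry point into the mtectrl domain, which matters because the same change gives mtectrl `set_prop(mtectrl, arm64_memtag_prop)` and read/write on the misc partition. Suggest preceding it with `# Only init may enter mtectrl: it rewrites the misc partition and sets arm64_memtag_prop (see private/mtectrl.te),` so the rule's rationale survives the next refactor of domain.te. The statement itself is self-contained; the preceding neverallow whose tail is visible at L225-L227 begins outside the hunk.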
diff --git a/private/mtectrl.te b/private/mtectrl.te
index 436dcae..a727b25 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -4,7 +4,12 @@
 
 init_daemon_domain(mtectrl)
 
+# to set the sys prop to match the bootloader message state.
+set_prop(mtectrl, arm64_memtag_prop)
+
 # mtectrl communicates the request to the bootloader via the misc partition.
-allow mtectrl misc_block_device:blk_file w_file_perms;
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow mtectrl misc_block_device:blk_file rw_file_perms;
 allow mtectrl block_device:dir r_dir_perms;
 read_fstab(mtectrl)
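Review bot: Changing `w_file_perms` to `rw_file_perms` on `misc_block_device` grants more than the read the comment asks for: as far as I recall from global_macros, `r_file_perms` also carries `ioctl` (plus getattr/watch), which the previous write-only grant did not give mtectrl on a raw block device, and ioctl on block devices is normally gated by an allowxperm allowlist elsewhere in this tree. If the sync-back only needs to read the bootloader message, the narrower `allow mtectrl misc_block_device:blk_file { w_file_perms read getattr };` keeps ioctl off the misc partition; if an ioctl is actually required, name it in the comment and pair the grant with the matching `allowxperm`. The comment at L238 would also read better capitalised and tied to the rule: `# Set arm64_memtag_prop to mirror the bootloader message state.`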
diff --git a/private/property.te b/private/property.te
index 805b70d..61144be 100644
--- a/private/property.te
+++ b/private/property.te
@@ -38,6 +38,7 @@
 system_internal_prop(setupwizard_prop)
 system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
+system_internal_prop(timezone_metadata_prop)
 system_internal_prop(traced_perf_enabled_prop)
 system_internal_prop(tuner_server_ctl_prop)
 system_internal_prop(userspace_reboot_log_prop)
@@ -430,6 +431,7 @@
   -init
   -shell
   -system_app
+  -mtectrl
 } {
   arm64_memtag_prop
   gwp_asan_prop
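Review bot: Adding `-mtectrl` to the domain set of this neverallow exempts mtectrl for every property type in the right-hand set, not just `arm64_memtag_prop` — `gwp_asan_prop` is visible at L267 and the set may continue past the hunk, since the neverallow statement begins and ends outside it. Effective access today is still bounded by the single `set_prop(mtectrl, arm64_memtag_prop)` in private/mtectrl.te, but the neverallow no longer protects against a later, wider allow for mtectrl on the other properties in this set. To keep the guard tight, leave this statement without `-mtectrl` and move `arm64_memtag_prop` into its own neverallow whose exemption list is the original three domains plus mtectrl, assuming the object class and permission are the same `property_service set` used by the rest of this file.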
diff --git a/private/property_contexts b/private/property_contexts
index a67ea73..515c007 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -783,8 +783,25 @@
 
 net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
 
-persist.sys.locale       u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone     u:object_r:exported_system_prop:s0 exact string
+# Settings system properties containing mutable "global" device settings.
+#
+# These can't be Android settings because they are also read by low-level
+# binaries that don't have access to "real" SettingsProvider settings. This
+# will usually be because of when they execute, e.g. during boot when Android
+# services are not yet running, and/or because they are needed by binaries that
+# are not "Android aware", i.e. they have light integration with the Android
+# platform via the low-level system properties lib.  Processes like shell may
+# modify these for testing purposes, but doing so is generally discouraged;
+# updates to these props will generally require intents to be sent to
+# long-running Android apps so they can update cached data and their UI state.
+persist.sys.locale       u:object_r:locale_prop:s0 exact string
+persist.sys.timezone     u:object_r:timezone_prop:s0 exact string
+
+# Time zone metadata system properties. Holds information associated with the
+# device's time zone and will therefore be written to at the same time.  Unlike
+# timezone_prop props, these do not need to be read by other processes.
+persist.sys.timezone_confidence u:object_r:timezone_metadata_prop:s0 exact uint
+
 persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
 persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
 
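Review bot: The new comment states that "Processes like shell may modify these for testing purposes", but the visible hunks grant `set_prop` on `locale_prop`/`timezone_prop` only to surfaceflinger, system_app and system_server; shell presumably reached these properties through exported_system_prop before the split, and nothing in this patch re-grants it. Unless shell.te is updated outside the diff, the comment now describes an access the policy no longer gives, so either add the shell grant or trim the sentence to what is allowed, e.g. `Processes like shell may be granted write access for testing, but doing so is generally discouraged;`. The rest of the block is a useful explanation of why these are properties rather than settings and is worth keeping as written.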
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 3f4a49b..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,84 @@
 net_domain(sdk_sandbox)
 app_domain(sdk_sandbox)
 
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(sdk_sandbox)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index bb16f20..dbb5507 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -58,7 +58,9 @@
 set_prop(surfaceflinger, exported_system_prop)
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, locale_prop)
 set_prop(surfaceflinger, surfaceflinger_display_prop)
+set_prop(surfaceflinger, timezone_prop)
 
 # Get properties.
 get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
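Review bot: surfaceflinger keeps write access to persist.sys.locale and persist.sys.timezone only as a carry-over from the `set_prop(surfaceflinger, exported_system_prop)` at L394, and the same carry-over is done for system_app at L411 and L414. A type split is the natural point to check whether the domain actually writes these properties; if surfaceflinger (or system_app) never does, dropping the two new `set_prop` lines is the cheaper outcome than carrying a write grant on a device-wide setting forward indefinitely. If the write is real, a why-comment such as `# locale/timezone: carried over from exported_system_prop; SF writes these during boot animation` (adjusted to the actual reason) would keep the next reviewer from asking the same question.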
diff --git a/private/system_app.te b/private/system_app.te
index 822fbb5..61d3b5d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -44,8 +44,10 @@
 set_prop(system_app, exported_system_prop)
 set_prop(system_app, exported3_system_prop)
 set_prop(system_app, gesture_prop)
+set_prop(system_app, locale_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
+set_prop(system_app, timezone_prop)
 set_prop(system_app, usb_control_prop)
 set_prop(system_app, usb_prop)
 set_prop(system_app, log_tag_prop)
diff --git a/private/system_server.te b/private/system_server.te
index ab0bfe0..eb1e46a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -717,6 +717,9 @@
 set_prop(system_server, provisioned_prop)
 set_prop(system_server, retaildemo_prop)
 set_prop(system_server, dmesgd_start_prop)
+set_prop(system_server, locale_prop)
+set_prop(system_server, timezone_metadata_prop)
+set_prop(system_server, timezone_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
 
diff --git a/public/domain.te b/public/domain.te
index 9fbef64..dc467a6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -123,6 +123,7 @@
 get_prop(domain, hw_timeout_multiplier_prop)
 get_prop(domain, init_service_status_prop)
 get_prop(domain, libc_debug_prop)
+get_prop(domain, locale_prop)
 get_prop(domain, logd_prop)
 get_prop(domain, mediadrm_config_prop)
 get_prop(domain, property_service_version_prop)
@@ -130,6 +131,7 @@
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
+get_prop(domain, timezone_prop)
 get_prop({domain - untrusted_app_all },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
diff --git a/public/property.te b/public/property.te
index 80df624..a9e61b5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -212,6 +212,7 @@
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
 system_public_prop(lmkd_prop)
+system_public_prop(locale_prop)
 system_public_prop(logd_prop)
 system_public_prop(logpersistd_logging_prop)
 system_public_prop(log_prop)
@@ -230,6 +231,7 @@
 system_public_prop(system_prop)
 system_public_prop(system_user_mode_emulation_prop)
 system_public_prop(telephony_status_prop)
+system_public_prop(timezone_prop)
 system_public_prop(usb_control_prop)
 system_public_prop(vold_post_fs_data_prop)
 system_public_prop(wifi_hal_prop)