Merge "SELinux permissions for ProfilingService" into main
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 83d081a..14b68ad 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -6,6 +6,7 @@
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a3fc35d..3af8dc2 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -6,6 +6,7 @@
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 6b8389a..726f0ab 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -199,7 +199,8 @@
"gsiservice": EXCEPTION_NO_FUZZER,
"appops": EXCEPTION_NO_FUZZER,
"appwidget": EXCEPTION_NO_FUZZER,
- "artd": EXCEPTION_NO_FUZZER,
+ "artd": []string{"artd_fuzzer"},
+ "artd_pre_reboot": []string{"artd_fuzzer"},
"assetatlas": EXCEPTION_NO_FUZZER,
"attention": EXCEPTION_NO_FUZZER,
"audio": EXCEPTION_NO_FUZZER,
@@ -251,6 +252,7 @@
"device_lock": EXCEPTION_NO_FUZZER,
"device_state": EXCEPTION_NO_FUZZER,
"devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
"diskstats": EXCEPTION_NO_FUZZER,
"display": EXCEPTION_NO_FUZZER,
"dnsresolver": []string{"resolv_service_fuzzer"},
@@ -408,6 +410,7 @@
"security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
+ "sensitive_content_protection_service": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
"sensor_privacy": EXCEPTION_NO_FUZZER,
"serial": EXCEPTION_NO_FUZZER,
diff --git a/private/artd.te b/private/artd.te
index acab397..f8e79fb 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,6 +7,7 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
+add_service(artd, artd_pre_reboot_service)
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 2223a8c..1de001e 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -6,7 +6,9 @@
(typeattributeset new_objects
( new_objects
archive_service
+ artd_pre_reboot_service
contextual_search_service
+ dexopt_chroot_setup_service
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
@@ -27,6 +29,7 @@
pm_archiving_enabled_prop
remote_auth_service
security_state_service
+ sensitive_content_protection_service
setupwizard_mode_prop
sysfs_sync_on_suspend
tv_ad_service
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
new file mode 100644
index 0000000..f7bd17a
--- /dev/null
+++ b/private/dexopt_chroot_setup.te
@@ -0,0 +1,23 @@
+type dexopt_chroot_setup, domain, coredomain;
+type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
+type dexopt_chroot_setup_tmpfs, file_type;
+
+# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
+binder_use(dexopt_chroot_setup)
+add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
+allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
+allow dexopt_chroot_setup dumpstate:fd use;
+
+init_daemon_domain(dexopt_chroot_setup)
+
+# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
+# processes.
+tmpfs_domain(dexopt_chroot_setup)
+
+# libart (mark_compact.cc) has some intialization code that touches the cache
+# info file and userfaultfd.
+allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
+r_dir_file(dexopt_chroot_setup, apex_art_data_file)
+userfaultfd_use(dexopt_chroot_setup)
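Review bot: This new file declares an `init_daemon_domain` that is also `coredomain`, but it contains no `neverallow` bounding who may look up or call the service, so a later blanket grant on `service_manager_type` would extend access without anyone touching this file. The only client granted access in this change is system_server (`binder_call` and `service_manager find` in private/system_server.te), and the two dumpstate rules suggest dumpstate is expected as well. Consider pinning the client set with something like `neverallow { domain -system_server -dumpstate -dexopt_chroot_setup } dexopt_chroot_setup_service:service_manager find;`, extending the exclusions for any domain that already holds a blanket find grant. The same question applies to `artd_pre_reboot_service` in private/artd.te, though that file is only partly visible here and may already have such a rule. The dumpstate `allow` lines would also read better with their own comment, since the comment above them only covers publishing the service and binder use.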
diff --git a/private/service_contexts b/private/service_contexts
index 3465bd8..82af95e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -179,6 +179,7 @@
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
artd u:object_r:artd_service:s0
+artd_pre_reboot u:object_r:artd_pre_reboot_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
@@ -230,6 +231,7 @@
device_lock u:object_r:devicelock_service:s0
device_state u:object_r:device_state_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+dexopt_chroot_setup u:object_r:dexopt_chroot_setup_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
dnsresolver u:object_r:dnsresolver_service:s0
@@ -387,6 +389,7 @@
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
+sensitive_content_protection_service u:object_r:sensitive_content_protection_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
serial u:object_r:serial_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9ea2e9f..7836695 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -283,6 +283,7 @@
binder_call(system_server, artd)
binder_call(system_server, binderservicedomain)
binder_call(system_server, composd)
+binder_call(system_server, dexopt_chroot_setup)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
@@ -940,12 +941,14 @@
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
+allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
+allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c7a0ee..a9616b7 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,8 +17,7 @@
allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
+r_dir_file(bootanim, oemfs);
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
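Review bot: Replacing the two `allow` lines with `r_dir_file(bootanim, oemfs);` widens bootanim's access rather than just tidying it. The macro grants `r_dir_perms` on `oemfs:dir`, which allows opening and listing the directory and not only `search`, and it grants `r_file_perms` on `oemfs:lnk_file` as well as `oemfs:file`. If bootanim only opens known paths under /oem, keeping `allow bootanim oemfs:dir search;` alongside the file rule preserves least privilege. If listing or symlink reads are needed, extend the `# /oem access` comment to say why, so the extra permissions are visibly intentional in this public policy file.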
diff --git a/public/service.te b/public/service.te
index f45a5d1..a6f854a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,6 +2,7 @@
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type artd_service, service_manager_type;
+type artd_pre_reboot_service, service_manager_type;
type audioserver_service, service_manager_type, isolated_compute_allowed_service;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -10,6 +11,7 @@
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
+type dexopt_chroot_setup_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
@@ -218,6 +220,7 @@
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensitive_content_protection_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;