Merge "Allow dexoptanalyzer to use fd's from odsign."
diff --git a/private/access_vectors b/private/access_vectors
index 1420360..a02a2a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -714,7 +714,10 @@
class keystore2
{
add_auth
+ change_password
+ change_user
clear_ns
+ clear_uid
get_state
list
lock
diff --git a/private/apexd.te b/private/apexd.te
index f6e8058..a2a77ab 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -22,6 +22,8 @@
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ac7da6e..bf02085 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -11,6 +11,7 @@
apex_art_data_file
apex_art_staging_data_file
apex_info_file
+ apex_scheduling_data_file
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
@@ -81,6 +82,7 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ qemu_hw_prop
radio_core_data_file
reboot_readiness_service
remote_prov_app
@@ -104,6 +106,8 @@
texttospeech_service
transformer_service
update_engine_stable_service
+ userdata_sysdev
+ usermanager_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
diff --git a/private/file_contexts b/private/file_contexts
index 580ce0e..b7c5628 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -173,6 +173,7 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -561,6 +562,7 @@
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 7bf14c8..a112081 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -90,6 +90,9 @@
# allow platform apps to read keyguard.no_require_sim
get_prop(platform_app, keyguard_config_prop)
+# allow platform apps to read qemu.hw.mainkeys
+get_prop(platform_app, qemu_hw_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 25e9d87..ff84dcc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -186,6 +186,9 @@
dalvik. u:object_r:dalvik_prop:s0
ro.dalvik. u:object_r:dalvik_prop:s0
+# qemu_hw_prop is read/written by both system and vendor.
+qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0
+
# Shared between system server and wificond
wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
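Review bot: The new `qemu.hw.mainkeys` entry has no match kind or value type, so it is matched as a prefix and any property whose name starts with `qemu.hw.mainkeys` also receives `qemu_hw_prop`. The same change makes that type a `system_public_prop` which vendor_init may set and which platform_app and system_server read, so the label should stay pinned to the one intended name: `qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact int`. The `int` type is an assumption about the value format and needs confirming against the writers; `exact string` keeps the exact match if the value is not always an integer.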
@@ -990,6 +993,7 @@
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index c1aab48..db56651 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -36,6 +36,7 @@
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.usermanager u:object_r:usermanager_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9e903d5..c0c7c16 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -830,6 +830,7 @@
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
+allow system_server usermanager_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
userdebug_or_eng(`
@@ -861,7 +862,10 @@
allow system_server keystore:keystore2 {
add_auth
+ change_password
+ change_user
clear_ns
+ clear_uid
get_state
lock
reset
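Review bot: `change_password`, `change_user` and `clear_uid` are granted to system_server here, but nothing visible in this diff prevents another domain from later being given the same keystore2 permissions, which by their names act on user credentials and per-uid key state. If system_server is meant to be the only holder, a guard next to this rule would make that explicit: `neverallow { domain -system_server } keystore:keystore2 { change_password change_user clear_uid };`. Whether an existing neverallow elsewhere already covers this class, or whether another domain legitimately needs one of these permissions, cannot be told from this hunk. The allow block itself continues past the hunk's last line.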
@@ -1224,6 +1228,8 @@
allow system_server apex_module_data_file:dir { getattr search };
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_scheduling_data_file:dir create_dir_perms;
+allow system_server apex_scheduling_data_file:file create_file_perms;
allow system_server apex_wifi_data_file:dir create_dir_perms;
allow system_server apex_wifi_data_file:file create_file_perms;
@@ -1330,3 +1336,6 @@
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b4e95b8..1414f6c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -20,6 +20,7 @@
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
@@ -36,6 +37,7 @@
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
diff --git a/public/device.te b/public/device.te
index d98806a..e2dc511 100644
--- a/public/device.te
+++ b/public/device.te
@@ -117,3 +117,6 @@
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
diff --git a/public/file.te b/public/file.te
index a188c78..f0d5622 100644
--- a/public/file.te
+++ b/public/file.te
@@ -382,6 +382,7 @@
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index 069f17d..fdb1694 100644
--- a/public/init.te
+++ b/public/init.te
@@ -600,6 +600,9 @@
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
###
### neverallow rules
###
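Review bot: `create_file_perms` on `userdata_sysdev:file` grants create, rename, unlink and setattr on top of read/write. That is more than the "filesystem tuning" named in the comment needs if the tunables are existing nodes that init only writes to. `allow init userdata_sysdev:file rw_file_perms;` (or `w_file_perms` if nothing is read back) would match the stated purpose, and the same applies to the identical rule added for vendor_init in public/vendor_init.te. The file_contexts entry labels the whole `/dev/sys/fs/by-name/userdata(/.*)?` subtree while only the `file` class is allowed here, so any directory or symlink access the tuning relies on has to come from rules outside this diff.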
diff --git a/public/keystore.te b/public/keystore.te
index 1c8d3bd..f70fb2c 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,6 +19,7 @@
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
+add_service(keystore, usermanager_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/property.te b/public/property.te
index 37884f0..3f3f148 100644
--- a/public/property.te
+++ b/public/property.te
@@ -191,6 +191,7 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
diff --git a/public/service.te b/public/service.te
index 7292a97..4a0b728 100644
--- a/public/service.te
+++ b/public/service.te
@@ -39,6 +39,7 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
+type usermanager_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
diff --git a/public/userdata_sysdev.te b/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
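Review bot: This new file holds a single uncommented rule, and it is not obvious why the type needs to associate with the sysfs filesystem. The type is declared as `dev_type` in public/device.te and labelled under `/dev/...` in file_contexts. A one-line comment above the rule would record the reason, for example `# by-name/userdata entries resolve to sysfs nodes; allow the label on sysfs`, if that is indeed why it is needed. Without it, a later reader auditing `dev_type` or sysfs rules has no way to tell whether the pairing is intentional.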
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 8d436b9..a54befb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -197,6 +197,9 @@
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`
@@ -235,6 +238,7 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)