Merge "Add remote_provisioning.hostname property"
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 47fd528..ede2284 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -8,6 +8,7 @@
     adaptive_haptics_prop
     apex_ready_prop
     artd
+    bt_device
     credential_service
     device_config_camera_native_prop
     device_config_memory_safety_native_prop
@@ -50,4 +51,5 @@
     hal_fastboot_service
     hal_can_controller_service
     zoned_block_device
+    future_pm_prop
   ))
diff --git a/private/credstore.te b/private/credstore.te
index c410d76..2d9824b 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -10,3 +10,8 @@
 
 # credstore needs to get keys from the remotely provisioned pool
 allow credstore remotelyprovisionedkeypool_service:service_manager find;
+allow credstore keystore:keystore2 get_attestation_key;
+
+# credstore needs to get keys from the RKPD
+get_prop(credstore, device_config_remote_key_provisioning_native_prop)
+allow credstore remote_provisioning_service:service_manager find;
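Review bot: The added `allow credstore keystore:keystore2 get_attestation_key;` sits under the existing "remotely provisioned pool" comment with no explanation of its own, although it is a keystore2 permission and not a service lookup. The new comment "credstore needs to get keys from the RKPD" heads a `get_prop` on `device_config_remote_key_provisioning_native_prop`, which reads a configuration flag and does not fetch keys. Suggest giving each rule its own line, for example `# credstore requests attestation keys through keystore2` above the first and `# credstore reads the remote key provisioning flags and looks up the RKPD service` above the last two. The exact wording should be confirmed by the author, since the callers are not visible in this hunk.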
diff --git a/private/file_contexts b/private/file_contexts
index 766b971..7ce80ae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -374,7 +374,6 @@
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
 /system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
@@ -494,6 +493,8 @@
 /(system_ext|system/system_ext)/bin/hidl_lazy_test_server    u:object_r:hidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
 
+/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 
 #############################
diff --git a/private/property_contexts b/private/property_contexts
index 8483c3d..8b403ca 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -592,29 +592,32 @@
 ro.hdmi.cec.source.send_standby_on_sleep                           u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
 ro.hdmi.cec.source.playback_device_action_on_routing_control       u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
 
-# This is the namespace of all system properties used by ART Service.
-# As ART Service is in the updatable ART module, we need the prefix to allow us
-# to add new properties.
-pm.dexopt.                                  u:object_r:exported_pm_prop:s0 prefix
+pm.dexopt.bg-dexopt                                     u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt.concurrency                         u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot                                    u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot.concurrency                        u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-ota                                u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-ota.concurrency                    u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-mainline-update                    u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-mainline-update.concurrency        u:object_r:exported_pm_prop:s0 exact int
 
-# A set of pm.dexopt properties that we should keep supporting for Treble
-# compatibility. We explicitly list them here to discourage renaming or
-# disregarding them.
-pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt                         u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot                              u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt                 u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days     u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot                        u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive                          u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary            u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared                            u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.post-boot                                     u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota                                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline                                       u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive                                      u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install                                       u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast                                  u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk                                  u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded                       u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded             u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.shared                                        u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.disable_bg_dexopt                             u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days                 u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.                                              u:object_r:future_pm_prop:s0 prefix
 
 ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 
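Review bot: `pm.dexopt.boot` was in the removed explicit list but is missing from the new one, so it now matches only the trailing `pm.dexopt.` prefix entry and is labelled `future_pm_prop`. The rules this commit adds in public/domain.te forbid granting read or set on that label to anything but init, dumpstate and vendor_init, and they dontaudit the read denial, so a build that still uses the property would lose it with no avc message. If the removal is intended, say so in the commit description; otherwise restore `pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string`. The removed comments on Treble compatibility were not replaced, so a line such as `# Unlisted pm.dexopt.* names fall through to future_pm_prop; list new ones above as exported_pm_prop.` before the prefix entry would help.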
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index f49eb63..d5f8e3f 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,6 +8,9 @@
 # The app needs access to properly build a DeviceInfo package for the verifying server
 get_prop(remote_prov_app, vendor_security_patch_level_prop)
 
+# if rkpd is enabled, remote provisioner is a noop
+get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
+
 allow remote_prov_app {
     app_api_service
     mediametrics_service
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 26c781b..91e9aba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -49,6 +49,9 @@
 allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
+# Access the secure heap.
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
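Review bot: The comment `# Access the secure heap.` restates the rule without saying what surfaceflinger allocates from `dmabuf_system_secure_heap_device` or why. A policy auditor needs that reason when a core domain gains access to a heap that is presumably reserved for protected buffers. Suggest `# Allocate from the system-secure DMA-BUF heap for <use case>.`, with the use case filled in by the author. The same applies to the `hal_graphics_allocator` rule added in public/hal_graphics_allocator.te. Because that rule is in public policy, it extends the access to every vendor implementation of the allocator HAL.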
diff --git a/public/device.te b/public/device.te
index 31ffead..ead7fbc 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
 type block_device, dev_type;
+type bt_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 79e62d0..56c3142 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -537,6 +537,14 @@
     neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
 ')
 
+# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
+
+# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
+# old platforms shouldn't be regarded as a problem.
+dontaudit domain future_pm_prop:file read;
+
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
 neverallow { domain -init } userdebug_or_eng_prop:property_service set;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 7ef27113..35a19de 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -11,6 +11,9 @@
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
 
+# Access the secure heap
+allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
 # allow to run with real-time scheduling policy
 allow hal_graphics_allocator self:global_capability_class_set sys_nice;
 
diff --git a/public/property.te b/public/property.te
index c0a3a6e..346cd77 100644
--- a/public/property.te
+++ b/public/property.te
@@ -208,6 +208,7 @@
 system_public_prop(exported_bluetooth_prop)
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
+system_public_prop(future_pm_prop)
 system_public_prop(ffs_control_prop)
 system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 53c0b96..f167e65 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -17,6 +17,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
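Review bot: The `.` before `default` in the added pattern `android\.hardware\.bluetooth-service.default` is unescaped, so it matches any character and not only a literal dot. The neighbouring `\.btlinux` and `\.example` entries escape theirs. As written, a file in this directory whose name differs only at that position would also be labelled `hal_bluetooth_default_exec`. Use `android\.hardware\.bluetooth-service\.default`.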
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 01d60db..efa75a7 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,8 @@
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)
 
+allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
+
 type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
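Review bot: The two added allow rules carry no comment, and nothing in the visible diff assigns the new `bt_device` label to a device node. A reader cannot tell which node the HAL opens or why it needs its own `bluetooth_socket`. Add a line above them such as `# Reach the Bluetooth controller through the bt_device node and a bluetooth socket.` (wording to be confirmed by the author), and note that each device must label its node in its own file_contexts. The explicit `{ open read write }` set omits the `getattr` and `ioctl` that `rw_file_perms` would grant; if that is deliberate least privilege, the comment is a good place to say so.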